19

I'd like to use OAuth2 authentication in a Spring REST API for login. But I got a warning that `AuthorizationServerConfigurerAdapter` is deprecated and that I should see the OAuth 2.0 Migration Guide for Spring Security 5.

class docs

I checked there but did not find much of a migration guide. Can anyone please share a full example for this?

Thanks in advance...

Victory
  • I found out the same problem, trying to find the best approach how to implement authentication and authorization with OAuth 2 through Spring Security. It is possible that I am missing deeper knowledge about OAuth, but hope to figure out the issue with studying. – Peter S. Dec 19 '19 at 20:57
  • 2
    I tried to downgrade the version of _spring-security-oauth2_ from 2.4.0.RELEASE to 2.3.8.RELEASE and it looks like it was marked as deprecated from 2.4.0.RELEASE. Both versions are from November -> [maven repository](https://mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2). I would only guess if the migration guide for authorization server is still in progress. – Peter S. Dec 19 '19 at 21:46

2 Answers

19

The Spring Security OAuth2 project is currently deprecated, and the Spring Security team has decided to no longer provide support for authorization servers. They are going to reconsider this decision, but nothing is known at the moment, and I would advise you to consider other solutions, for example, Keycloak.

15/04/2020: A new Spring Authorization Server is announced.

It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.

07/05/2020: End-of-Life for Spring Security OAuth has been clarified.

To that end, the plan is to provide patch and security fixes for the 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.

Anar Sultanov
  • 2
    This is the correct answer why `AuthorizationServerConfigurerAdapter` is deprecated. Let's hope Spring will reconsider ... – JohanB Jan 23 '20 at 08:29
  • Do you have any tutorial or resource to help migrating from old Spring-Security-OAuth2 to Open Source Authorization Server as Keycloak, Gluu? – Kevin Apr 15 '20 at 05:51
  • I'm also very interested what can be used for the latest Spring Security. Please share! – Peter Penzov Jun 25 '20 at 15:09
  • @Geany I wrote and published a post describing one of the migration options: https://sultanov.dev/blog/migrate-from-spring-security-oauth-to-keycloak/ – Anar Sultanov Jul 13 '20 at 21:20
  • @PeterPenzov Keycloak as well as any other authorization server can be used with the latest Spring Security: https://www.baeldung.com/spring-boot-keycloak – Anar Sultanov Jul 13 '20 at 21:23
8

To work with `AuthorizationServer` (and `AuthorizationServerConfigurerAdapter` as well) in a Spring Boot application you can use Spring Security OAuth Boot 2 Autoconfig. Although it's in maintenance mode, it's actively updated (as of January 2020); its latest version is 2.2.3, which corresponds to Spring Boot version 2.2.3. Its reference guide says that:

> Note that you need to specify the version for `spring-security-oauth2-autoconfigure`, since it is not managed by Spring Boot any longer, though it should match Boot’s version anyway

I used it in my demo project and everything seems OK. So, to work with OAuth2, JWT tokens, Authorization and Resource servers, all you need is to add it to your project:

    <dependency>
        <groupId>org.springframework.security.oauth.boot</groupId>
        <artifactId>spring-security-oauth2-autoconfigure</artifactId>
        <version>2.2.3.RELEASE</version>
    </dependency>

My demo project.

UPDATE

Starting with version 2.3.0, the Spring Security OAuth Boot 2 Autoconfig (which has `spring-security-oauth2:2.4.1` under the hood) is also deprecated.

But according to the End-of-Life for Spring Security OAuth post on the Spring Blog:

> ...the plan is to provide patch and security fixes for the 2.4.x and 2.5.x [spring-security-oauth2] line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life. The same end-of-life timeline applies to the Spring Boot 2 auto-configuration project.

Also a new Spring Authorization Server project was announced.

It is a community-driven project led by the Spring Security team and is focused on delivering Authorization Server support to the Spring community.


In Spring Security OAuth 2.0 Roadmap Update they recommend using Keycloak as an open-source implementation of the authorization server. So I think that the following links will be helpful:

Cepr0
  • 2
    You should not suggest people using a project that is currently deprecated. – Anar Sultanov Jan 23 '20 at 07:57
  • 4
    I didn't suggest using a deprecated project. `spring-security-oauth2-autoconfigure` is not deprecated yet, and I warned that it's in maintenance mode. The question was about the possibility of using `AuthorizationServer` - I demonstrated this possibility. – Cepr0 Jan 23 '20 at 10:45
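
As an added example (not taken from either answer or from the Spring projects' own code), this is the Spring Security 5 side of the migration both answers point to: a resource server that validates JWTs issued by an external authorization server such as Keycloak, replacing the deprecated `AuthorizationServerConfigurerAdapter` setup. It assumes Spring Security 5.4 or later in the 5.x line with `spring-boot-starter-oauth2-resource-server` on the classpath; the class name, issuer URL and audience are placeholders, and `realm_access.roles` is the claim Keycloak uses for realm roles by default.

```java
// Added example; ISSUER, AUDIENCE and the class name are placeholders, not values from the page.
import java.util.*;
import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {
    static final String ISSUER = "https://idp.example.com/realms/demo"; // placeholder realm URL
    static final String AUDIENCE = "orders-api";                        // placeholder API audience
    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .oauth2ResourceServer(o -> o.jwt(j -> j.jwtAuthenticationConverter(realmRoles())));
        return http.build();
    }
    @Bean
    JwtDecoder jwtDecoder() { // reads the issuer's discovery metadata (JWK set URI) at startup
        NimbusJwtDecoder decoder = (NimbusJwtDecoder) JwtDecoders.fromIssuerLocation(ISSUER);
        OAuth2TokenValidator<Jwt> audience = jwt ->
            jwt.getAudience() != null && jwt.getAudience().contains(AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_token", "unexpected audience", null));
        // Default checks (signature, expiry, issuer) plus the audience check above.
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
            JwtValidators.createDefaultWithIssuer(ISSUER), audience));
        return decoder;
    }
    // Maps Keycloak realm roles to ROLE_* authorities; a token without the claim gets none.
    JwtAuthenticationConverter realmRoles() {
        JwtAuthenticationConverter conv = new JwtAuthenticationConverter();
        conv.setJwtGrantedAuthoritiesConverter(jwt -> {
            List<GrantedAuthority> out = new ArrayList<>();
            Map<String, Object> realm = jwt.getClaimAsMap("realm_access");
            Object roles = realm == null ? null : realm.get("roles");
            if (roles instanceof Collection)
                for (Object r : (Collection<?>) roles) out.add(new SimpleGrantedAuthority("ROLE_" + r));
            return out;
        });
        return conv;
    }
}
```

The audience check matters when one authorization server issues tokens for several APIs: without it, a token minted for another client in the same realm would pass the signature and issuer checks here.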