Next Generation OAuth 2.0 Support with Spring Security

Engineering | Joe Grandja | January 30, 2018 | ...

Note

See the latest announcements on Announcing the Spring Authorization Server and Spring Security OAuth 2.0 Roadmap Update

Current State

The current state of OAuth 2.0 Support, within the Spring projects portfolio, is spread out between Spring Security OAuth, Spring Cloud Security, Spring Boot 1.5.x, and the new support introduced in Spring Security 5. As a user of OAuth, you may be asking, "Which project(s) do I use? And why has Spring Security 5 introduced new support into the mix?"

To put it simply, there was a need to unify the OAuth 2.0 support into one project in order to provide a clear choice to the user and to avoid any potential confusion. In addition, the OAuth 2.0 support needed to take the next level and provide more extensive support for OAuth 2.0 and OpenID Connect 1.0. Also, based on community feedback, documentation needed to be re-vamped in order to allow for ease of use and promote developer productivity. Based on all these factors, we decided to start afresh and build the next generation of OAuth 2.0 support in Spring Security 5.

The Plan Forward

The OAuth 2.0 support is currently underway in Spring Security 5 with new Client support. The plan is to also provide support for Resource Server by mid-2018 and Authorization Server by the end of 2018 or early 2019. Our goal is to provide extensive support for OAuth 2.0 Core and Extensions, OpenID Connect 1.0, and Javascript Object Signing and Encryption (JOSE).

If you are interested in finding out more about which OAuth 2.0 and OpenID Connect 1.0 features will be implemented in Spring Security 5, you may track upcoming features in the Spring Security GitHub repo using the OAuth2, OIDC, and JWT-JOSE labels.

Future of Legacy Spring Security OAuth Project

At this time, we would also like to announce that the Spring Security OAuth project is officially in maintenance mode. We will provide bug/security fixes and consider adding minor features but we will not be adding major features. Our focus and efforts going forward will be put into building all the features currently in Spring Security OAuth into Spring Security 5.x. After Spring Security has reached feature parity with Spring Security OAuth, we will continue to support bugs and security fixes for at least one year.

Feature Matrix / Roadmap

We’ve put together a feature matrix that outlines all the OAuth 2.0 features implemented by the various projects within the Spring portfolio. This matrix may be used to determine which project(s) to use (today) based on your OAuth 2.0 requirements. It also serves as a roadmap of the features to be implemented as we move towards feature parity with Spring Security OAuth.

For any additional inquiries you may have, please see the Frequently Asked Questions on our wiki or reach out to me @joe_grandja or Rob @rob_winch on Twitter.

Get the Spring newsletter

Thank you for your interest. Someone will get back to you shortly.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all