We have recently updated our Spring Boot application (OAuth server). Since Spring Security OAuth 2.4.0 RELEASE EnableAuthorizationServer seems to be deprecated.
We read migration guide but we haven't found any section about authorization server.
Do you have any details about the migration? Is migration recommended, or can we keep the code?
In Spring's Roadmap, they don't have a plan for authorization server support anymore.
https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update
No Authorization Server Support
In October 2012, RFC 6749, the OAuth 2.0 Authorization Framework, was published. Subsequently in May 2014, Spring Security OAuth released its 2.0.0 version with support for Authorization Server, Resource Server, and Client. This made a great deal of sense in the absence of OAuth 2.0 libraries and products.
Since #han-lee posted, a new Spring project has been created to fill this gap: https://github.com/spring-projects-experimental/spring-authorization-server
See the news post here.
Related
I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.
I am developing a client application for client_credentials grant type flow in OAUTH2.
I am not able to decide on which dependency to use in my project for this purpose among the following.
spring-boot-starter-oauth2-client
spring-cloud-starter-oauth2
spring-security-oauth2
I referred this documentation from spring-projects in which under client-support section it had a table describing the available options. But I am not able to understand which column is referring to which of the above dependencies.
I want to configure a WebClient or RestTemplate which retrieves the OAUTH2 token from the auth-server automatically before accessing a resource-server.
Please guide me in choosing the right artifact for my project.
If you are using Spring Boot you should choose org.springframework.boot:spring-boot-starter-oauth2-client.
This includes Spring Security's OAuth 2.0 Client support and provides Spring Boot auto-configuration to set up OAuth2/Open ID Connect clients.
You can read about how to configure client in the Spring Boot reference documentation.
You can also find additional details in the Spring Security reference documentation.
If you are not using Spring Boot then you should choose org.springframework.security:spring-security-oauth2-client. This also provides Spring Security's latest OAuth 2.0 Client support, but does not include the Spring Boot auto-configuration.
The corresponding documentation is also the Spring Security reference documentation.
The third dependency you mentioned org.springframework.security.oauth:spring-security-oauth2 should not be used because it is part of the legacy Spring Security OAuth project, which is now deprecated.
The functionality that this library provided has now been moved into Spring Security.
That is what the Migration Guide describes, the migration from the legacy project to the latest Spring Security support.
You should not use the org.springframework.cloud:spring-cloud-starter-oauth2 at this time, because it relies on the legacy OAuth support.
This is likely to change in the future, as the Spring Cloud team updates to the latest Spring Security support.
Spring Security 5.2.2 has incorporated Spring Security OAuth project, but not AuthorizationServer or ResourceServer. What are the replacements to AuthorizationServer in Spring Security 5.2.2?
OAuth-2.0-Migration-Guide
This document contains guidance for moving OAuth 2.0 Clients and Resource Servers from Spring Security OAuth 2.x to Spring Security 5.2.x. Since Spring Security doesn’t provide Authorization Server support, migrating a Spring Security OAuth Authorization Server is out of scope for this document.
The first thing to note is that Spring Security OAuth 2.4.0 officially deprecates all its classes.
The second thing is that according to the Spring Security - OAuth 2.0 Features Matrix - FAQ:
We are no longer planning on adding Authorization Server support to Spring Security.
One solution is to use an OAuth2 authorization server such as Gluu or Keycloak, but depending on your usage and on the degree of customization you have made in your authorization server this is certainly not straightforward.
Due to Spring community protests, there is also some hope that an authorization server will still be implemented in Spring Security. According to Josh Cummings on Github :
We'd like to thank everyone for your feedback on the decision to not support Authorization Server. Due to this feedback and some internal discussions, we are taking another look at this decision. We'll notify the community on any progress.
See also : Spring Security OAuth 2.0 Roadmap Update
== Update 5 March 2020 ==
To answer the question of Joseph: "Any issue if we continue using it?": For now, no specific issues, Spring Security OAuth is still maintained but this will probably not be the case in a near future. Citing the same blog post as above:
The 2.3.x line will reach EOL in March 2020. We will support the 2.4.x line at least one year after reaching feature parity.
To that end, with the release of Spring Security 5.2, we are strongly encouraging users to start migrating their legacy OAuth 2.0 client and resource server applications to the new support in Spring Security 5.2.
== Update 15 April 2020 ==
A brand new Spring Authorization Server is announced. You can find it on Github.
== Update 7 May 2020 ==
As announced on the Spring blog:
[...] the plan is to provide patch and security fixes for the Spring Security Oauth 2.4.x and 2.5.x line until May 2021. Additionally, security fixes will be supported for the 2.5.x line until May 2022, at which point the project will have reached end-of-life.
== Update 09 July 2021 ==
The new Spring Authorization Server 0.1.2 is now available. According to the comments of Joe Grandja, there is no definite timeline for a production ready version and the APIs are still evolving.
== Update 19 August 2021 ==
The first officially supported production-ready version, Spring Authorization Server 0.2.0, is available : Spring Authorization Server goes to production !
== Update 24 March 2022 ==
Spring Authorization Server 0.2.3 is now available, but there is still no feature parity with the Authorization Server from the deprecated Spring Security OAuth project. Completed features can be found in the Github wiki. Advancement can be followed with the ZenHub board.
== Update 1 June 2022 ==
The Spring Security OAuth and Spring Security OAuth Boot 2 auto-configuration projects have reached end of life. See official blog post.
== Update 22 November 2022 ==
Spring Authorization Server 1.0 is now GA. It requires Spring 6, JDK 17 and Tomcat 10 or Jetty 11. Commercial support is available from VMware.
is OAuth2 Authorization server supported by Spring WebFlux? I mean is it possible to develop a reactive OAuth2 Authorization server in Spring? if no, when it will be added to the framework?
I think no, Authorization server is out of their roadmap. Starting from november the 13th every class in spring security which worked with Authorization server features become deprecated.
Spring Security OAuth 2.0 Roadmap Update (here the answer on you question)
#mhrsalehi, please checkout my repo. I added an implementation of old OAuth2 Authorization server for webflux. Currently only support /oauth/token if you want support for any other endpoints please submit a ticket or PR.
Github: spring-reactive-authorization-server
I need to add realtime updates to a system. I'm using Grails 2.5.0 with Grails Spring Security Core 2.0 RC4, which is based on Spring Security 3.2.3. There's a Grails plugin to add Spring 4.0 WebSocket support (https://github.com/zyro23/grails-spring-websocket/tree/1.3.x), but I'm unsure of how to handle authentication. How can I integrate the authentication?
Alternatively, I can start a separate web app to handle the realtime updates using Spring Security 4.0 with the latest WebSocket plugin, but I would prefer to use my current, production ready authentication system instead of attempting to clone the current one.
spring security support for websocket starts with spring security 4.
what you could do is securing message subscriptions and sending (client --> server) with a ChannelInterceptor. maybe this example helps: https://jira.spring.io/browse/SEC-2546