hey everyone i have a quick question: since the authorization server for oauth2 is deprecated now, w...

tjb

12/18/2019, 5:18 PM

hey everyone i have a quick question: since the authorization server for oauth2 is deprecated now, what is the preferred method to have oauth2 in spring going forward?

Mike

12/18/2019, 7:04 PM

I believe it's in Spring Security now, isn't it? Whereas before, it was a standalone dependency.

tjb

12/18/2019, 9:21 PM

@EnableAuthorizationServer

is deprecated 😕

Mike

12/18/2019, 9:44 PM

I mean I believe all the Oauth code has been moved to Spring Security. Here's a migration from spring-security-oauth library. https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide

ashmelev

12/18/2019, 11:59 PM

I ran into the same issue. That document you linked states

Since Spring Security doesn't provide Authorization Server support, migrating a Spring Security OAuth Authorization Server is out of scope for this document.

I had to revert to V2.3.5 of the OAuth2 library to continue working as I could not find any doc explaining how to migrate the Auth Server side of things.

Mike

12/19/2019, 1:22 AM

Ah, okay. I wonder what Pivotal's plans or intentions are in this regard. I guess we'll ha e to wait and see.

Ben Madore

12/20/2019, 7:41 PM

I don’t htink they have any plans. they recommend peopel stop rolling their own and use a third party tool. https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update#no-authorization-server-support

💯 1

👆 1

Ben Madore

12/20/2019, 7:42 PM

We are most definitely not promoting users to “build-their-own” authorization server. This would be a huge mistake for any team to take on unless they are solely focused on the application security domain and are specialists. It is extremely difficult to build a secure provider and really should be left to the specialists that provide these types of products. What we are promoting is to buy or leverage an open source provider for your application platform. The Spring Security team leverages Keycloak (https://www.keycloak.org/) for our internal development for client and resource server. It’s open-source and a much better option than to build your own.

10 Views

Open in Slack

Previous Next

kotlinlang

A modern programming language that makes developers happier.