Migrate Spring OAuth to Spring Authorization Server with Java 8

This article explains how to migrate from the deprecated Spring Security OAuth to Spring Authorization Server, covering Java 8 compatibility, extended grant types, Redis token storage, token formatting enhancements, custom authorization code handling, and resource server improvements, all demonstrated on the PIG microservice platform.

Programmer DD

PIG Microservice Development Platform v3.5 released, officially supports Spring Authorization Server

The article uses the PIG microservice platform as a demo to illustrate migration from Spring Security OAuth to Spring Authorization Server (SAS) for authentication centers.

Background

The Spring team announced that Spring Security OAuth is no longer maintained and will not receive further updates.

The current OAuth2 authorization server in the Spring ecosystem is Spring Authorization Server, which is now ready for production use.

Spring Boot 2.7 deprecates many Spring Security configuration classes, making upgrades difficult.

Migration Process

1. Java 1.8 Support

The latest SAS 0.3 is built on Java 11 and cannot run on lower Java versions. Following discussion with the Spring Security team, version 0.3.1 will remain compatible with Java 1.8.

Together with the Spring Boot Chinese community, we compiled a Java 1.8 compatible build. Dependency coordinates:

<dependency>
  <groupId>io.springboot.security</groupId>
  <artifactId>spring-security-oauth2-authorization-server</artifactId>
  <version>0.3.0</version>
</dependency>

2. Authorization Mode Extensions

Extended support for password grant (SAS based on OAuth 2.1 does not support password grant).

Extended support for SMS login.

3. Redis Token Storage

The official project does not provide a Redis token persistence solution.

PIG adds PigRedisOAuth2AuthorizationService to support Redis token storage.

4. Token Output Formatting

Default token format when using introspection:

ku4R4n7YD1f584KXj4k_3GP9o-HbdY-PDIIh-twPVJTmvHa5mLIoifaNhbBvFNBbse6_wAMcRoOWuVs9qeBWpxQ5zIFrF1A4g1Q7LhVAfH1vo9Uc7WL3SP3u82j0XU5x

Custom token prefix format for efficient Redis lookup and RDM grouping:

unified-prefix::token-type::client-id::username::uuid

@Bean
public OAuth2TokenGenerator oAuth2TokenGenerator() {
  CustomeOAuth2AccessTokenGenerator accessTokenGenerator = new CustomeOAuth2AccessTokenGenerator();
  // inject token with associated user info
  accessTokenGenerator.setAccessTokenCustomizer(new CustomeOAuth2TokenCustomizer());
  return new DelegatingOAuth2TokenGenerator(accessTokenGenerator, new OAuth2RefreshTokenGenerator());
}
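
The prefixed format above, built and parsed with field validation so that no field can contain the `::` separator. This is an added example, not PIG's code; the class name `PrefixedTokenFormat`, the prefix value and the allow-list are assumptions, and `test` / `admin` are constructed sample values.

```java
import java.util.UUID;
import java.util.regex.Pattern;

/** Added illustration; not PIG's CustomeOAuth2AccessTokenGenerator. */
public final class PrefixedTokenFormat {
    private static final String SEP = "::";
    // Assumed prefix value; the article does not state the real one.
    private static final String PREFIX = "example_prefix";
    // Assumed allow-list: no ':' (separator) and no Redis glob characters
    // (*, ?, [) in case keys are ever matched by pattern.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_.@-]{1,64}");

    static String build(String tokenType, String clientId, String username) {
        for (String field : new String[] {tokenType, clientId, username}) {
            if (field == null || !SAFE.matcher(field).matches()) {
                throw new IllegalArgumentException("unsafe token field");
            }
        }
        // UUID.randomUUID() draws from SecureRandom (122 random bits); it is the
        // only secret part, since the other fields are known or guessable.
        return String.join(SEP, PREFIX, tokenType, clientId, username,
                UUID.randomUUID().toString());
    }

    /** Splits a presented token; rejects anything but five well-formed fields. */
    static String[] parse(String token) {
        String[] parts = token == null ? new String[0] : token.split(SEP, -1);
        if (parts.length != 5 || !PREFIX.equals(parts[0])) {
            throw new IllegalArgumentException("malformed token");
        }
        for (int i = 1; i <= 3; i++) {
            if (!SAFE.matcher(parts[i]).matches()) {
                throw new IllegalArgumentException("malformed token");
            }
        }
        UUID.fromString(parts[4]); // throws IllegalArgumentException if malformed
        return parts;
    }

    public static void main(String[] args) {
        String token = build("access_token", "test", "admin");
        System.out.println(String.join(" | ", parse(token)));
        try {
            build("access_token", "test", "admin::other"); // separator in username
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the client ID and username are readable in the token value, its unpredictability rests on the UUID alone, and the account name is exposed wherever the token is logged or displayed.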

5. Token Output Enhancement

Enhanced token JSON includes user information:

{
  "sub": "admin",
  "clientId": "test",
  "access_token": "xx",
  "refresh_token": "xx",
  "license": "https://pig4cloud.com",
  "user_info": {
    "username": "admin",
    "accountNonExpired": true,
    "accountNonLocked": true,
    "credentialsNonExpired": true,
    "enabled": true,
    "id": 1,
    "deptId": 1,
    "phone": "17034642999",
    "name": "admin",
    "attributes": {}
  }
}

6. Authorization Code Customization

Inject a custom confirmation page for the authorization‑code flow.

7. Resource Server Enhancements

Introspection scheme extended to support local resource server queries.

Default resource server introspection mode.

Extended local introspection for resource server.

Advantages: 1) real‑time user status updates; 2) fewer network calls, which improves performance.

References

PIG Microservice: https://github.com/pig-mesh/pig

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
