Spring Security OAuth EOL: Migrate to Spring Security 5.7 & Authorization Server
Spring Security OAuth has reached end‑of‑life, with its documentation removed and code moved to a read‑only Spring attic repository; this guide explains how to detect deprecated dependencies, replace them with Spring Security 5.7’s OAuth2 Client, Resource Server, and the new Spring Authorization Server, ensuring a smooth migration to modern, supported authentication solutions.
Spring Security OAuth has reached end‑of‑life; the project stopped at version 2.5.2.RELEASE and will receive no further bug fixes.
The official documentation has been removed from spring.io (now 404) and the code repository has been moved to the Spring “attic” (spring‑attic) as read‑only.
All related Spring Boot auto‑configuration repositories have also been migrated and are no longer available.
Migration Guide
Dependency Check
Run mvn dependency:tree to find any of the following deprecated dependencies and replace them:
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth-parent</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth</groupId>
<artifactId>spring-security-oauth2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-jwt</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.security.oauth.boot</groupId>
<artifactId>spring-security-oauth2-autoconfigure</artifactId>
</dependency>New OAuth2 Alternatives
Developers need to understand OAuth2.0, OAuth2.1 and OIDC 1.0.
Spring Security 5 already includes OAuth2 Client and Resource Server modules. For migration, upgrade to Spring Security 5.7.x (compatible with Spring 6) and add the following dependencies:
OAuth2 Client
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>Resource Server
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>Authorization Server
The recommended server is Spring Authorization Server (version 0.3.0), which requires Java 11+ and is added as:
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-oauth2-authorization-server</artifactId>
<version>0.3.0</version>
</dependency>Spring Boot starters for the authorization server will be provided soon.
Conclusion
Although Spring Security OAuth is deprecated, projects can continue using it if necessary, but migration to the newer Spring Security OAuth2 stack is strongly recommended for better maintainability and future Spring Cloud compatibility.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.