Why Spring Is Launching a New Authorization Server and What It Means for Developers

Spring announced a new community‑driven project called Spring Authorization Server , led by Spring Security , to provide authorization server support for the Spring ecosystem.

About ten years ago, Spring launched the community project Spring Security OAuth , which became a benchmark thanks to extensive community contributions.

However, Spring Security OAuth can no longer keep up with the evolving OAuth specifications, and many of its components are outdated, lacking a unified OAuth library that aligns with Spring products.

Rewriting OAuth support for Spring Security is a massive effort. The Spring team decided to split the work into client, resource server, and authorization server components. While third‑party authorization servers have proliferated, the team does not consider building an authorization server a common requirement, nor providing OAuth support without a dedicated library appropriate. Consequently, the Spring Security roadmap states that creating an authorization server will no longer be supported.

Following strong community feedback that the Spring ecosystem needs built‑in authorization server capabilities, the Spring Authorization Server project was proposed and is now in preparation, inviting contributors to help it succeed like its predecessor.

References:

Spring Authorization Server: https://github.com/spring-projects-experimental/spring-authorization-server

Spring Security OAuth roadmap: https://spring.io/blog/2019/11/14/spring-security-oauth-2-0-roadmap-update