MMS • Johan Janssen
Article originally posted on InfoQ.
Just over two years since it was introduced to the Java community, Spring Authorization Server 1.0 is planned for a GA release in November 2022. The Spring Authorization Server project replaces the Spring Security OAuth project that has already been declared as end-of-life. The project is led by the Spring Security team and delivers support for OAuth 2.1 Authorization Server for Spring applications.
The project is based on Spring Security 6.0, which depends on Spring Framework 6.0 and requires at least Java 17 and Tomcat 10 or Jetty 11. The public APIs and the configuration are still being improved, which will result in breaking changes for consuming applications.
GitHub’s Milestones display the various upcoming milestone releases and release candidates leading to the release of Spring Authorization Server 1.0. Additionally, Spring Authorization Server 0.4.0 will be released based on Spring Security 5.x and Java 8.
First introduced ten years ago, Spring Security OAuth evolved into a popular project supporting a large portion of the OAuth specification. It was the basis for OAuth solutions in various projects, both for the consumer and provider side, such as the CloudFoundry User Account and Authentication (UAA). Both OAuth 1.0 and 2.0 were supported, although 1.0 is now obsolete. Unfortunately, the implementation didn’t support some user scenarios, and a large part of it was written by the Spring team.
Written from scratch solely for OAuth 2.0, Spring Authorization Server is based on the Nimbus library, supporting more features such as JSON Web Token (JWT) claims, OpenID Connect (OIDC) and reactive programming.
VMware Tanzu offers both Open Source Software Support and Commercial Support for Spring Authorization Server.
The Spring project welcomes contributions and recommends reading the contributing documentation for Spring Authorization Server.