Spring-security: Introduce Migration Guidance for Spring Security's OAuth 2.0 Support

Created on 2 Apr 2019 · 8 Comments · Source: spring-projects/spring-security

Spring Security 5.0 introduced first-class support for OAuth 2.0, yet many aren't aware of this change or they are struggling with understanding how to change their existing code to use the new support.

There's a migration guide for Spring Security 3 to 4 which contains several migration examples. This seems like a good format to repeat for migrating from Spring Security OAuth 2.x to Spring Security 5 in a new repository.

Also, it might be nice if these examples worked well with each other so that a user could mix and match them, according to their setup.

We should also consider updating/replacing the "Spring Boot and OAuth 2" guide.

I'll hold off on creating tickets for some of these, as I'd like to start a discussion about what other items may be needed and whether there is a better representation of the work to be done.

References

oauth2

All 8 comments

@jzheaux I would like to take it forward with your help and guidance.

@jzheaux The migration guide will also need to address migration of the Authorization Server, since current Spring Security OAuth implementations are able to combine the Authorization and Resource Server functions together.

@dfcoffin Spring Security 5 support for Authorization Server is yet to come. Correct me if I am not.

@ankurpathak That is also my understanding, which is why I suggested it needs to be added to any migration documentation project, so individuals attempting to migrate with Authorization Server Spring Security OAuth implementations don't start and then find out they can't complete the migration.

@jzheaux Please correct me if Spring Security 5.2.0 incorporates the Authorization Server support.

@dfcoffin

> Please correct me if Spring Security 5.2.0 incorporates the Authorization Server support

Authorization Server support has not started yet and therefore will not be included in the 5.2.0 release. We started planning from a high-level in #6320 but the work won't start until we're at RC1 phase for 5.2.0 (at least). The plan is to release initial support for Authorization Server in the 5.3.0 release.

@dfcoffin, while 5.2 won't introduce new Authorization Server support, you are right that it would probably be valuable to make the migration scenarios clear to the reader (so they don't assume the guide is about Authorization Server). Also, we can add more scenarios when 5.3 is released.

@jzheaux Is there a timeline for when 5.3 is planned for release? I have a legacy open source system built with Spring-Security-OAuth that requires support for both an Authorization and Resource Server capability in the same application. I'm planning to migrate to Spring Security 5, but lack of Authorization Server support is a blocking condition.

@dfcoffin Thanks for asking. No, 5.3 has not been slated yet; I'd imagine it would be some time mid next year.
