Just over two years after its introduction to the Java community, Spring Authorization Server 1.0 is slated for a GA release in November 2022. The Spring Authorization Server project replaces the Spring Security OAuth project, which has already been declared end of life. The project is led by the Spring Security team and provides OAuth 2.1 authorization server support for Spring applications.
The project is based on Spring Security 6.0, which depends on Spring Framework 6.0 and requires at least Java 17 and Tomcat 10 or Jetty 11. Public APIs and configuration are still being improved, which will bring breaking changes for application consumers.
The GitHub milestones display the various upcoming releases and release candidates leading to the release of Spring Authorization Server 1.0. Also, Spring Authorization Server 0.4.0 will be released based on Spring Security 5.x and Java 8.
First introduced a decade ago, Spring Security OAuth has become a popular project supporting much of the OAuth specification. It was the basis for OAuth solutions in various projects, both consumer and provider, such as CloudFoundry User Account and Authentication (UAA). Both OAuth 1.0 and 2.0 were supported, although 1.0 is now deprecated. Unfortunately, the implementation didn’t support some user scenarios, and much of the implementation was written by the Spring team.
Written from the ground up just for OAuth 2.0, Spring Authorization Server is based on the Nimbus library, supporting more features like JSON Web Token (JWT), OpenID Connect (OIDC) claims, and reactive programming.
VMware Tanzu offers both open source software support and commercial support for Spring Authorization Server.
The Spring Project welcomes contributions and recommends reading the contributing documentation for Spring Authorization Server.