OAuth 2.0 Migration Guide
This document contains guidance for moving from Spring Security OAuth 2.x to Spring Security 5.2.x.
Because the two approaches differ substantially, this document covers patterns rather than precise search-and-replace steps.
Spring Security takes a slightly different approach from Spring Security OAuth in a few notable ways.
Spring Security OAuth exposes two different DSLs for Resource Server. These are configured by extending `ResourceServerConfigurerAdapter`.

Spring Security exposes the same functionality via the Spring Security DSL, which is configured by extending `WebSecurityConfigurerAdapter`.
Spring Security OAuth's Resource Server support is enabled by adding the `@EnableResourceServer` annotation.

Spring Security's Resource Server support is enabled via the Spring Security DSL (`http.oauth2ResourceServer()`), with no additional annotation.
Spring Security OAuth has two locations for specifying authorization rules. The first is a `ResourceServerConfigurerAdapter`: any rules supplied there apply only to requests that carry a bearer token. The second is a `WebSecurityConfigurerAdapter`: any rules supplied there apply to requests where a bearer token is absent. A rule that exists in only one of the two adapters therefore does not apply to the other class of request, which is a common source of surprises when migrating.

Spring Security expects all authorization rules to be configured via one or more `WebSecurityConfigurerAdapter`s. Those rules apply to every matched request whether or not it carries a bearer token; a request with no token (or an invalid one) is simply unauthenticated, so `authenticated()` and `hasAuthority(...)` rules reject it with a 401 and a `WWW-Authenticate: Bearer` header.
Spring Security OAuth supports a custom SpEL variable called `oauth2`. To authorize requests or methods based on scope, you write an expression like `access("#oauth2.hasScope('scope')")`.

Spring Security instead maps each scope in the token to a `GrantedAuthority` that follows the granted authority naming convention: the scope is prefixed with `SCOPE_` (for JWTs the scopes are read from the `scope` or `scp` claim). To authorize requests or methods based on scope, you write an expression like `hasAuthority("SCOPE_scope")`; no custom SpEL variable is needed.
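The migration described above, both the move from two adapters and `@EnableResourceServer` to a single `WebSecurityConfigurerAdapter` and the replacement of `#oauth2.hasScope(...)` with `SCOPE_`-prefixed authorities, as an added side-by-side example. This is example code written for this guide, not code from the Spring Security project or its samples; the `message:read` scope, the `/messages/**` and `/public/**` paths, the `MessageService` class and the JWK Set URI are assumed for illustration.

```java
// Added example: the BEFORE classes (Spring Security OAuth 2.x) and the AFTER
// classes (Spring Security 5.2) are alternatives and would not be active in
// the same application. Each @Configuration class would normally live in its
// own file; they are package-private here only so the example is one listing.
// Paths, the "message:read" scope and the JWK Set URI are assumed values.
import java.util.Arrays;
import java.util.List;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.stereotype.Service;

// ---------- BEFORE: Spring Security OAuth 2.x ----------

@Configuration
@EnableResourceServer // turns on the legacy resource server filter chain
class LegacyResourceServerConfig extends ResourceServerConfigurerAdapter {

    // These rules are consulted only for requests that carry a bearer token.
    // "#oauth2" is the custom SpEL variable supplied by Spring Security OAuth.
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/messages/**").access("#oauth2.hasScope('message:read')")
                .anyRequest().authenticated();
    }
}

@Configuration
class LegacyWebSecurityConfig extends WebSecurityConfigurerAdapter {

    // These rules are consulted for requests where a bearer token is absent.
    // "/messages/**" carries no scope rule here; a token-less request to it is
    // rejected only because of anyRequest().authenticated().
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/public/**").permitAll()
                .anyRequest().authenticated();
    }
}

// ---------- AFTER: Spring Security 5.2 ----------

@Configuration
class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    // One adapter, one set of rules, applied to every request. A request with
    // no (or an invalid) bearer token is unauthenticated and is rejected by
    // authenticated() / hasAuthority() with 401 and WWW-Authenticate: Bearer.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                .antMatchers("/public/**").permitAll()
                // the "message:read" scope from the token's scope/scp claim is
                // exposed as the granted authority "SCOPE_message:read"
                .antMatchers("/messages/**").hasAuthority("SCOPE_message:read")
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt
                    // assumed URI; equivalently set the property
                    // spring.security.oauth2.resourceserver.jwt.jwk-set-uri
                    .jwkSetUri("https://idp.example.com/.well-known/jwks.json")
                )
            );
    }
}

// Method security follows the same substitution.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig {
}

@Service
class MessageService {

    // Before (Spring Security OAuth, which also required an
    // OAuth2MethodSecurityExpressionHandler for "#oauth2" to resolve):
    //   @PreAuthorize("#oauth2.hasScope('message:read')")
    // After (Spring Security 5.2), with no custom expression handler:
    @PreAuthorize("hasAuthority('SCOPE_message:read')")
    public List<String> findAll() {
        return Arrays.asList("hello", "world");
    }
}
```

When migrating, check each rule in the old `ResourceServerConfigurerAdapter` against the old `WebSecurityConfigurerAdapter`: any path that was only protected in one of them now gets a single rule that applies to both token-bearing and token-less requests, so decide explicitly whether it should be `permitAll()`, `authenticated()`, or scope-bound.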
Both Spring Security and Spring Security OAuth2 Boot have examples for how to configure Resource Server:

| Use case | Spring Security | Spring Security OAuth |
|---|---|---|
| JWT + JWK | | |
| JWT + Key | | |
| Opaque Token | | |
| w/ Actuator | | |
| Audience Validation | | |
| Authorizing Requests | | |