Introduce Migration Guidance for Spring Security's OAuth 2.0 Support

[jzheaux]

Spring Security 5.0 introduced first-class support for OAuth 2.0, yet many aren't aware of this change or they are struggling with understanding how to change their existing code to use the new support.

There's a migration guide for Spring Security 3 to 4 which contains several migration examples. This seems like a good format to repeat for migrating from Spring Security OAuth 2.x to Spring Security 5 in a new repository.

Also, it might be nice if these examples worked well with each other so that a user could mix and match them, according to their setup.

We should also consider updating/replacing the "Spring Boot and OAuth 2" guide.

I'll hold off on creating tickets for some of these, as I'd like to start a discussion about what other items may be needed and whether there is a better representation of the work to be done.

References

• Spring Security OAuth 2.0 Roadmap Update
• Next Generation OAuth 2.0 Support with Spring Security
• OAuth 2.0 Migration Guide
• OAuth 2.0 Features Matrix

[ankurpathak]

@jzheaux I would like to take it forward with your help and guidance.

[dfcoffin]

@jzheaux The migration guide will also need to address migration of the Authorization Server, since current Spring Security Oauth implementations are able to combine the Authorization and Resource Server function together.

[ankurpathak]

@dfcoffin Spring Security 5 support for Authorization Server yet to come. Correct me if I am not.

[dfcoffin]

@ankurpathak That is also my understand, which is why I suggested it needs to be added to any migration documentation project, so individuals attempting to migrate with Authorization Server Spring Security Oauth implementations don't start and then find out they can't complete the migration.

@jzheaux Please correct me if Spring Security 5.2.0 incorporates the Authorization Server support

[jgrandja]

@dfcoffin

Please correct me if Spring Security 5.2.0 incorporates the Authorization Server support

Authorization Server support has not started yet and therefore will not be included in the 5.2.0 release. We started planning from a high-level in #6320 but the work won't start until we're at RC1 phase for 5.2.0 (at least). The plan is to release initial support for Authorization Server in the 5.3.0 release.

[jzheaux]

@dcoffin, while 5.2 won't introduce new Authorization Server support, you are right that it would probably be valuable to make the migration scenarios clear to the reader (so they don't assume the guide is about Authorization Server). Also, we can add more scenarios when 5.3 is released.

[dfcoffin]

@jzheaux Is there a timeline for when 5.3 is planned for release? I have a legacy open source system built with Spring-Security-OAuth that requires support for both an Authorization and Resource Server capability in the same application. I',m planning to migrate to Spring Security 5, but lack of Authorization Server support is a blocking condition.

[jzheaux]

@dfcoffin Thanks for asking. No, 5.3 has not been slated yet; I'd imagine it would be some time mid next year.