Currently in the Spring ecosystem, OAuth support has spread to a number of projects, including Spring Security Cloud, Spring Security OAuth, Spring Boot, and the edition of Spring Security (5.x+). This has created a lot of confusion within the community and no single source of ownership. The approach taken by the Spring team is to consolidate this and start maintaining everything regarding to OAuth with Spring Security. Important components that are part of OAuth, namely the authorization server, the resource server, and next-level support for OAuth2, as well as OpenID Connect 1.0, are expected to be added to Spring Security by the end of 2018. The Spring Security roadmap clearly states that by mid-2018, support for the resource server would be added, and the authorization server by the end of 2018.

The Spring Security OAuth project, as it stands at the time of writing this book, is in maintenance mode. This means that there will be a release for bug/security fixes, along with minor features. No major features are planned to be added to this project going forward.

The full OAuth2 feature matrix available in various Spring projects can be found at https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix.

At the time of writing this book, most of the features that we require to implement OAuth is available as part Spring Security OAuth project, which is in maintenance mode.