What is the relation between spring-security-oauth2-client and spring-security-oauth?

Question

There is a spring project spring-security-oauth http://projects.spring.io/spring-security-oauth/docs/oauth2.html

dev guide

Source code

And then under spring-security, there is also oauth

Source code

In springboot doc, it uses spring-security-oauth2-client, which is from spring-security

And in springboot OAuth2 tutorial , it uses yet another org.springframework.security.oauth.boot

What are the differences? And when to use which?

Answer 1

There's currently a transition period where spring-security-oauth2 has been put in maintenance mode while functionality is being consolidated from there and some other places into the new OAuth2 part of Spring Security 5.

See this post from the Spring team for detailed information!

Answer 2

Be careful that spring can handle the old protocol OAuth (V1), too. So you have to be shure which version you are using, both are not compatible to each other.

For securing your application, refer to this guide: https://ordina-jworks.github.io/microservices/2017/09/26/Secure-your-architecture-part1.html It provides information for many spring components and their interaction. Here, of course, OAuth2 is used.