Reputation: 127
When will spring-authorization-server support Spring Boot 2.6.x and spring-boot-starter-oauth2-client
I don't want to repeat previous other threads. I just don't see this being tracked anywhere although it is a known issue. If it is tracked, please point me in the right direction.
Currently spring-authorization-server works with Spring Boot 2.5.x. It is known that there is an inconsistency with the spring-boot-starter-oauth2-client implementation and the Jwt tokens and that of spring-authorization-server.
This means you can successfully run spring-authorization-server with Spring Boot 2.6.x BUT you cannot add the dependency spring-boot-starter-oauth2-client.
And that's where I'm stuck. I wanted to implement a federated security example using the federated sample located in the codebase here: https://github.com/spring-projects/spring-authorization-server/tree/main/samples/federated-identity-authorizationserver
2022-04-25 14:14:34.067 ERROR 54601 --- [ XNIO-1 task-2] io.undertow.request : UT005023: Exception handling request to /oauth2/token
java.lang.IllegalAccessError: failed to access class org.springframework.security.oauth2.jwt.JoseHeader from class org.springframework.security.oauth2.server.authorization.token.JwtGenerator (org.springframework.security.oauth2.jwt.JoseHeader and org.springframework.security.oauth2.server.authorization.token.JwtGenerator are in unnamed module of loader 'app')
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:130) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.token.JwtGenerator.generate(JwtGenerator.java:59) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.token.DelegatingOAuth2TokenGenerator.generate(DelegatingOAuth2TokenGenerator.java:60) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider.authenticate(OAuth2AuthorizationCodeAuthenticationProvider.java:212) ~[spring-security-oauth2-authorization-server-0.2.3.jar:0.2.3]
What's the status of this inconsistency?
Upvotes: 0
Views: 1444
Answers (2)
Reputation: 127
Spring Authorization Server v0.3.0 has been released and there is no longer a discrepancy between SAS and Spring Security OAuth.
🦸♂️
Upvotes: 0
Reputation: 438
As a workaround, you can move the security-oauth2-authorization-server dependency before any other spring-boot dependencies declaration inside the pom, that will force classloader to load the org.springframework.security.oauth2.jwt.JoseHeader from security-oauth2-authorization-server. Please read https://github.com/spring-projects/spring-authorization-server/issues/518#issuecomment-1017332290
Upvotes: 1
Related Questions
- What is the replacement for the deprecated AuthorizationServer in Spring Security?
- Current SpringBoot OAuth2 approach
- Deprecate spring-security-oauth as a client
- Spring Boot 2.0.0 + OAuth2
- Spring Security Version
- How to make spring-boot 1.5.0 support this oauth2 solution?
- SpringBoot 1.5.x + Security + OAuth2
- Spring boot 2.0.0.M6 OAuth2 web application client. No @EnableOauth2Sso anymore; how to replace?
- Spring boot, security starter and OAuth2 client
- Does spring-security 3.1 support spring-security-oauth (for oauth2)? Is there a reference?