Safeguard
AppSec

Securing Spring Security OAuth2 and JOSE Dependencies

spring-security-oauth2-jose sits at the center of many Java auth stacks, but the legacy project is deprecated and its JOSE/JWT dependencies carry their own patch history; here is how to assess and reduce the risk.

Safeguard Research Team
Research
6 min read

Spring-security-oauth2-jose is the Nimbus-backed JOSE/JWT support module bundled with the legacy Spring Security OAuth2 project, and it matters for security because that legacy project has been officially deprecated in favor of Spring Security's native OAuth2 support and Spring Authorization Server, which means teams still pinned to it are running unmaintained authentication infrastructure. If your dependency scan flags spring-security-oauth2 or the associated JOSE module, the finding is really two things at once: whatever specific CVEs apply to your pinned version, and the broader fact that you are on a project the maintainers have told everyone to move off of.

This post covers what the spring-security-oauth2 and JOSE dependency chain actually does, why the legacy project's deprecation is itself a security signal, and how to plan the migration.

What does spring-security-oauth2 maven actually pull in?

The legacy spring-security-oauth2 library provided OAuth2 and OpenID Connect client and authorization server support for Spring applications before Spring Security added first-class, native OAuth2 support. As part of handling tokens, it depends on JOSE (JSON Object Signing and Encryption) libraries, typically Nimbus JOSE+JWT, to parse, validate, and verify signed and encrypted JWTs. When you pull spring-security-oauth2 into a Maven build, you are transitively pulling in that JOSE handling code as well, which is why the two show up together in dependency trees and in vulnerability scan output.

This matters because JWT handling code is a high-value target for vulnerabilities: it parses attacker-supplied tokens, verifies cryptographic signatures, and makes authorization decisions based on the result. A parsing or validation bug in the JOSE layer can translate directly into an authentication bypass or a denial-of-service condition, since the whole point of the library is to gate access based on token validity.

Why does the deprecation itself matter, separate from any specific CVE?

The Spring team deprecated the standalone spring-security-oauth2 project years ago and has directed users toward Spring Security's built-in OAuth2 client and resource server support, along with Spring Authorization Server for anyone building an authorization server. That deprecation is a security-relevant fact independent of whatever the current CVE count looks like, because it tells you future vulnerabilities in the legacy code path may not get the same maintenance priority as issues found in the actively developed replacement.

This is a similar dynamic to running an end-of-life language runtime: the absence of an active maintenance commitment is itself the risk, not just whatever is already known and patched. Teams that see "no open CVEs currently" on a legacy, deprecated dependency sometimes read that as "safe," when the more accurate read is "not currently known to be vulnerable, with less confidence that the next issue gets fixed quickly."

How should you assess your actual exposure?

Start by identifying whether you are using the legacy spring-security-oauth2 artifact at all, versus Spring Security's native spring-security-oauth2-client and spring-security-oauth2-resource-server modules, which are part of the actively maintained Spring Security project and a different dependency lineage despite the similar naming. Confusing the two is common, since the names overlap, but only the legacy standalone project carries the deprecation concern described here.

If you are on the legacy project, check your resolved version of the JOSE/JWT dependency specifically, since it is often the component with the more active patch history in this chain, and Maven's transitive resolution can leave you on an older pinned version than you expect if a parent POM or BOM constrains it. A dependency tree command (mvn dependency:tree) will show you exactly what version is actually resolved, which is not always obvious from your own pom.xml alone.

What is the actual remediation path?

For anyone still on the legacy project, the real fix is migration, not just a version bump, since the legacy project is not where active development happens anymore. Spring's own migration guidance moves client-side OAuth2 flows to Spring Security's native OAuth2 client support, and moves authorization-server use cases to Spring Authorization Server, which was built specifically to replace the legacy project's server-side functionality. This is a genuine migration effort involving configuration and sometimes code changes, not a drop-in dependency swap, so budget real time for it rather than treating it as a routine patch.

While migration is planned, make sure whatever JOSE/JWT version is actually resolved in your build is current, since that narrows your exposure to known parsing and validation issues in the interim. Pin the JOSE dependency explicitly in your build if your dependency management is pulling in an older transitive version than the latest available, rather than leaving it to whatever the legacy project's own POM specifies.

An SCA scan run against your Maven dependency graph will catch both the legacy artifact's presence and the specific resolved version of its JOSE dependency, which is the fastest way to get a concrete list of what needs attention rather than working from tribal knowledge about what your team thinks is still in use. Pair that with a SAST scan of your actual token validation logic, since custom code wrapped around a library call, for example weak signature algorithm allow-lists, can reintroduce risk even on an otherwise current dependency.

FAQ

Is spring-security-oauth2 the same thing as Spring Security's OAuth2 support?

No, and the naming overlap causes real confusion. The legacy standalone spring-security-oauth2 project is deprecated. Spring Security's native oauth2-client and oauth2-resource-server modules are actively maintained and are the recommended path forward.

Do I need to migrate immediately if I have no open CVEs today?

Not necessarily immediately, but plan for it. The absence of a currently known CVE on a deprecated project is not the same guarantee as being on an actively maintained one, and migration effort tends to grow, not shrink, the longer you wait and the more application code accumulates around the legacy APIs.

What does Nimbus JOSE+JWT actually do in this stack?

It is the underlying library responsible for parsing, signing, and verifying JWTs and other JOSE-format tokens. Both the legacy Spring Security OAuth2 project and Spring Security's native OAuth2 support rely on JOSE libraries under the hood for this cryptographic and parsing work.

Is Spring Authorization Server a drop-in replacement?

It replaces the authorization-server functionality of the legacy project but with a different configuration model, so treat it as a migration with its own learning curve rather than a same-API replacement.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.