diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index fcf1c76d4..aaeb72f2a 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -1,5 +1,14 @@ + + ### Summary diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 70c6c946d..570bf5e02 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,5 +1,14 @@ + + org.apache.maven.wagon @@ -458,11 +479,15 @@ org.apache.maven.plugins maven-surefire-plugin + 2.20 ${skipTests} **/*Tests.java + 3 + true + -Xmx1024m -XX:MaxPermSize=256m @@ -527,6 +552,7 @@ org.apache.maven.plugins maven-jxr-plugin + 2.4 @@ -534,8 +560,8 @@ - static.springframework.org - scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth + static.spring.io + scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version} diff --git a/samples/README.md b/samples/README.md index a7e0298a5..9140c388e 100644 --- a/samples/README.md +++ b/samples/README.md @@ -1,3 +1,9 @@ +### Deprecation Notice + +The Spring Security OAuth project is deprecated. The latest OAuth 2.0 support is provided by Spring Security. See the [OAuth 2.0 Migration Guide](https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide) for further details. + +--- + These are the Spring Security OAuth sample apps and integration tests. They are split into OAuth (1a) and OAuth2 samples. Look in the subdirectory `oauth` and `oauth2` respectively for components of the diff --git a/samples/oauth/sparklr/pom.xml b/samples/oauth/sparklr/pom.xml index 1df6df27b..7d4bca68c 100644 --- a/samples/oauth/sparklr/pom.xml +++ b/samples/oauth/sparklr/pom.xml @@ -5,7 +5,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT ../../.. diff --git a/samples/oauth/tonr/pom.xml b/samples/oauth/tonr/pom.xml index 885fe7659..69181c8a7 100644 
--- a/samples/oauth/tonr/pom.xml +++ b/samples/oauth/tonr/pom.xml @@ -5,7 +5,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT ../../.. diff --git a/samples/oauth2/sparklr/pom.xml b/samples/oauth2/sparklr/pom.xml index 31462d785..66dc607e4 100644 --- a/samples/oauth2/sparklr/pom.xml +++ b/samples/oauth2/sparklr/pom.xml @@ -5,7 +5,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT ../../.. @@ -15,7 +15,7 @@ /sparklr2 - 2.9.10 + 2.10.5.1 3.0.1 @@ -23,7 +23,7 @@ spring5 - 2.9.10 + 2.10.5.1 3.1.0 @@ -186,7 +186,7 @@ org.apache.httpcomponents httpclient - 4.5.10 + 4.5.13 test diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java index ebacd9eef..a054cf85c 100644 --- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java +++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/config/OAuth2ServerConfig.java @@ -131,7 +131,7 @@ public void configure(ClientDetailsServiceConfigurer clients) throws Exception { .authorizedGrantTypes("authorization_code", "client_credentials") .authorities("ROLE_CLIENT") .scopes("read", "trust") - .redirectUris("https://anywhere/?key=value") + .redirectUris("http://localhost:8080/tonr2/sparklr/photos") .and() .withClient("my-trusted-client") .authorizedGrantTypes("password", "authorization_code", "refresh_token", "implicit") diff --git a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java index 215b29653..20a37ac4c 100644 
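Review bot: The redirect URI now registered at `.redirectUris(...)` for this authorization_code client is a hard-coded plain-HTTP localhost address, and nothing next to it marks it as a sample-only value. Readers copy sample configuration, so a comment above the call would help, for example `// Sample only: exact callback of the local tonr2 app; real clients must register their exact https redirect URIs.` As rendered on this page the literal begins with `/service/`. That may be a display artifact, but if the prefix is really in the file the value is not an absolute URI and would never equal the client's callback, so it is worth confirming. The body of configure() starts and ends outside this hunk.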
--- a/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java +++ b/samples/oauth2/sparklr/src/main/java/org/springframework/security/oauth/examples/sparklr/mvc/AdminController.java @@ -97,8 +97,7 @@ private void checkResourceOwner(String user, Principal principal) { if (principal instanceof OAuth2Authentication) { OAuth2Authentication authentication = (OAuth2Authentication) principal; if (!authentication.isClientOnly() && !user.equals(principal.getName())) { - throw new AccessDeniedException(String.format("User '%s' cannot obtain tokens for user '%s'", - principal.getName(), user)); + throw new AccessDeniedException("User cannot obtain tokens for user"); } } } diff --git a/samples/oauth2/tonr/pom.xml b/samples/oauth2/tonr/pom.xml index 92ed654be..43bdf16e4 100644 --- a/samples/oauth2/tonr/pom.xml +++ b/samples/oauth2/tonr/pom.xml @@ -6,7 +6,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT ../../.. @@ -16,7 +16,7 @@ /tonr2 - 2.9.10 + 2.10.5.1 3.0.1 @@ -24,7 +24,7 @@ spring5 - 2.9.10 + 2.10.5.1 3.1.0 @@ -129,12 +129,6 @@ ${project.groupId} spring-security-oauth2 ${project.version} - - - org.codehaus.jackson - jackson-mapper-asl - - diff --git a/samples/pom.xml b/samples/pom.xml index d1ed6c75c..4f4e8cf28 100755 --- a/samples/pom.xml +++ b/samples/pom.xml @@ -4,7 +4,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT spring-security-oauth-samples @@ -37,8 +37,8 @@ - static.springframework.org - scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth/samples + static.spring.io + scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version} diff --git a/spring-security-jwt/pom.xml b/spring-security-jwt/pom.xml index 001707e6c..87b274878 100755 --- a/spring-security-jwt/pom.xml 
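Review bot: The replacement message `"User cannot obtain tokens for user"` in checkResourceOwner reads as a sentence with its nouns removed, and the denial now leaves no record of who asked for whose tokens. Keeping both names out of the exception text is reasonable because that text can reach the caller, but the wording could say what was refused, e.g. `throw new AccessDeniedException("Authenticated user may not access another user's tokens");`. If the class has a logger (none is visible in this hunk), log `principal.getName()` and the requested `user` server-side just before the throw, with the request-supplied value sanitised for line breaks. Separately, a principal that is not an `OAuth2Authentication` skips the ownership check entirely; that predates this change, but a one-line comment saying it is intended would help. The method signature appears only in the hunk header.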
+++ b/spring-security-jwt/pom.xml @@ -5,7 +5,7 @@ org.springframework.security spring-security-jwt - 1.0.12.BUILD-SNAPSHOT + 1.1.2.BUILD-SNAPSHOT jar Spring Security JWT Library @@ -29,7 +29,7 @@ org.bouncycastle bcpkix-jdk15on - 1.64 + 1.69 @@ -124,8 +124,8 @@ - static.springframework.org - scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth + static.spring.io + scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version} diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java index 029e563f3..da7775c2c 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/AlgorithmMetadata.java @@ -13,8 +13,12 @@ package org.springframework.security.jwt; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface AlgorithmMetadata { /** * @return the JCA/JCE algorithm name. diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java index 1ca933a7f..c570c6599 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/BinaryFormat.java @@ -13,8 +13,12 @@ package org.springframework.security.jwt; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface BinaryFormat { byte[] bytes(); } diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java index 97b67af47..1e1542a03 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/Jwt.java @@ -15,8 +15,12 @@ import org.springframework.security.jwt.crypto.sign.SignatureVerifier; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface Jwt extends BinaryFormat { String getClaims(); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java index cba16c5d0..4ea77b416 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtAlgorithms.java @@ -18,8 +18,12 @@ import org.springframework.security.jwt.crypto.cipher.CipherMetadata; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class JwtAlgorithms { private static final Map sigAlgs = new HashMap(); private static final Map javaToSigAlgs = new HashMap(); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java index b2d192155..04e743efb 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/JwtHelper.java @@ -29,9 +29,13 @@ import org.springframework.security.jwt.crypto.sign.Signer; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor * @author Dave Syer */ +@Deprecated public class JwtHelper { static byte[] PERIOD = utf8Encode("."); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java index d2f63894e..28f31c527 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/codec/Codecs.java @@ -20,8 +20,12 @@ /** * Functions for Hex, Base64 and Utf8 encoding/decoding * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class Codecs { private static Charset UTF8 = Charset.forName("UTF-8"); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java index 5e9d107f7..d65e6c2eb 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/cipher/CipherMetadata.java @@ -15,8 +15,12 @@ import org.springframework.security.jwt.AlgorithmMetadata; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface CipherMetadata extends AlgorithmMetadata { /** * @return Size of the key in bits. diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java index 38c7bffb9..505d6dafb 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/EllipticCurveVerifier.java @@ -23,9 +23,13 @@ /** * Verifies signatures using an Elliptic Curve public key. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Michael Duergner * @since 2.3 */ +@Deprecated public class EllipticCurveVerifier implements SignatureVerifier { private final ECPublicKey key; private final String algorithm; diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java index be63ca705..6c7ef3e3c 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/InvalidSignatureException.java @@ -13,8 +13,12 @@ package org.springframework.security.jwt.crypto.sign; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class InvalidSignatureException extends RuntimeException { public InvalidSignatureException(String message) { super(message); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java index 2f6c0add2..1aabb2f42 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/MacSigner.java @@ -18,8 +18,12 @@ import javax.crypto.spec.SecretKeySpec; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class MacSigner implements SignerVerifier { private static final String DEFAULT_ALGORITHM = "HMACSHA256"; diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java index f15862a5e..69a87874c 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaKeyHelper.java @@ -12,20 +12,23 @@ */ package org.springframework.security.jwt.crypto.sign; -import static org.springframework.security.jwt.codec.Codecs.b64Decode; -import static org.springframework.security.jwt.codec.Codecs.utf8Encode; +import org.bouncycastle.asn1.ASN1Sequence; import java.io.ByteArrayInputStream; import java.io.IOException; import java.math.BigInteger; import java.security.*; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; import java.security.interfaces.RSAPublicKey; import java.security.spec.*; import java.util.Arrays; import java.util.regex.Matcher; import java.util.regex.Pattern; -import org.bouncycastle.asn1.ASN1Sequence; +import static org.springframework.security.jwt.codec.Codecs.b64Decode; +import static org.springframework.security.jwt.codec.Codecs.utf8Encode; /** * Reads RSA key pairs using BC provider classes but without the 
@@ -72,6 +75,10 @@ static KeyPair parseKeyPair(String pemData) { org.bouncycastle.asn1.pkcs.RSAPublicKey key = org.bouncycastle.asn1.pkcs.RSAPublicKey.getInstance(seq); RSAPublicKeySpec pubSpec = new RSAPublicKeySpec(key.getModulus(), key.getPublicExponent()); publicKey = fact.generatePublic(pubSpec); + } else if (type.equals("CERTIFICATE")) { + CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); + Certificate certificate = certificateFactory.generateCertificate(new ByteArrayInputStream(content)); + publicKey = certificate.getPublicKey(); } else { throw new IllegalArgumentException(type + " is not a supported format"); } @@ -81,12 +88,15 @@ static KeyPair parseKeyPair(String pemData) { catch (InvalidKeySpecException e) { throw new RuntimeException(e); } + catch (CertificateException e) { + throw new RuntimeException(e); + } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); } } - private static final Pattern SSH_PUB_KEY = Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*) (.*)"); + private static final Pattern SSH_PUB_KEY = Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*) ?(.*)"); static RSAPublicKey parsePublicKey(String key) { Matcher m = SSH_PUB_KEY.matcher(key); diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java index 04ed3cff5..6439fed67 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaSigner.java @@ -23,8 +23,12 @@ * The key can be supplied directly, or as an SSH private key string (in * the standard format produced by ssh-keygen) * + *
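Review bot: The new `CERTIFICATE` branch in parseKeyPair assigns `certificate.getPublicKey()` without checking that the key is RSA, and the added lines contain no validity or chain check. A PEM certificate carrying an EC or DSA key would yield a KeyPair whose public half is not an RSA key. A caller that casts it to RSAPublicKey would then fail later with a ClassCastException, rather than with the IllegalArgumentException this method uses for other unsupported input. Consider `if (!(certificate.getPublicKey() instanceof RSAPublicKey)) { throw new IllegalArgumentException("Certificate does not contain an RSA public key"); }` before the assignment. A short comment should also state that the certificate is treated as a bare key container, and that its trust and expiry are the caller's responsibility. parseKeyPair starts and ends outside this hunk.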
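Review bot: Making the separator optional in `SSH_PUB_KEY` with ` ?(.*)` also allows arbitrary characters to follow the base64 blob with no space at all. Assuming the matcher is applied with `matches()`, a string such as `ssh-rsa AAAA#junk` (constructed example) was rejected before and is now accepted, with the tail silently treated as a comment. Tying the space to the comment keeps the no-comment case and still rejects run-on input: `Pattern.compile("ssh-(rsa|dsa) ([A-Za-z0-9/+]+=*)(?: (.*))?")`. Group 3 is then null when the comment is absent, so check whether parsePublicKey, whose body lies outside this hunk, reads it. The added `catch (CertificateException e)` rethrows a bare `RuntimeException`, matching the `InvalidKeySpecException` handler beside it; an `IllegalArgumentException` would tell callers that the input was at fault.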

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class RsaSigner implements Signer { static final String DEFAULT_ALGORITHM = "SHA256withRSA"; diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java index dc3944d21..0e7cede4c 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/RsaVerifier.java @@ -22,8 +22,12 @@ * The key can be supplied directly, or as an SSH public or private key string (in * the standard format produced by ssh-keygen). * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public class RsaVerifier implements SignatureVerifier { private final RSAPublicKey key; private final String algorithm; diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java index a74fc6c88..41253fbae 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignatureVerifier.java @@ -15,8 +15,12 @@ import org.springframework.security.jwt.AlgorithmMetadata; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface SignatureVerifier extends AlgorithmMetadata { void verify(byte[] content, byte[] signature); } diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java index 5067e8b6f..ca675671f 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/Signer.java @@ -15,8 +15,12 @@ import org.springframework.security.jwt.AlgorithmMetadata; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface Signer extends AlgorithmMetadata { byte[] sign(byte[] bytes); } diff --git a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java index 3e5307438..d75dd5f7e 100644 --- a/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java +++ b/spring-security-jwt/src/main/java/org/springframework/security/jwt/crypto/sign/SignerVerifier.java @@ -13,7 +13,11 @@ package org.springframework.security.jwt.crypto.sign; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor */ +@Deprecated public interface SignerVerifier extends Signer, SignatureVerifier { } diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java index b0901127d..5efbfe88d 100644 --- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java +++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/cipher/RsaTestKeyData.java @@ -97,6 +97,12 @@ public class RsaTestKeyData { + "eJQ4nUR0pkfEaeRWOmzWE/3wC9DHoSmYoTF7B3gwyPvuBFgB5KjSk+G6AuubLkMs+jFJQZJkQcI+UJ859MC3024ThjBukLAN8OZBv7" + "2d6rtDQ/Ca0/qMWtXhVneKvZxZg5MXoVwvtkidwbdoK9fGnylRDs0+KZh3vR0Q+67V blah@blah.local"; + public static final String SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT = "ssh-rsa " + + "AAAAB3NzaC1yc2EAAAADAQABAAABAQDABE3hLtnRqxISPrX5Ii+1RS4eil399+d7UJtodc3GP9wjitjSTkQtnZIYIVWCbH1cAMkmFi" + + "hAiY768zEUCptbHI7jkHWtlHWrQKEQVYsY+Y0H59jxOsUciMlvzvezR3YVNgM7Cy3od0o+NeQt2AYc7grV8uc7VxAcoaCUEq9zhlJW" + + "eJQ4nUR0pkfEaeRWOmzWE/3wC9DHoSmYoTF7B3gwyPvuBFgB5KjSk+G6AuubLkMs+jFJQZJkQcI+UJ859MC3024ThjBukLAN8OZBv7" + + "2d6rtDQ/Ca0/qMWtXhVneKvZxZg5MXoVwvtkidwbdoK9fGnylRDs0+KZh3vR0Q+67V"; + public static final String SSH_PUBLIC_KEY_OPENSSL_PEM_STRING = "-----BEGIN PUBLIC KEY-----\n" + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwARN4S7Z0asSEj61+SIv\n" + 
@@ -117,4 +123,24 @@ public class RsaTestKeyData { "L7ZIncG3aCvXxp8pUQ7NPimYd70dEPuu1QIDAQAB\n" + "-----END RSA PUBLIC KEY-----"; + public static final String SSH_X509_CERTIFICATE_PEM_STRING = "-----BEGIN CERTIFICATE-----\n" + + "MIIDHDCCAgSgAwIBAgIJAK+wnYpjtdVFMA0GCSqGSIb3DQEBCwUAMCMxITAfBgNV\n" + + "BAMMGHNwcmluZy1zZWN1cml0eS1qd3QtdGVzdDAeFw0xODA0MTcwOTQ4MzVaFw0x\n" + + "ODA1MTcwOTQ4MzVaMCMxITAfBgNVBAMMGHNwcmluZy1zZWN1cml0eS1qd3QtdGVz\n" + + "dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMAETeEu2dGrEhI+tfki\n" + + "L7VFLh6KXf3353tQm2h1zcY/3COK2NJORC2dkhghVYJsfVwAySYWKECJjvrzMRQK\n" + + "m1scjuOQda2UdatAoRBVixj5jQfn2PE6xRyIyW/O97NHdhU2AzsLLeh3Sj415C3Y\n" + + "BhzuCtXy5ztXEByhoJQSr3OGUlZ4lDidRHSmR8Rp5FY6bNYT/fAL0MehKZihMXsH\n" + + "eDDI++4EWAHkqNKT4boC65suQyz6MUlBkmRBwj5Qnzn0wLfTbhOGMG6QsA3w5kG/\n" + + "vZ3qu0ND8JrT+oxa1eFWd4q9nFmDkxehXC+2SJ3Bt2gr18afKVEOzT4pmHe9HRD7\n" + + "rtUCAwEAAaNTMFEwHQYDVR0OBBYEFPM7mHoBTz7Bgyblen9oSqd6gCVTMB8GA1Ud\n" + + "IwQYMBaAFPM7mHoBTz7Bgyblen9oSqd6gCVTMA8GA1UdEwEB/wQFMAMBAf8wDQYJ\n" + + "KoZIhvcNAQELBQADggEBAGfx6+D8YpYVHYbB9mdUDVmFKEq3rFBKaHXL8fDceHUi\n" + + "GOAG0dLqP+lxx/pPsgfW8dnu1h/I5+cvOsj/YmwLMlodhrGN0XpaWmATz7+ikif3\n" + + "VGGNXIWl/km+r30M4diFnSnycjYaOJdBqhLIkQd/w/JFFJ5J+C5b2281jYGw6Y1F\n" + + "Kq3pqLlQVCnQhcnDroCtwLK78hG7yZasYVBnjKilSkMB1k14Kfq8WUR3NsODRiXg\n" + + "EP+KsWrwS5l/cyUzkWDKgOvmlWeqSWp95WGhewuVAs34W0hzdT3JDd4TIX3NWMuw\n" + + "i9txCbagsrq/2+rKgsasCPlcQwFw6Umzd73HuqiHmoM=\n" + + "-----END CERTIFICATE-----\n"; + } diff --git a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java index 27e8dbb46..da83c9bc3 100644 --- a/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java +++ b/spring-security-jwt/src/test/java/org/springframework/security/jwt/crypto/sign/RsaSigningTests.java 
@@ -12,12 +12,12 @@ */ package org.springframework.security.jwt.crypto.sign; -import static org.junit.Assert.assertNotNull; - import org.junit.Test; import org.springframework.security.jwt.codec.Codecs; import org.springframework.security.jwt.crypto.cipher.RsaTestKeyData; +import static org.junit.Assert.assertNotNull; + /** * @author Luke Taylor */ @@ -35,6 +35,12 @@ public void rsaSignerValidKeyWithWhitespace() throws Exception { assertNotNull(signer); } + @Test + public void rsaVerifierValidKeyWithoutComment() throws Exception { + RsaVerifier verifier = new RsaVerifier(RsaTestKeyData.SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT); + assertNotNull(verifier); + } + @Test public void keysFromPrivateAndPublicKeyStringDataAreCorrect() throws Exception { // Do a test sign and verify @@ -56,5 +62,8 @@ public void keysFromPrivateAndPublicKeyStringDataAreCorrect() throws Exception { verifier = new RsaVerifier(RsaTestKeyData.SSH_PUBLIC_KEY_OPENSSL_PEM_STRING); verifier.verify(content, signed); + + verifier = new RsaVerifier(RsaTestKeyData.SSH_X509_CERTIFICATE_PEM_STRING); + verifier.verify(content, signed); } } diff --git a/spring-security-oauth/pom.xml b/spring-security-oauth/pom.xml index 2adee4f91..7ea72e61d 100644 --- a/spring-security-oauth/pom.xml +++ b/spring-security-oauth/pom.xml @@ -4,7 +4,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT spring-security-oauth @@ -169,7 +169,7 @@ org.apache.httpcomponents httpclient - 4.5.10 + 4.5.13 diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java index 0e917b772..393f6c3e2 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthCodec.java 
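Review bot: `rsaVerifierValidKeyWithoutComment` asserts only `assertNotNull(verifier)`, which cannot fail once the constructor has returned. The test therefore shows that parsing does not throw, but not that the parsed key is the right one. The visible tail of `SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT` matches the existing commented key, so it appears to carry the same key material. The verifier could then join the sign-and-verify sequence in keysFromPrivateAndPublicKeyStringDataAreCorrect: `verifier = new RsaVerifier(RsaTestKeyData.SSH_PUBLIC_KEY_STRING_WITHOUT_COMMENT); verifier.verify(content, signed);`. A negative test that expects an exception for a key string with non-base64 characters appended would pin the relaxed pattern's boundary.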
@@ -25,8 +25,12 @@ /** * Utility for parameter encoding according to the OAuth spec. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthCodec extends URLCodec { protected static final BitSet SAFE_CHARACTERS = (BitSet) URLCodec.WWW_FORM_URL.clone(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java index 91127a909..66e6bc1f5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthConsumerParameter.java @@ -19,8 +19,12 @@ /** * Enumeration for consumer parameters. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public enum OAuthConsumerParameter { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java index fc6e727a5..9c8b44a6a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthException.java @@ -20,10 +20,14 @@ /** * Base exception for OAuth processing. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class OAuthException extends AuthenticationException { public OAuthException(String message) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java index fdcd0ceae..af5c8be4d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/OAuthProviderParameter.java @@ -19,8 +19,12 @@ /** * Parameters that can be used by the provider. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public enum OAuthProviderParameter { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java index 87ed8e914..e2a2045c9 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/StringSplitUtils.java @@ -10,7 +10,12 @@ /** * Provides several String manipulation methods. Copied from deleted org.springframework.security.util.StringSplitUtils + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * */ +@Deprecated public class StringSplitUtils { private static final String[] EMPTY_STRING_ARRAY = new String[0]; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java index 0e736d7b1..b8abb0940 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/CoreOAuthSignatureMethodFactory.java @@ -30,8 +30,12 @@ /** * Implements the signatures defined in OAuth Core 1.0. By default, PLAINTEXT signatures are not supported * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class CoreOAuthSignatureMethodFactory implements OAuthSignatureMethodFactory { private boolean supportPlainText = false; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java index 6fb680f6b..baf4c0b52 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/HMAC_SHA1SignatureMethod.java @@ -29,8 +29,12 @@ /** * HMAC-SHA1 signature method. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class HMAC_SHA1SignatureMethod implements OAuthSignatureMethod { private static final Log LOG = LogFactory.getLog(HMAC_SHA1SignatureMethod.class); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java index 260bee365..0ff6d2cb5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/InvalidSignatureException.java @@ -21,9 +21,13 @@ /** * Thrown when a signature is invalid. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class InvalidSignatureException extends OAuthException { public InvalidSignatureException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java index 348684003..883439681 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethod.java @@ -17,8 +17,12 @@ package org.springframework.security.oauth.common.signature; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthSignatureMethod { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java index 00f015391..7aed490ca 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/OAuthSignatureMethodFactory.java @@ -19,8 +19,12 @@ /** * Factory for signature methods. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthSignatureMethodFactory { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java index 31e6eae7d..673b24f60 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/PlainTextSignatureMethod.java @@ -21,8 +21,12 @@ /** * Plain text signature method. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class PlainTextSignatureMethod implements OAuthSignatureMethod { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java index 21b49bcd1..e4c1d8a68 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSAKeySecret.java @@ -32,9 +32,13 @@ /** * Signature secret for RSA. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class RSAKeySecret implements SignatureSecret { private final PrivateKey privateKey; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java index 0c6a6cec9..f027f84df 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/RSA_SHA1SignatureMethod.java @@ -25,8 +25,12 @@ * RSA-SHA1 signature method. The RSA-SHA1 signature method uses the RSASSA-PKCS1-v1_5 signature algorithm as defined in RFC3447 * section 8.2 (more simply known as PKCS#1), using SHA-1 as the hash function for EMSA-PKCS1-v1_5. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class RSA_SHA1SignatureMethod implements OAuthSignatureMethod { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java index 7b5250506..ad433b5f5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SaltedConsumerSecret.java @@ -3,8 +3,12 @@ /** * Marker interface for indicating that a consumer secret has some salt. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface SaltedConsumerSecret { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java index e2b4accdc..ef627ccf3 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecret.java @@ -19,9 +19,13 @@ /** * A signature secret that consists of a consumer secret and a token secret. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Aliaksandr Autayeu */ +@Deprecated public interface SharedConsumerSecret extends SignatureSecret { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java index dff207c00..6eb66901f 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SharedConsumerSecretImpl.java @@ -19,9 +19,13 @@ /** * Default implementation of a signature secret. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class SharedConsumerSecretImpl implements SharedConsumerSecret { private final String consumerSecret; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java index 8110de2a9..44cde648b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecret.java @@ -20,9 +20,13 @@ /** * Marker interface for OAuth signature secrets. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public interface SignatureSecret extends Serializable { } diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java index 7702c508d..874e3624b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/SignatureSecretEditor.java @@ -20,9 +20,13 @@ /** * A signature secret that consists of a consumer secret and a tokent secret. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class SignatureSecretEditor extends PropertyEditorSupport { public void setAsText(String text) throws IllegalArgumentException { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java index 88f1a4782..be7852485 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/common/signature/UnsupportedSignatureMethodException.java @@ -17,9 +17,13 @@ package org.springframework.security.oauth.common.signature; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnsupportedSignatureMethodException extends RuntimeException { public UnsupportedSignatureMethodException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java index 7d5e17c96..2922fad7e 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConfigUtils.java @@ -23,8 +23,12 @@ /** * Common place for OAuth namespace configuration utils. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class ConfigUtils { private static final Method createMatcherMethod3x = ReflectionUtils.findMethod( MatcherType.class, "createMatcher", String.class, String.class); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java index 50f29b4ac..ad3c1e247 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerDetailsFactoryBean.java @@ -32,9 +32,13 @@ import org.springframework.security.oauth.provider.ConsumerDetails; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Dave Syer * */ +@Deprecated public class ConsumerDetailsFactoryBean implements FactoryBean, ResourceLoaderAware { private static final Log logger = LogFactory.getLog(ConsumerDetailsFactoryBean.class); @@ -92,14 +96,14 @@ public ConsumerDetails getObject() throws Exception { consumer.setSignatureSecret(new RSAKeySecret(cert.getPublicKey())); } catch (IOException e) { - throw new BeanCreationException("RSA certificate not found at " + secret + ".", + throw new BeanCreationException("RSA certificate not found", e); } catch (CertificateException e) { - throw new BeanCreationException("Invalid RSA certificate at " + secret + ".", e); + throw new BeanCreationException("Invalid RSA certificate", e); } catch (NullPointerException e) { - throw new BeanCreationException("Could not load RSA certificate at " + secret + ".", e); + throw new BeanCreationException("Could not load RSA certificate", e); } finally { try { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java index d8cfba0d1..3f03de13c 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ConsumerServiceBeanDefinitionParser.java @@ -29,10 +29,14 @@ import org.w3c.dom.Element; /** + *
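Review bot: The three `catch` branches no longer put `secret` in the message, but each still passes `e` as the cause, so any location text the underlying loader writes into its own exception message can still reach logs and stack traces. The loading call is outside this hunk, so that is worth confirming. A one-line comment above the first `throw`, such as `// secret is left out on purpose: exception messages end up in logs`, would keep a later edit from restoring it, and the same applies to the `UnverifiedRequestTokenException` message changed in CoreOAuthConsumerSupport. Separately, `catch (NullPointerException e)` hides which reference was null; an explicit check before the `try` would state the precondition. getObject() starts and ends outside the hunk.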

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall * @author Dave Syer */ +@Deprecated public class ConsumerServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java index 30e4118ac..0bc457f54 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ExpressionHandlerBeanDefinitionParser.java @@ -21,9 +21,13 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class ExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java index 004fc87d5..c984e495a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthConsumerBeanDefinitionParser.java @@ -34,10 +34,14 @@ /** * Parser for the OAuth "consumer" element. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall * @author Luke Taylor */ +@Deprecated public class OAuthConsumerBeanDefinitionParser implements BeanDefinitionParser { public BeanDefinition parse(Element element, ParserContext parserContext) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java index 5a1873e8c..6b1721050 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthProviderBeanDefinitionParser.java @@ -39,9 +39,13 @@ /** * Parser for the OAuth "provider" element. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class OAuthProviderBeanDefinitionParser implements BeanDefinitionParser { public BeanDefinition parse(Element element, ParserContext parserContext) { @@ -203,7 +207,7 @@ private int insertIndex(List filterChain) { BeanMetadataElement filter = filterChain.get(i); if (filter instanceof BeanDefinition) { String beanName = ((BeanDefinition) filter).getBeanClassName(); - if (beanName.equals(ExceptionTranslationFilter.class.getName())) { + if (ExceptionTranslationFilter.class.getName().equals(beanName)) { return i + 1; } } diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java index 91cdaba92..f45565316 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/OAuthSecurityNamespaceHandler.java @@ -19,8 +19,12 @@ import org.springframework.beans.factory.xml.NamespaceHandlerSupport; /** + *
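Review bot: The constant-first `equals` in `insertIndex` now tolerates a null from `getBeanClassName()`, but nothing on the line says that null is expected, and the local is named `beanName` although it holds a class name. A short comment such as `// getBeanClassName() may be null, e.g. for a definition that names a factory bean instead of a class` and renaming the local to `beanClassName` would make the intent clear. The loop header and the rest of insertIndex lie outside the hunk.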

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthSecurityNamespaceHandler extends NamespaceHandlerSupport { public void init() { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java index ac4cdb905..4e77bbc56 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsBeanDefinitionParser.java @@ -31,8 +31,12 @@ import java.util.Map; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class ProtectedResourceDetailsBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java index 81fe4856f..e10b20015 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/ProtectedResourceDetailsServiceFactoryBean.java @@ -12,8 +12,12 @@ /** * Factory bean for the resource details service. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class ProtectedResourceDetailsServiceFactoryBean extends AbstractFactoryBean { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java index 784a69790..a63e08ade 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/TokenServiceBeanDefinitionParser.java @@ -24,8 +24,12 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class TokenServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java index 8f85b150a..d280e5c3d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/config/VerifierServiceBeanDefinitionParser.java @@ -24,8 +24,12 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class VerifierServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java index c93385391..715973b2d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/AccessTokenRequiredException.java @@ -3,9 +3,13 @@ import org.springframework.security.authentication.InsufficientAuthenticationException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class AccessTokenRequiredException extends InsufficientAuthenticationException { private final ProtectedResourceDetails resource; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java index 7a35df339..53059dda2 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/BaseProtectedResourceDetails.java @@ -24,8 +24,12 @@ /** * Basic implementation of protected resource details. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class BaseProtectedResourceDetails implements ProtectedResourceDetails { private String id; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java index 3d50987c2..a0c188114 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InMemoryProtectedResourceDetailsService.java @@ -22,8 +22,12 @@ /** * Basic, in-memory implementation of a protected resource details service. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class InMemoryProtectedResourceDetailsService implements ProtectedResourceDetailsService { private Map resourceDetailsStore = new HashMap(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java index 4dfd1c010..8da4d544d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/InvalidOAuthRealmException.java @@ -18,10 +18,14 @@ /** * Thrown when a different realm appears to be the cause of the authorization failure. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class InvalidOAuthRealmException extends OAuthRequestFailedException { private final String requiredRealm; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java index fda9d13b5..4ae98786f 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerSupport.java @@ -24,8 +24,12 @@ /** * Consumer-side support for OAuth. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthConsumerSupport { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java index 6472e24f5..1e93577b5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthConsumerToken.java @@ -21,9 +21,13 @@ /** * Interface for a consumer-side OAuth token. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthConsumerToken implements Serializable { private static final long serialVersionUID = -4057986970456346647L; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java index 1e914cb36..60c735d05 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthRequestFailedException.java @@ -21,9 +21,13 @@ /** * Thrown when an OAuth request fails. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class OAuthRequestFailedException extends AccessDeniedException { public OAuthRequestFailedException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java index 3a5ce0789..7e2a5e34e 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContext.java @@ -6,8 +6,12 @@ /** * The OAuth 2 security context (for a specific user). * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthSecurityContext { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java index 6ed43ad66..f61b05497 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextHolder.java @@ -3,8 +3,12 @@ /** * Holder for the current OAuth security context. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthSecurityContextHolder { private static final ThreadLocal CURRENT_CONTEXT = new ThreadLocal(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java index 176240897..9a05d76b3 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/OAuthSecurityContextImpl.java @@ -4,8 +4,12 @@ import java.util.Map; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthSecurityContextImpl implements OAuthSecurityContext { private Map accessTokens; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java index 9e8ac672d..901137d4a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetails.java @@ -23,9 +23,13 @@ /** * Details about a protected resource. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public interface ProtectedResourceDetails { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java index f690fc042..a6c6037aa 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/ProtectedResourceDetailsService.java @@ -19,8 +19,12 @@ /** * Service for loading protected resource details. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface ProtectedResourceDetailsService { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java index 876f8c674..68cd47791 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/UnverifiedRequestTokenException.java @@ -19,9 +19,13 @@ /** * Thrown when an attempt is made to use an unverified request token. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnverifiedRequestTokenException extends OAuthRequestFailedException { public UnverifiedRequestTokenException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java index 65703bab5..cfec33cc0 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/CoreOAuthConsumerSupport.java @@ -52,9 +52,13 @@ * OAuth provider. A proxy will be selected, but it is assumed that the {@link javax.net.ssl.TrustManager}s * and other connection-related environment variables are already set up. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class CoreOAuthConsumerSupport implements OAuthConsumerSupport, InitializingBean { private static final Log logger = LogFactory.getLog(CoreOAuthConsumerSupport.class); @@ -134,7 +138,7 @@ public OAuthConsumerToken getAccessToken(ProtectedResourceDetails details, OAuth Map additionalParameters = new TreeMap(); if (details.isUse10a()) { if (verifier == null) { - throw new UnverifiedRequestTokenException("Unverified request token: " + requestToken); + throw new UnverifiedRequestTokenException("Unverified request token"); } additionalParameters.put(OAuthConsumerParameter.oauth_verifier.toString(), verifier); } diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java index 1f00bf42d..d7015365c 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthClientHttpRequestFactory.java @@ -20,8 +20,12 @@ /** * Request factory that extends all http requests with the OAuth credentials for a specific protected resource. * + *
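Review bot: The guard in `getAccessToken` rejects only a null `verifier`; an empty string would pass, be added to `additionalParameters` and be sent to the provider, which presumably fails later with a less specific error. If `verifier` is a `String`, the check could be `if (verifier == null || verifier.isEmpty())`. The method's signature and the rest of its body are outside the hunk.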

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthClientHttpRequestFactory implements ClientHttpRequestFactory { private final ClientHttpRequestFactory delegate; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java index 0d2e6b1fe..59d323394 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/client/OAuthRestTemplate.java @@ -9,8 +9,12 @@ /** * Rest template that is able to make OAuth-authenticated REST requests with the credentials of the provided resource. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthRestTemplate extends RestTemplate { private final ProtectedResourceDetails resource; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java index 776750baa..5d8612fa0 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerContextFilter.java @@ -65,8 +65,12 @@ /** * OAuth filter that establishes an OAuth security context. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthConsumerContextFilter implements Filter, InitializingBean, MessageSourceAware { public static final String ACCESS_TOKENS_DEFAULT_ATTRIBUTE = "OAUTH_ACCESS_TOKENS"; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java index 4a38aeecb..29674ce68 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/filter/OAuthConsumerProcessingFilter.java @@ -53,9 +53,13 @@ * When servicing a request that requires protected resources, this filter sets a request attribute (default "OAUTH_ACCESS_TOKENS") that contains * the list of {@link org.springframework.security.oauth.consumer.OAuthConsumerToken}s. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class OAuthConsumerProcessingFilter implements Filter, InitializingBean, MessageSourceAware { private static final Log LOG = LogFactory.getLog(OAuthConsumerProcessingFilter.class); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java index b7b242900..db424e879 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/DefaultOAuthURLStreamHandlerFactory.java @@ -26,8 +26,12 @@ /** * Default implementation. Assumes we're running on Sun's JVM. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class DefaultOAuthURLStreamHandlerFactory implements OAuthURLStreamHandlerFactory { public URLStreamHandler getHttpStreamHandler(ProtectedResourceDetails resourceDetails, OAuthConsumerToken accessToken, OAuthConsumerSupport support, String httpMethod, Map additionalParameters) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java index 321d27fea..055981f69 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpURLStreamHandler.java @@ -30,9 +30,13 @@ /** * Stream handler to handle the request stream to a protected resource over HTTP. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("restriction") +@Deprecated public class OAuthOverHttpURLStreamHandler extends sun.net.www.protocol.http.Handler { private final ProtectedResourceDetails resourceDetails; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java index 1f1dc3159..7646b0f5b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthOverHttpsURLStreamHandler.java @@ -30,9 +30,13 @@ /** * Stream handler to handle the request stream to a protected resource over HTTP. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("restriction") +@Deprecated public class OAuthOverHttpsURLStreamHandler extends sun.net.www.protocol.https.Handler { private final ProtectedResourceDetails resourceDetails; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java index 022d4719b..b34172184 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/net/OAuthURLStreamHandlerFactory.java @@ -26,8 +26,12 @@ /** * Factory for a OAuth URL stream handlers. * + *
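Review bot: The class Javadoc shown as context for OAuthOverHttpsURLStreamHandler still reads "over HTTP", although the class extends `sun.net.www.protocol.https.Handler`; the sentence appears to have been copied from OAuthOverHttpURLStreamHandler. Since this hunk already edits the comment, the summary should be corrected to `Stream handler to handle the request stream to a protected resource over HTTPS.` so the two handlers can be told apart in the generated documentation.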

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthURLStreamHandlerFactory { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java index fa8315175..208190451 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/NonceFactory.java @@ -19,8 +19,12 @@ /** * A nonce factory. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface NonceFactory { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java index ca22d5dca..af5906ad3 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/nonce/UUIDNonceFactory.java @@ -21,8 +21,12 @@ /** * Nonce factory that uses a UUID to generate the nonce. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class UUIDNonceFactory implements NonceFactory { public String generateNonce() { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java index bc218993d..b7b8a5fc1 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/HttpSessionOAuthRememberMeServices.java @@ -12,10 +12,14 @@ /** * Default implementation of the OAuth2 rememberme services. Just stores everything in the session by default. Storing * access token can be suppressed to reduce long-term expose of these tokens in the underlying HTTP session. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Alex Rau */ +@Deprecated public class HttpSessionOAuthRememberMeServices implements OAuthRememberMeServices { public static final String REMEMBERED_TOKENS_KEY = HttpSessionOAuthRememberMeServices.class.getName() diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java index 0d08b2513..4eb6e8e9a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/NoOpOAuthRememberMeServices.java @@ -10,9 +10,13 @@ * Basic, no-op implementation of the remember-me services. Not very useful in a 3-legged OAuth flow, but for a 2-legged * system where there are no request tokens to store in between requests it keeps the consumer stateless at the price of * obtaining a new access token for every request. - * + * + *
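Review bot: The summary sentence of the HttpSessionOAuthRememberMeServices Javadoc calls the class the "OAuth2 rememberme services", while the `@deprecated` tag added directly below it attributes the class to the OAuth 1.0 protocol, so the two statements contradict each other. Judging by the package (`oauth.consumer.rememberme`) the class belongs to the OAuth 1.0 consumer, so the summary should probably read `Default implementation of the OAuth rememberme services.` The same comment also says "long-term expose", which should be `long-term exposure`.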

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class NoOpOAuthRememberMeServices implements OAuthRememberMeServices { public Map loadRememberedTokens(HttpServletRequest request, HttpServletResponse response) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java index 905367c14..f68e45448 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/rememberme/OAuthRememberMeServices.java @@ -9,8 +9,12 @@ /** * Services for "remembering" the access tokens that have been obtained. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthRememberMeServices { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java index 9f488a0c8..847a212c3 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/HttpSessionBasedTokenServices.java @@ -27,8 +27,12 @@ /** * Stores the tokens in an HTTP session. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class HttpSessionBasedTokenServices implements OAuthConsumerTokenServices { public static final String KEY_PREFIX = "OAUTH_TOKEN"; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java index a97c11a8b..40422998f 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/consumer/token/OAuthConsumerTokenServices.java @@ -21,9 +21,13 @@ /** * Token services for an OAuth consumer. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthConsumerTokenServices { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java index 2f4a402ef..003bfb096 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/BaseConsumerDetails.java @@ -25,10 +25,14 @@ /** * Base implementation for consumer details. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ @SuppressWarnings("serial") +@Deprecated public class BaseConsumerDetails implements ResourceSpecificConsumerDetails, ExtraTrustConsumerDetails { private String consumerKey; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java index 3246e7e63..42597b46a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerAuthentication.java @@ -22,10 +22,14 @@ /** * Authentication for an OAuth consumer. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class ConsumerAuthentication extends AbstractAuthenticationToken { private final ConsumerDetails consumerDetails; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java index 48b983954..8c09f2926 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerCredentials.java @@ -21,9 +21,13 @@ /** * The credentials for an OAuth consumer request. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class ConsumerCredentials implements Serializable { private final String consumerKey; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java index 9756f19fa..a72b18fb5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetails.java @@ -25,8 +25,12 @@ /** * Provides core OAuth consumer information. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface ConsumerDetails extends Serializable { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java index 41c52a421..76031a77f 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ConsumerDetailsService.java @@ -21,8 +21,12 @@ /** * A service that provides the details about an oauth consumer. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface ConsumerDetailsService { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java index d1ad40eda..dfda4d254 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/DefaultAuthenticationHandler.java @@ -9,8 +9,12 @@ /** * The default authentication handler. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class DefaultAuthenticationHandler implements OAuthAuthenticationHandler { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java index 4e5cd0d4c..7ec33d13b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ExtraTrustConsumerDetails.java @@ -19,8 +19,12 @@ /** * Consumer details for a specific resource. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface ExtraTrustConsumerDetails extends ConsumerDetails { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java index f8dc7cbd0..32be99d0c 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InMemoryConsumerDetailsService.java @@ -24,8 +24,12 @@ /** * Basic, in-memory implementation of the consumer details service. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class InMemoryConsumerDetailsService implements ConsumerDetailsService { private Map consumerDetailsStore = new HashMap(); @@ -33,7 +37,7 @@ public class InMemoryConsumerDetailsService implements ConsumerDetailsService { public ConsumerDetails loadConsumerByConsumerKey(String consumerKey) throws OAuthException { ConsumerDetails details = consumerDetailsStore.get(consumerKey); if (details == null) { - throw new InvalidOAuthParametersException("Consumer not found: " + consumerKey); + throw new InvalidOAuthParametersException("Consumer not found"); } return details; } diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java index de4753471..c26d3e776 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/InvalidOAuthParametersException.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.common.OAuthException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class InvalidOAuthParametersException extends OAuthException { public InvalidOAuthParametersException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java index 58ee7ee59..c7a9d4de0 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationDetails.java @@ -22,10 +22,14 @@ /** * Authentication details and includes the details of the OAuth consumer. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class OAuthAuthenticationDetails extends WebAuthenticationDetails { private final ConsumerDetails consumerDetails; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java index d0c277bb6..408a4b9c9 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthAuthenticationHandler.java @@ -8,8 +8,12 @@ /** * Callback interface for handing authentication details that are used when an authenticated request for a protected resource is received. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthAuthenticationHandler { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java index 8125ad077..9ce9becc1 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProcessingFilterEntryPoint.java @@ -28,8 +28,12 @@ /** * Entry point for OAuth authentication requests. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthProcessingFilterEntryPoint implements AuthenticationEntryPoint { private String realmName; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java index c44e0a177..6817bea5c 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthProviderSupport.java @@ -21,9 +21,13 @@ /** * Support logic for OAuth providers. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthProviderSupport { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java index ea6a20eca..aabf1722b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/OAuthVersionUnsupportedException.java @@ -17,9 +17,13 @@ package org.springframework.security.oauth.provider; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class OAuthVersionUnsupportedException extends InvalidOAuthParametersException { public OAuthVersionUnsupportedException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java index 0622281dc..474a5126a 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/ResourceSpecificConsumerDetails.java @@ -19,8 +19,12 @@ /** * Consumer details for a specific resource. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface ResourceSpecificConsumerDetails extends ConsumerDetails { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java index 8d77626bf..5f70c138e 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerKeysAllowed.java @@ -24,10 +24,14 @@ /** * The consumer keys that are allowed to access the specified method. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @Target ( { ElementType.TYPE, ElementType.METHOD } ) @Retention ( RetentionPolicy.RUNTIME ) +@Deprecated public @interface ConsumerKeysAllowed { String[] value(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java index 31ffbb298..9e727afc3 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerRolesAllowed.java @@ -24,10 +24,14 @@ /** * The consumer roles that are allowed to access the specified method. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @Target ( { ElementType.TYPE, ElementType.METHOD } ) @Retention ( RetentionPolicy.RUNTIME ) +@Deprecated public @interface ConsumerRolesAllowed { String[] value(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java index e6ad3e9b1..8d56db062 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityConfig.java @@ -20,10 +20,14 @@ /** * Security config for consumer authorization of a method. - * + * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class ConsumerSecurityConfig extends SecurityConfig { public static final ConsumerSecurityConfig DENY_ALL_ATTRIBUTE = new ConsumerSecurityConfig(DenyAllConsumers.class.getName(), null); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java index 8fcd6fe40..16d3d5e13 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityMetadataSource.java @@ -27,9 +27,13 @@ import java.lang.annotation.Annotation; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class ConsumerSecurityMetadataSource extends AbstractFallbackMethodSecurityMetadataSource { protected List findAttributes(Class clazz) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java index fc26ba7c1..94ee09b8e 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/ConsumerSecurityVoter.java @@ -26,9 +26,13 @@ import java.util.Collection; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class ConsumerSecurityVoter implements AccessDecisionVoter { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java index 667c097ab..9387c3c4b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/DenyAllConsumers.java @@ -24,9 +24,13 @@ /** * Annotation used to specify that a method is to be denied to all OAuth consumers. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @Target ( { ElementType.TYPE, ElementType.METHOD } ) @Retention ( RetentionPolicy.RUNTIME ) +@Deprecated public @interface DenyAllConsumers { } diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java index 859c105ee..11e705dba 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/attributes/PermitAllConsumers.java @@ -25,9 +25,13 @@ * Annotation used to specify that a method is to be permitted to all OAuth consumers. Note that just because * a consumer is permitted, that doesn't mean that the user that the consumer is representing is permitted. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @Target ( { ElementType.TYPE, ElementType.METHOD } ) @Retention ( RetentionPolicy.RUNTIME ) +@Deprecated public @interface PermitAllConsumers { } \ No newline at end of file diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java index 44d20e173..0f6c2e14f 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/expression/OAuthMethodSecurityExpressionHandler.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.provider.OAuthAuthenticationDetails; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class OAuthMethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler { @Override diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java index a35eddd76..52bc18003 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/AccessTokenProcessingFilter.java @@ -35,9 +35,13 @@ /** * Processing filter for handling a request for an OAuth access token. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class AccessTokenProcessingFilter extends OAuthProviderProcessingFilter { // The OAuth spec doesn't specify a content-type of the response. However, it's NOT diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java index 93cbb612b..90ca0488b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/CoreOAuthProviderSupport.java @@ -31,8 +31,12 @@ /** * Utility for common logic for supporting an OAuth provider. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class CoreOAuthProviderSupport implements OAuthProviderSupport { private final Set supportedOAuthParameters; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java index e317593c8..aac199e34 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/OAuthProviderProcessingFilter.java @@ -57,8 +57,12 @@ /** * OAuth processing filter. This filter should be applied to requests for OAuth protected resources (see OAuth Core 1.0). * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public abstract class OAuthProviderProcessingFilter implements Filter, InitializingBean, MessageSourceAware { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java index 9c75e1aa6..6d6252192 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/ProtectedResourceProcessingFilter.java @@ -41,9 +41,13 @@ * load a different authentication request into the security context). If the protected resource is available * ONLY via OAuth access token, set ignoreMissingCredentials to false. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class ProtectedResourceProcessingFilter extends OAuthProviderProcessingFilter { private boolean allowAllMethods = true; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java index f8df77f16..9128a4cb8 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UnauthenticatedRequestTokenProcessingFilter.java @@ -36,9 +36,13 @@ * Processing filter for handling a request for an OAuth token. The default implementation assumes a request for a new * unauthenticated request token. The default {@link #setFilterProcessesUrl(String) processes URL} is "/oauth_request_token". * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class UnauthenticatedRequestTokenProcessingFilter extends OAuthProviderProcessingFilter { // The OAuth spec doesn't specify a content-type of the response. However, it's NOT diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java index ecff6e192..317a2ff13 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationProcessingFilter.java @@ -39,9 +39,13 @@ * This filter looks for one request parameter for the token id that is being authorized. The * default name of the paramaters is "requestToken", but this can be configured. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class UserAuthorizationProcessingFilter extends AbstractAuthenticationProcessingFilter { protected static final String CALLBACK_ATTRIBUTE = UserAuthorizationProcessingFilter.class.getName() + "#CALLBACK"; @@ -76,12 +80,12 @@ public Authentication attemptAuthentication(HttpServletRequest request, HttpServ OAuthProviderToken token = getTokenServices().getToken(requestToken); if (token == null) { - throw new InvalidOAuthTokenException("No callback value has been provided for request token " + requestToken + "."); + throw new InvalidOAuthTokenException("No callback value has been provided for request token"); } String callbackURL = token.getCallbackUrl(); if (isRequire10a() && callbackURL == null) { - throw new InvalidOAuthTokenException("No callback value has been provided for request token " + requestToken + "."); + throw new InvalidOAuthTokenException("No callback value has been provided for request token"); } if (callbackURL != null) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java index c5558783f..0b228ad7b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/filter/UserAuthorizationSuccessfulAuthenticationHandler.java @@ -37,8 +37,12 @@ * success URL. Otherwise, the oauth_verifier and oauth_token parmeters are appended to the callback URL and the user * is redirected. * + *
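Review bot: In the `@@ -76,12 +80,12 @@` hunk of UserAuthorizationProcessingFilter, the `token == null` branch still throws "No callback value has been provided for request token", which describes the second branch (`callbackURL == null`) rather than an unknown token. With the token value removed from both messages, the two failures can no longer be told apart from the error text. I would change the first branch to `throw new InvalidOAuthTokenException("Invalid token");`, matching the wording this commit uses in RandomValueProviderTokenServices. attemptAuthentication starts and ends outside the hunk.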

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Andrew McCall */ +@Deprecated public class UserAuthorizationSuccessfulAuthenticationHandler extends SimpleUrlAuthenticationSuccessHandler { private static Log LOG = LogFactory.getLog(UserAuthorizationSuccessfulAuthenticationHandler.class); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java index 8e3cf38e1..ed53dfd64 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/ExpiringTimestampNonceServices.java @@ -28,8 +28,12 @@ * is older than the configured validity window, the nonce is not valid. The default validity window is * 12 hours. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class ExpiringTimestampNonceServices implements OAuthNonceServices { private long validityWindowSeconds = 60 * 60 * 12; //we'll default to a 12-hour validity window. diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java index a4e726949..1548017b8 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/InMemoryNonceServices.java @@ -37,9 +37,13 @@ * this class has a per request memory overhead. Keeping the validity window short helps prevent wasting a lot of * memory. 10 minutes that allows for minor variations in time between servers. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton * @author Jilles van Gurp */ +@Deprecated public class InMemoryNonceServices implements OAuthNonceServices { /** @@ -61,7 +65,7 @@ public void validateNonce(ConsumerDetails consumerDetails, long timestamp, Strin synchronized (NONCES) { if (NONCES.contains(entry)) { - throw new NonceAlreadyUsedException("Nonce already used: " + nonce); + throw new NonceAlreadyUsedException("Nonce already used"); } else { NONCES.add(entry); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java index 0a8d7845c..d728bbfe7 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NonceAlreadyUsedException.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.common.OAuthException; /** + *
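Review bot: A reused nonce is a replay indicator, and after the `@@ -61,7 +65,7 @@` change the `NONCES.contains(entry)` branch throws "Nonce already used" with nothing that identifies the request. Keeping the client-supplied value out of the exception text is reasonable, but nothing in the hunk records the event on the server side. I would log before the throw, naming the consumer rather than echoing the nonce, for example `LOG.warn("Replayed nonce for consumer " + consumerDetails.getConsumerKey());`, assuming the class has or gains a logger. The three "Invalid token" hunks in RandomValueProviderTokenServices lose their only identifier in the same way and would benefit from a log entry that omits the token itself. validateNonce starts and ends outside the hunk.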

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class NonceAlreadyUsedException extends OAuthException { public NonceAlreadyUsedException(String msg) { super(msg); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java index 084ad767c..6e8d86a03 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/NullNonceServices.java @@ -23,8 +23,12 @@ * No-op nonce services. Assumes all nonces are valid. This leaves the provider exposed to the dangers * of an unlimited timestamp validity window and OAuth request replay attacks. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class NullNonceServices implements OAuthNonceServices { public void validateNonce(ConsumerDetails consumerDetails, long timestamp, String nonce) throws AuthenticationException { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java index 2c5710bf6..62de9e723 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/nonce/OAuthNonceServices.java @@ -20,8 +20,12 @@ import org.springframework.security.oauth.provider.ConsumerDetails; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthNonceServices { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java index c29acbff0..0eaa0a9c7 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/ExpiredOAuthTokenException.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.common.OAuthException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class ExpiredOAuthTokenException extends OAuthException { public ExpiredOAuthTokenException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java index f35ced78c..d73132a5d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemoryProviderTokenServices.java @@ -21,8 +21,12 @@ /** * Implementation of TokenServices that stores tokens in memory. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class InMemoryProviderTokenServices extends RandomValueProviderTokenServices { protected final ConcurrentHashMap tokenStore = new ConcurrentHashMap(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java index 7a8ce4bf6..45e9c3baf 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InMemorySelfCleaningProviderTokenServices.java @@ -27,8 +27,12 @@ /** * Implementation of TokenServices that stores tokens in memory. The token services will schedule a thread to do cleaning up of expired tokens. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class InMemorySelfCleaningProviderTokenServices extends InMemoryProviderTokenServices implements DisposableBean { private ScheduledExecutorService scheduler; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java index b9984615a..7874c8b14 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/InvalidOAuthTokenException.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.common.OAuthException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class InvalidOAuthTokenException extends OAuthException { public InvalidOAuthTokenException(String msg) { diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java index c37038a8d..b8cbc9858 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthAccessProviderToken.java @@ -19,8 +19,12 @@ import org.springframework.security.core.Authentication; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthAccessProviderToken extends OAuthProviderToken { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java index 71cf6596b..375761ad5 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderToken.java @@ -19,8 +19,12 @@ import java.io.Serializable; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthProviderToken extends Serializable { /** * The value of the token. diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java index b8244dc39..3a9916897 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenImpl.java @@ -21,8 +21,12 @@ /** * Basic implementation for an OAuth token. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class OAuthProviderTokenImpl implements OAuthAccessProviderToken { private static final long serialVersionUID = -1794426591002744140L; diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java index 4dff7d643..db8f42a6b 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthProviderTokenServices.java @@ -20,8 +20,12 @@ import org.springframework.security.core.AuthenticationException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthProviderTokenServices { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java index a09738624..375ba701c 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleListener.java @@ -3,8 +3,12 @@ /** * Interface for listening to the lifecycle of a token. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthTokenLifecycleListener { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java index 16a46a7bb..f5906a084 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/OAuthTokenLifecycleRegistry.java @@ -7,8 +7,12 @@ /** * Interface for a registry of token lifecycle listeners. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthTokenLifecycleRegistry { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java index 6d8e4df96..67218cd99 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/token/RandomValueProviderTokenServices.java @@ -32,8 +32,12 @@ * This base implementation creates tokens that have an expiration. For request tokens, the default validity is * 10 minutes. For access tokens, the default validity is 12 hours. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public abstract class RandomValueProviderTokenServices implements OAuthProviderTokenServices, InitializingBean, OAuthTokenLifecycleRegistry { private Random random; @@ -80,7 +84,7 @@ public OAuthProviderToken getToken(String token) throws AuthenticationException OAuthProviderTokenImpl tokenImpl = readToken(token); if (tokenImpl == null) { - throw new InvalidOAuthTokenException("Invalid token: " + token); + throw new InvalidOAuthTokenException("Invalid token"); } else if (isExpired(tokenImpl)) { removeToken(token); @@ -134,7 +138,7 @@ public void authorizeRequestToken(String requestToken, String verifier, Authenti OAuthProviderTokenImpl tokenImpl = readToken(requestToken); if (tokenImpl == null) { - throw new InvalidOAuthTokenException("Invalid token: " + requestToken); + throw new InvalidOAuthTokenException("Invalid token"); } else if (isExpired(tokenImpl)) { removeToken(requestToken); @@ -155,7 +159,7 @@ public OAuthAccessProviderToken createAccessToken(String requestToken) throws Au OAuthProviderTokenImpl tokenImpl = readToken(requestToken); if (tokenImpl == null) { - throw new InvalidOAuthTokenException("Invalid token: " + requestToken); + throw new InvalidOAuthTokenException("Invalid token"); } else if (isExpired(tokenImpl)) { removeToken(requestToken); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java index a775b9449..020ba3a5d 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/OAuthVerifierServices.java 
@@ -3,8 +3,12 @@ /** * Service for generating a verifier. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public interface OAuthVerifierServices { /** diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java index db3f26040..a163cec47 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/RandomValueVerifierServices.java @@ -8,8 +8,12 @@ /** * Basic implementation of the verifier services that creates a random-value verifier and stores it in an in-memory map. * + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ +@Deprecated public class RandomValueVerifierServices implements OAuthVerifierServices, InitializingBean { private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".toCharArray(); diff --git a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java index 2c8a04a88..986218f40 100644 --- a/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java +++ b/spring-security-oauth/src/main/java/org/springframework/security/oauth/provider/verifier/VerificationFailedException.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth.common.OAuthException; /** + *

+ * @deprecated The OAuth 1.0 Protocol RFC 5849 is obsoleted by the OAuth 2.0 Authorization Framework RFC 6749. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class VerificationFailedException extends OAuthException { public VerificationFailedException(String msg) { super(msg); diff --git a/spring-security-oauth2/pom.xml b/spring-security-oauth2/pom.xml index d499e47de..c3bc56706 100644 --- a/spring-security-oauth2/pom.xml +++ b/spring-security-oauth2/pom.xml @@ -5,7 +5,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT spring-security-oauth2 @@ -13,10 +13,9 @@ Module for providing OAuth2 support to Spring Security - 1.9.13 - 2.9.10 + 2.10.5.1 3.0.1 - 1.0.11.RELEASE + 1.1.1.RELEASE 1.7.4 @@ -24,7 +23,7 @@ spring5 - 2.9.10 + 2.10.5.1 3.1.0 1.6.1 @@ -150,12 +149,6 @@ commons-codec - - org.codehaus.jackson - jackson-mapper-asl - ${jackson1.version} - - org.springframework.data spring-data-redis @@ -173,7 +166,7 @@ com.fasterxml.jackson.core jackson-annotations - ${jackson2.version} + 2.10.5 true @@ -187,7 +180,7 @@ org.apache.httpcomponents httpclient - 4.5.10 + 4.5.13 true diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java index dc4657c2e..18b737279 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContext.java 
@@ -1,8 +1,8 @@ package org.springframework.security.oauth2.client; import java.io.Serializable; -import java.util.HashMap; import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; import org.springframework.security.oauth2.client.token.AccessTokenRequest; import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest; @@ -10,9 +10,13 @@ /** * The OAuth 2 security context (for a specific user or client or combination thereof). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class DefaultOAuth2ClientContext implements OAuth2ClientContext, Serializable { private static final long serialVersionUID = 914967629530462926L; @@ -21,7 +25,7 @@ public class DefaultOAuth2ClientContext implements OAuth2ClientContext, Serializ private AccessTokenRequest accessTokenRequest; - private Map state = new HashMap(); + private Map state = new ConcurrentHashMap(); public DefaultOAuth2ClientContext() { this(new DefaultAccessTokenRequest()); @@ -50,6 +54,7 @@ public AccessTokenRequest getAccessTokenRequest() { } public void setPreservedState(String stateKey, Object preservedState) { + state.clear(); state.put(stateKey, preservedState); } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java index a6114b9fe..c6b8d5a26 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/DefaultOAuth2RequestAuthenticator.java @@ -20,9 +20,13 @@ import org.springframework.util.StringUtils; /** + *
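Review bot: Switching `state` to `ConcurrentHashMap` in the `@@ -21,7 +25,7 @@` hunk changes the null contract of `setPreservedState`, because `ConcurrentHashMap.put` throws `NullPointerException` for a null key or value where the previous `HashMap` accepted both. The `state.clear()` added in the `@@ -50,6 +54,7 @@` hunk and the `state.put(...)` after it are two separate operations, so a concurrent reader can see an empty map between them; presumably that makes a state lookup fail rather than succeed, but the reading method is outside these hunks. I would document both on the setter: `// Only the most recent state is kept, so stale entries cannot accumulate; stateKey and preservedState must be non-null.` If any caller can pass null, an explicit `Assert.notNull` with a message would be clearer than the bare NPE.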

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultOAuth2RequestAuthenticator implements OAuth2RequestAuthenticator { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java index 9af13b874..dc02aaf3a 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2ClientContext.java @@ -16,9 +16,13 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface OAuth2ClientContext { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java index 6b668bd6b..4cbed416d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RequestAuthenticator.java @@ -17,9 +17,13 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface OAuth2RequestAuthenticator { void authenticate(OAuth2ProtectedResourceDetails resource, OAuth2ClientContext clientContext, ClientHttpRequest request); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java index 8a3967f7e..839f5fd77 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestOperations.java @@ -22,9 +22,13 @@ import org.springframework.web.client.RestOperations; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface OAuth2RestOperations extends RestOperations { OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java index e44efd15b..3f8c18452 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/OAuth2RestTemplate.java @@ -2,10 +2,12 @@ import java.io.IOException; import java.io.UnsupportedEncodingException; +import java.lang.reflect.Field; import java.net.URI; import java.net.URISyntaxException; import java.net.URLEncoder; import java.util.Arrays; +import java.util.Calendar; import org.springframework.http.HttpMethod; import org.springframework.http.client.ClientHttpRequest; @@ -24,6 +26,8 @@ import org.springframework.security.oauth2.common.AuthenticationScheme; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; +import org.springframework.util.Assert; +import org.springframework.util.ReflectionUtils; import org.springframework.web.client.RequestCallback; import org.springframework.web.client.ResponseErrorHandler; import org.springframework.web.client.ResponseExtractor; @@ -32,10 +36,14 @@ /** * Rest template that is able to make OAuth2-authenticated REST requests with the credentials of the provided resource. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class OAuth2RestTemplate extends RestTemplate implements OAuth2RestOperations { private final OAuth2ProtectedResourceDetails resource; @@ -50,6 +58,8 @@ public class OAuth2RestTemplate extends RestTemplate implements OAuth2RestOperat private OAuth2RequestAuthenticator authenticator = new DefaultOAuth2RequestAuthenticator(); + private int clockSkew = 30; + public OAuth2RestTemplate(OAuth2ProtectedResourceDetails resource) { this(resource, new DefaultOAuth2ClientContext()); } @@ -168,7 +178,7 @@ public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException { OAuth2AccessToken accessToken = context.getAccessToken(); - if (accessToken == null || accessToken.isExpired()) { + if (accessToken == null || hasTokenExpired(accessToken)) { try { accessToken = acquireAccessToken(context); } @@ -189,6 +199,16 @@ public OAuth2AccessToken getAccessToken() throws UserRedirectRequiredException { return accessToken; } + private boolean hasTokenExpired(OAuth2AccessToken accessToken) { + Calendar now = Calendar.getInstance(); + Calendar expiresAt = (Calendar) now.clone(); + if (accessToken.getExpiration() != null) { + expiresAt.setTime(accessToken.getExpiration()); + expiresAt.add(Calendar.SECOND, -this.clockSkew); + } + return now.after(expiresAt); + } + /** * @return the context for this template */ 
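Review bot: The private `hasTokenExpired` added in the `@@ -189,6 +199,16 @@` hunk has no comment, while the identical copy added to `AccessTokenProviderChain` later in this diff carries Javadoc, and two undocumented copies of an expiry rule can drift apart. The non-obvious parts are that a token with a null expiration is never treated as expired (`expiresAt` stays equal to `now`) and that `clockSkew` is subtracted, so by default a token is replaced up to 30 seconds before its stated expiry. I would add `/** Returns true once the token is within clockSkew seconds of its expiration; a token without an expiration never expires. */` above the method. The `Calendar` arithmetic could also be one millisecond comparison, `Date exp = accessToken.getExpiration(); return exp != null && System.currentTimeMillis() > exp.getTime() - this.clockSkew * 1000L;`.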
@@ -269,6 +289,42 @@ protected URI appendQueryParameter(URI uri, OAuth2AccessToken accessToken) { public void setAccessTokenProvider(AccessTokenProvider accessTokenProvider) { this.accessTokenProvider = accessTokenProvider; + propagateClockSkewToAccessTokenProvider(this.clockSkew, accessTokenProvider); + } + + /** + * Sets the maximum acceptable clock skew, which is used when checking the + * {@link OAuth2AccessToken access token} expiry. The default is 30 seconds. + * + * @param clockSkew the maximum acceptable clock skew + */ + public void setClockSkew(int clockSkew) { + Assert.isTrue(clockSkew >= 0, "clockSkew must be >= 0"); + this.clockSkew = clockSkew; + propagateClockSkewToAccessTokenProvider(clockSkew, this.accessTokenProvider); } -} + /** + * Propagates the maximum acceptable clock skew, which is used when checking the + * {@link OAuth2AccessToken access token} expiry into the given {@link AccessTokenProvider} if it is an instance of + * {@link AccessTokenProviderChain}. + *

+ * Note: The clock skew value is injected via reflection as version 2.5.0 was the final minor release before EOL of + * this project and the public API must not be changed in patch releases. + * + * @param clockSkew the maximum acceptable clock skew + * @param accessTokenProvider the access token provider + */ + private static void propagateClockSkewToAccessTokenProvider(int clockSkew, AccessTokenProvider accessTokenProvider) { + if (!(accessTokenProvider instanceof AccessTokenProviderChain)) { + return; + } + + Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew"); + if (field == null) { + return; + } + field.setAccessible(true); + ReflectionUtils.setField(field, accessTokenProvider, clockSkew); + } +} \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java index 2ec7938e2..43caf5989 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderConfiguration.java @@ -21,11 +21,15 @@ /** * Configuration information for an OAuth 2.0 Provider. * + *
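Review bot: `propagateClockSkewToAccessTokenProvider` looks the field up by name on `accessTokenProvider.getClass()` and returns silently when it is absent. A subclass of `AccessTokenProviderChain` that declares its own `clockSkew` field of an incompatible type would likely make `setField` throw, and a renamed field would leave the template and the chain checking expiry with different skews without any signal. Pinning the lookup to the declaring class and type avoids the first case: `Field field = ReflectionUtils.findField(AccessTokenProviderChain.class, "clockSkew", int.class);`. For the second, a debug log in the `field == null` branch would make the mismatch visible. The `setClockSkew` Javadoc should also state the unit: `@param clockSkew the maximum acceptable clock skew, in seconds`.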

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja * @since 2.2 * @see ProviderDiscoveryClient * @see OpenID Connect Discovery 1.0 */ +@Deprecated public class ProviderConfiguration { private URL issuer; private URL authorizationEndpoint; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java index 7f456a6d5..d33fa7c97 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/discovery/ProviderDiscoveryClient.java @@ -31,11 +31,15 @@ * NOTE: This is a partial implementation that only discovers a small subset * of the available provider configuration information. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja * @since 2.2 * @see ProviderConfiguration * @see OpenID Connect Discovery 1.0 */ +@Deprecated public class ProviderDiscoveryClient { private static final String PROVIDER_END_PATH = "/.well-known/openid-configuration"; private static final String ISSUER_ATTR_NAME = "issuer"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java index 9d3c4f0ed..a32ccd1cc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2AuthenticationFailureEvent.java @@ -4,7 +4,13 @@ import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent; import org.springframework.security.core.AuthenticationException; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ @SuppressWarnings("serial") +@Deprecated public class OAuth2AuthenticationFailureEvent extends AbstractAuthenticationFailureEvent { public OAuth2AuthenticationFailureEvent(AuthenticationException exception) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java index aeb8f477e..39e693bb0 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientAuthenticationProcessingFilter.java @@ -46,10 +46,14 @@ /** * An OAuth2 client filter that can be used to acquire an OAuth2 access token from an authorization server, and load an * authentication object into the SecurityContext - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Vidya Valmikinathan * */ +@Deprecated public class OAuth2ClientAuthenticationProcessingFilter extends AbstractAuthenticationProcessingFilter { public OAuth2RestOperations restTemplate; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java index 2aa69c30c..42ce00370 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/OAuth2ClientContextFilter.java @@ -27,10 +27,14 @@ /** * Security filter for an OAuth2 client. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class OAuth2ClientContextFilter implements Filter, InitializingBean { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java index 94af21a2c..7bf3bb131 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/DefaultStateKeyGenerator.java @@ -16,9 +16,13 @@ import org.springframework.security.oauth2.common.util.RandomValueStringGenerator; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultStateKeyGenerator implements StateKeyGenerator { private RandomValueStringGenerator generator = new RandomValueStringGenerator(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java index 81cbd9511..bb904f7e0 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/filter/state/StateKeyGenerator.java @@ -17,10 +17,14 @@ /** * Stategy for generating random keys for state. The state key is important protection for client apps against * cross-site request forgery. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface StateKeyGenerator { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java index fc4d42f72..e8509a6f9 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/AccessTokenRequiredException.java @@ -4,9 +4,13 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class AccessTokenRequiredException extends InsufficientAuthenticationException { private final OAuth2ProtectedResourceDetails resource; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java index 8b2b42038..cfb495cfd 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/OAuth2ErrorHandler.java @@ -37,8 +37,13 @@ /** * Error handler specifically for an oauth 2 response. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class OAuth2ErrorHandler implements ResponseErrorHandler { private final ResponseErrorHandler errorHandler; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java index 6eab12a45..e2c592e73 100755 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/http/StringSplitUtils.java @@ -10,7 +10,12 @@ /** * Provides several String manipulation methods. Copied from deleted org.springframework.security.util.StringSplitUtils + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * */ +@Deprecated public class StringSplitUtils { private static final String[] EMPTY_STRING_ARRAY = new String[0]; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java index 3608eb1f4..788b0b45e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/BaseOAuth2ProtectedResourceDetails.java @@ -7,9 +7,13 @@ import org.springframework.util.StringUtils; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class BaseOAuth2ProtectedResourceDetails implements OAuth2ProtectedResourceDetails { private String id; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java index 072748cb6..0037c7d40 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2AccessDeniedException.java @@ -5,11 +5,15 @@ /** * When access is denied we usually want a 403, but we want the same treatment as all the other OAuth2Exception types, * so this is not a Spring Security AccessDeniedException. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class OAuth2AccessDeniedException extends OAuth2Exception { private OAuth2ProtectedResourceDetails resource; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java index a539f758d..145ae383d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/OAuth2ProtectedResourceDetails.java @@ -6,10 +6,14 @@ /** * Details for an OAuth2-protected resource. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public interface OAuth2ProtectedResourceDetails { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java index f885264d8..d7505f946 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserApprovalRequiredException.java @@ -20,11 +20,15 @@ /** * Exception indicating that user approval is required, with some indication of how to signal the approval. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @SuppressWarnings("serial") +@Deprecated public class UserApprovalRequiredException extends RuntimeException { private final String approvalUri; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java index 3146d9199..6b8a60b9b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/resource/UserRedirectRequiredException.java @@ -4,10 +4,14 @@ /** * Special exception thrown when a user redirect is required in order to obtain an OAuth2 access token. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UserRedirectRequiredException extends RuntimeException { private final String redirectUri; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java index 1fa2fbdd3..a289eb6ee 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/BeforeOAuth2Context.java @@ -21,11 +21,15 @@ * Marker annotation for methods to be run before the OAuth2Context is setup by the {@link OAuth2ContextSetup} rule, and * consequently before the regular JUnit @Before methods, which are executed only after the * OAuth2Context is setup. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD) +@Deprecated public @interface BeforeOAuth2Context { } \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java index e4bf56ed4..06a68b5db 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextConfiguration.java @@ -30,12 +30,16 @@ * Annotation to signal that an OAuth2 authentication should be created and and provided to the enclosing scope (method * or class). Used at the class level it will apply to all test methods (and {@link BeforeOAuth2Context} initializers). * Used at the method level it will apply only to the method, overriding any value found on the enclosing class. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Retention(RetentionPolicy.RUNTIME) @Target({ ElementType.TYPE, ElementType.METHOD }) +@Deprecated public @interface OAuth2ContextConfiguration { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java index 1f0db2cbc..9633ef9cf 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/OAuth2ContextSetup.java @@ -92,11 +92,15 @@ * * @see OAuth2ContextConfiguration * @see BeforeOAuth2Context - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @SuppressWarnings("deprecation") +@Deprecated public class OAuth2ContextSetup extends TestWatchman { private static Log logger = LogFactory.getLog(OAuth2ContextSetup.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java index c14aabf5f..db8f9b513 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/RestTemplateHolder.java @@ -16,10 +16,14 @@ /** * Marker interface for an object that has a getter and setter for a {@link RestOperations}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface RestTemplateHolder { void setRestTemplate(RestOperations restTemplate); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java index 782532ce7..8d9706e53 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/test/TestAccounts.java @@ -17,9 +17,13 @@ import org.springframework.security.oauth2.client.token.grant.password.ResourceOwnerPasswordResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface TestAccounts { String getUserName(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java index bd3e3a382..a803c3df6 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProvider.java @@ -24,10 +24,14 @@ /** * A strategy which knows how to obtain an access token for a specific resource. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public interface AccessTokenProvider { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java index 86e5abc0e..51cc6c9f3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChain.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2011 the original author or authors. + * Copyright 2002-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -15,6 +15,7 @@ */ package org.springframework.security.oauth2.client.token; +import java.util.Calendar; import java.util.Collections; import java.util.List; @@ -36,9 +37,13 @@ * chain to find the first provider that supports the resource and use it to obtain the * access token. Note that the order of the chain is relevant. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class AccessTokenProviderChain extends OAuth2AccessTokenSupport implements AccessTokenProvider { @@ -46,6 +51,8 @@ public class AccessTokenProviderChain extends OAuth2AccessTokenSupport private ClientTokenServices clientTokenServices; + private int clockSkew = 30; + public AccessTokenProviderChain(List chain) { this.chain = chain == null ? Collections. emptyList() : Collections.unmodifiableList(chain); @@ -100,7 +107,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails resour } if (existingToken != null) { - if (existingToken.isExpired()) { + if (hasTokenExpired(existingToken)) { if (clientTokenServices != null) { clientTokenServices.removeAccessToken(resource, auth); } @@ -184,4 +191,20 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou resource); } + /** + * Checks if the given {@link OAuth2AccessToken access token} should be considered to have expired based on the + * token's expiration time and the clock skew. + * + * @param token the token to be checked + * @return true if the token should be considered expired, false otherwise + */ + private boolean hasTokenExpired(OAuth2AccessToken token) { + Calendar now = Calendar.getInstance(); + Calendar expiresAt = (Calendar) now.clone(); + if (token.getExpiration() != null) { + expiresAt.setTime(token.getExpiration()); + expiresAt.add(Calendar.SECOND, -this.clockSkew); + } + return now.after(expiresAt); + } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java index 85d0c2a67..02c23baf8 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java 
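Review bot: The `private int clockSkew = 30;` field added in the `@@ -46,6 +51,8 @@` hunk has no comment and, as far as these hunks show, no setter, yet `OAuth2RestTemplate` in this same diff writes it reflectively by the string name `"clockSkew"`. Nothing in this class tells a maintainer that the field's name and `int` type are part of that contract, so a later rename would silently stop the propagation. I would add a comment on the field: `// Seconds subtracted from the token expiry in hasTokenExpired; set reflectively by OAuth2RestTemplate via the field name "clockSkew" - do not rename or retype.` Only fragments of the class are visible here, so a chain used without `OAuth2RestTemplate` appears to be fixed at the 30-second default.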
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/AccessTokenRequest.java @@ -21,6 +21,12 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.util.MultiValueMap; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public interface AccessTokenRequest extends MultiValueMap { OAuth2AccessToken getExistingToken(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java index 58f376277..cdc58adf2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientKeyGenerator.java @@ -18,9 +18,13 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ClientKeyGenerator { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java index 0aef5cc19..2f3937b58 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/ClientTokenServices.java @@ -19,9 +19,13 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ClientTokenServices { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java index 72a8f21af..3136fd6b4 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultAccessTokenRequest.java @@ -25,10 +25,14 @@ /** * Local context for an access token request encapsulating the parameters that are sent by the client requesting the * token, as opposed to the more static variables representing the client itself and the resource being targeted. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultAccessTokenRequest implements AccessTokenRequest, Serializable { private static final long serialVersionUID = 914967629530462926L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java index b473d77c2..a083ceacf 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultClientKeyGenerator.java @@ -25,10 +25,14 @@ /** * Basic key generator taking into account the client id, scope and username (principal name) if they exist. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultClientKeyGenerator implements ClientKeyGenerator { private static final String CLIENT_ID = "client_id"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java index 09ca76bd7..322d58ec7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/DefaultRequestEnhancer.java @@ -21,6 +21,12 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; import org.springframework.util.MultiValueMap; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public class DefaultRequestEnhancer implements RequestEnhancer { private Set parameterIncludes = Collections.emptySet(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java index fbc8c9d45..4f4474541 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServices.java @@ -20,9 +20,13 @@ /** * Implementation of token services that stores tokens in a database for retrieval by client applications. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class JdbcClientTokenServices implements ClientTokenServices { private static final Log LOG = LogFactory.getLog(JdbcClientTokenServices.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java index 0cf556a34..c31822633 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupport.java @@ -39,17 +39,21 @@ /** * Base support logic for obtaining access tokens. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public abstract class OAuth2AccessTokenSupport { protected final Log logger = LogFactory.getLog(getClass()); private static final FormHttpMessageConverter FORM_MESSAGE_CONVERTER = new FormHttpMessageConverter(); - private RestOperations restTemplate; + private volatile RestOperations restTemplate; private List> messageConverters; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java index b6442bb1b..c49d1a841 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/RequestEnhancer.java @@ -16,6 +16,12 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; import org.springframework.util.MultiValueMap; +/** + *
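Review bot: The `volatile` added to `restTemplate` has no comment saying which access pattern it protects, and the code that reads and assigns the field is outside this hunk. If the field is created lazily in an accessor, `volatile` only gives visibility; the creation itself still needs a lock or must tolerate two threads building separate instances. A short comment on the field would record the intent, e.g. `// volatile: assigned lazily and read by request threads without holding a lock`, adjusted to what the accessor really does. The neighbouring `messageConverters` field stays non-volatile, so it is worth confirming that it is only written during configuration.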

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public interface RequestEnhancer { void enhance(AccessTokenRequest request, OAuth2ProtectedResourceDetails resource, MultiValueMap form, diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java index b62669fda..91b625653 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/ClientAuthenticationHandler.java @@ -18,10 +18,14 @@ /** * Logic for handling client authentication. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public interface ClientAuthenticationHandler { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java index 88a0a6fa0..331c26f4c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/auth/DefaultClientAuthenticationHandler.java @@ -11,10 +11,14 @@ /** * Default implementation of the client authentication handler. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class DefaultClientAuthenticationHandler implements ClientAuthenticationHandler { public void authenticateTokenRequest(OAuth2ProtectedResourceDetails resource, MultiValueMap form, diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java index b7adaecb5..4d7c664c7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsAccessTokenProvider.java @@ -13,14 +13,19 @@ import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport; import org.springframework.security.oauth2.common.OAuth2RefreshToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; /** * Provider for obtaining an oauth2 access token by using client credentials. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ClientCredentialsAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider { public boolean supportsResource(OAuth2ProtectedResourceDetails resource) { @@ -48,7 +53,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails detail private MultiValueMap getParametersForTokenRequest(ClientCredentialsResourceDetails resource) { MultiValueMap form = new LinkedMultiValueMap(); - form.set("grant_type", "client_credentials"); + form.set(OAuth2Utils.GRANT_TYPE, "client_credentials"); if (resource.isScoped()) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java index 9ddc01b8d..fe2e1a001 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/client/ClientCredentialsResourceDetails.java @@ -3,8 +3,12 @@ import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ClientCredentialsResourceDetails extends BaseOAuth2ProtectedResourceDetails { public ClientCredentialsResourceDetails() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java index 8a6ea6390..4e48c9685 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProvider.java @@ -65,10 +65,14 @@ /** * Provider for obtaining an oauth2 access token by using an authorization code. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class AuthorizationCodeAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider { private StateKeyGenerator stateKeyGenerator = new DefaultStateKeyGenerator(); @@ -215,7 +219,7 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException, OAuth2AccessDeniedException { MultiValueMap form = new LinkedMultiValueMap(); - form.add("grant_type", "refresh_token"); + form.add(OAuth2Utils.GRANT_TYPE, "refresh_token"); form.add("refresh_token", refreshToken.getValue()); try { return retrieveToken(request, resource, form, getHeadersForTokenRequest(request)); @@ -244,7 +248,7 @@ private MultiValueMap getParametersForTokenRequest(Authorization AccessTokenRequest request) { MultiValueMap form = new LinkedMultiValueMap(); - form.set("grant_type", "authorization_code"); + form.set(OAuth2Utils.GRANT_TYPE, "authorization_code"); form.set("code", request.getAuthorizationCode()); Object preservedState = request.getPreservedState(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java index 1e445c178..790b6b966 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeResourceDetails.java @@ -3,9 +3,13 @@ import org.springframework.security.oauth2.client.token.grant.redirect.AbstractRedirectResourceDetails; /** + *
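Review bot: Only the `grant_type` key is moved to `OAuth2Utils.GRANT_TYPE` in the `@@ -215,7 +219,7 @@` hunk; the very next line still spells its key as a literal, `form.add("refresh_token", refreshToken.getValue());`. The same pair of lines appears in the `@@ -35,7 +40,7 @@` hunk of ResourceOwnerPasswordAccessTokenProvider. For consistency the key could use the constant the token type already exposes, `form.add(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());`, so that request parameter names are defined in one place. Both methods start and end outside their hunks.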

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class AuthorizationCodeResourceDetails extends AbstractRedirectResourceDetails { public AuthorizationCodeResourceDetails() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java index 664de42d4..35b451ebe 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitAccessTokenProvider.java @@ -34,9 +34,13 @@ * parameters, together with any other information available (e.g. from a cookie), and decide if a user can be * authenticated and if the user has approved the grant of the access token. Only if those two conditions are met should * an access token be available through this provider. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ImplicitAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider { public boolean supportsResource(OAuth2ProtectedResourceDetails resource) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java index 6acb5ba47..9593b63a7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/implicit/ImplicitResourceDetails.java @@ -3,8 +3,12 @@ import org.springframework.security.oauth2.client.token.grant.redirect.AbstractRedirectResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ImplicitResourceDetails extends AbstractRedirectResourceDetails { public ImplicitResourceDetails() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java index 3fa397bcb..fb53594a7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordAccessTokenProvider.java @@ -13,14 +13,19 @@ import org.springframework.security.oauth2.client.token.OAuth2AccessTokenSupport; import org.springframework.security.oauth2.common.OAuth2RefreshToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; /** * Provider for obtaining an oauth2 access token by using resource owner password. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ResourceOwnerPasswordAccessTokenProvider extends OAuth2AccessTokenSupport implements AccessTokenProvider { public boolean supportsResource(OAuth2ProtectedResourceDetails resource) { @@ -35,7 +40,7 @@ public OAuth2AccessToken refreshAccessToken(OAuth2ProtectedResourceDetails resou OAuth2RefreshToken refreshToken, AccessTokenRequest request) throws UserRedirectRequiredException, OAuth2AccessDeniedException { MultiValueMap form = new LinkedMultiValueMap(); - form.add("grant_type", "refresh_token"); + form.add(OAuth2Utils.GRANT_TYPE, "refresh_token"); form.add("refresh_token", refreshToken.getValue()); return retrieveToken(request, resource, form, new HttpHeaders()); } @@ -51,7 +56,7 @@ public OAuth2AccessToken obtainAccessToken(OAuth2ProtectedResourceDetails detail private MultiValueMap getParametersForTokenRequest(ResourceOwnerPasswordResourceDetails resource, AccessTokenRequest request) { MultiValueMap form = new LinkedMultiValueMap(); - form.set("grant_type", "password"); + form.set(OAuth2Utils.GRANT_TYPE, "password"); form.set("username", resource.getUsername()); form.set("password", resource.getPassword()); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java index 54fde4247..21ac5338f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/password/ResourceOwnerPasswordResourceDetails.java 
@@ -18,8 +18,12 @@ import org.springframework.security.oauth2.client.resource.BaseOAuth2ProtectedResourceDetails; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public class ResourceOwnerPasswordResourceDetails extends BaseOAuth2ProtectedResourceDetails { private String username; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java index 8b43a2cd4..15805dbf5 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/client/token/grant/redirect/AbstractRedirectResourceDetails.java @@ -5,8 +5,12 @@ import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ +@Deprecated public abstract class AbstractRedirectResourceDetails extends BaseOAuth2ProtectedResourceDetails { private String preEstablishedRedirectUri; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java index 86b6e30e6..0ed5d6b67 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/AuthenticationScheme.java @@ -14,7 +14,11 @@ /** * Enumeration of possible methods for transmitting authentication credentials. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. */ +@Deprecated public enum AuthenticationScheme { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java index 841480d52..4806e2a4c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultExpiringOAuth2RefreshToken.java @@ -3,8 +3,12 @@ import java.util.Date; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class DefaultExpiringOAuth2RefreshToken extends DefaultOAuth2RefreshToken implements ExpiringOAuth2RefreshToken { private static final long serialVersionUID = 3449554332764129719L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java index 4ecf4a186..eeb5b6527 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2AccessToken.java @@ -11,11 +11,15 @@ /** * Basic access token for OAuth 2. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer * @author Rob Winch */ +@Deprecated public class DefaultOAuth2AccessToken implements Serializable, OAuth2AccessToken { private static final long serialVersionUID = 914967629530462926L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java index c8df418d1..c78bb5410 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultOAuth2RefreshToken.java @@ -2,15 +2,19 @@ import java.io.Serializable; -import org.codehaus.jackson.annotate.JsonCreator; -import org.codehaus.jackson.annotate.JsonValue; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonValue; /** * An OAuth 2 refresh token. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class DefaultOAuth2RefreshToken implements Serializable, OAuth2RefreshToken { private static final long serialVersionUID = 8349970621900575838L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java index 72ba20a09..2f341c2f2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/DefaultThrowableAnalyzer.java @@ -8,7 +8,11 @@ /** * Default implementation of ThrowableAnalyzer which is capable of also unwrapping * ServletExceptions. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. */ +@Deprecated public final class DefaultThrowableAnalyzer extends ThrowableAnalyzer { /** * @see org.springframework.security.web.util.ThrowableAnalyzer#initExtractorMap() diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java index d69672935..eb5fd46fe 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/ExpiringOAuth2RefreshToken.java @@ -15,9 +15,13 @@ import java.util.Date; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ExpiringOAuth2RefreshToken extends OAuth2RefreshToken { Date getExpiration(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java index 4176cf8b4..de4b0ada0 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessToken.java @@ -17,14 +17,15 @@ import java.util.Set; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ -@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2AccessTokenJackson1Serializer.class) -@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2AccessTokenJackson1Deserializer.class) @com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2AccessTokenJackson2Serializer.class) @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2AccessTokenJackson2Deserializer.class) - +@Deprecated public interface OAuth2AccessToken { public static String BEARER_TYPE = "Bearer"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java deleted file mode 100644 index f5288bde7..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Deserializer.java +++ /dev/null 
@@ -1,104 +0,0 @@ -/* - * Copyright 2006-2010 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package org.springframework.security.oauth2.common; - -import java.io.IOException; -import java.util.Date; -import java.util.LinkedHashMap; -import java.util.Map; -import java.util.Set; - -import org.codehaus.jackson.JsonParseException; -import org.codehaus.jackson.JsonParser; -import org.codehaus.jackson.JsonProcessingException; -import org.codehaus.jackson.JsonToken; -import org.codehaus.jackson.map.DeserializationContext; -import org.codehaus.jackson.map.JsonDeserializer; -import org.codehaus.jackson.map.deser.StdDeserializer; -import org.springframework.security.oauth2.common.util.OAuth2Utils; - -/** - *

- * Provides the ability to deserialize JSON response into an {@link OAuth2AccessToken} with jackson by implementing - * {@link JsonDeserializer}. - *

- *

- * The expected format of the access token is defined by Successful Response. - *

- * - * @author Rob Winch - * @see OAuth2AccessTokenJackson1Serializer - */ -@SuppressWarnings("deprecation") -public final class OAuth2AccessTokenJackson1Deserializer extends StdDeserializer { - - public OAuth2AccessTokenJackson1Deserializer() { - super(OAuth2AccessToken.class); - } - - @Override - public OAuth2AccessToken deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, - JsonProcessingException { - - String tokenValue = null; - String tokenType = null; - String refreshToken = null; - Long expiresIn = null; - Set scope = null; - Map additionalInformation = new LinkedHashMap(); - - // TODO What should occur if a parameter exists twice - while (jp.nextToken() != JsonToken.END_OBJECT) { - String name = jp.getCurrentName(); - jp.nextToken(); - if (OAuth2AccessToken.ACCESS_TOKEN.equals(name)) { - tokenValue = jp.getText(); - } - else if (OAuth2AccessToken.TOKEN_TYPE.equals(name)) { - tokenType = jp.getText(); - } - else if (OAuth2AccessToken.REFRESH_TOKEN.equals(name)) { - refreshToken = jp.getText(); - } - else if (OAuth2AccessToken.EXPIRES_IN.equals(name)) { - try { - expiresIn = jp.getLongValue(); - } catch (JsonParseException e) { - expiresIn = Long.valueOf(jp.getText()); - } - } - else if (OAuth2AccessToken.SCOPE.equals(name)) { - String text = jp.getText(); - scope = OAuth2Utils.parseParameterList(text); - } else { - additionalInformation.put(name, jp.readValueAs(Object.class)); - } - } - - // TODO What should occur if a required parameter (tokenValue or tokenType) is missing? 
- - DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenValue); - accessToken.setTokenType(tokenType); - if (expiresIn != null) { - accessToken.setExpiration(new Date(System.currentTimeMillis() + (expiresIn * 1000))); - } - if (refreshToken != null) { - accessToken.setRefreshToken(new DefaultOAuth2RefreshToken(refreshToken)); - } - accessToken.setScope(scope); - accessToken.setAdditionalInformation(additionalInformation); - - return accessToken; - } -} \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java deleted file mode 100644 index 1fd3fe777..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1Serializer.java +++ /dev/null 
@@ -1,72 +0,0 @@
-/*
- * Copyright 2006-2010 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common;
-
-import java.io.IOException;
-import java.util.Date;
-import java.util.Map;
-import java.util.Set;
-
-import org.codehaus.jackson.JsonGenerationException;
-import org.codehaus.jackson.JsonGenerator;
-import org.codehaus.jackson.map.JsonSerializer;
-import org.codehaus.jackson.map.SerializerProvider;
-import org.codehaus.jackson.map.ser.SerializerBase;
-import org.springframework.util.Assert;
-
-/**
- * Provides the ability to serialize an {@link OAuth2AccessToken} with jackson by implementing {@link JsonSerializer}.
- * Refer to {@link OAuth2AccessTokenJackson1Deserializer} to learn more about the JSON format that is used.
- *
- * @author Rob Winch
- * @see OAuth2AccessTokenJackson1Deserializer
- */
-@SuppressWarnings("deprecation")
-public final class OAuth2AccessTokenJackson1Serializer extends SerializerBase {
-
- public OAuth2AccessTokenJackson1Serializer() {
- super(OAuth2AccessToken.class);
- }
-
- @Override
- public void serialize(OAuth2AccessToken token, JsonGenerator jgen, SerializerProvider provider) throws IOException,
- JsonGenerationException {
- jgen.writeStartObject();
- jgen.writeStringField(OAuth2AccessToken.ACCESS_TOKEN, token.getValue());
- jgen.writeStringField(OAuth2AccessToken.TOKEN_TYPE, token.getTokenType());
- OAuth2RefreshToken refreshToken = token.getRefreshToken();
- if (refreshToken != null) {
- jgen.writeStringField(OAuth2AccessToken.REFRESH_TOKEN, refreshToken.getValue());
- }
- Date expiration = token.getExpiration();
- if (expiration != null) {
- long now = System.currentTimeMillis();
- jgen.writeNumberField(OAuth2AccessToken.EXPIRES_IN, (expiration.getTime() - now) / 1000);
- }
- Set scope = token.getScope();
- if (scope != null && !scope.isEmpty()) {
- StringBuffer scopes = new StringBuffer();
- for (String s : scope) {
- Assert.hasLength(s, "Scopes cannot be null or empty. Got " + scope + "");
- scopes.append(s);
- scopes.append(" ");
- }
- jgen.writeStringField(OAuth2AccessToken.SCOPE, scopes.substring(0, scopes.length() - 1));
- }
- Map additionalInformation = token.getAdditionalInformation();
- for (String key : additionalInformation.keySet()) {
- jgen.writeObjectField(key, additionalInformation.get(key));
- }
- jgen.writeEndObject();
- }
-}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java
index a9294e74b..ff0084019 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Deserializer.java @@ -39,11 +39,15 @@ * href="https://tools.ietf.org/html/draft-ietf-oauth-v2-22#section-5.1">Successful Response. *

* + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * @author Brian Clozel * @see org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Serializer */ @SuppressWarnings("serial") +@Deprecated public final class OAuth2AccessTokenJackson2Deserializer extends StdDeserializer { public OAuth2AccessTokenJackson2Deserializer() { @@ -92,7 +96,7 @@ else if (OAuth2AccessToken.SCOPE.equals(name)) { DefaultOAuth2AccessToken accessToken = new DefaultOAuth2AccessToken(tokenValue); accessToken.setTokenType(tokenType); - if (expiresIn != null) { + if (expiresIn != null && expiresIn != 0) { accessToken.setExpiration(new Date(System.currentTimeMillis() + (expiresIn * 1000))); } if (refreshToken != null) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java index 60632949b..01fcb0921 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2Serializer.java @@ -26,12 +26,17 @@ /** * Provides the ability to serialize an {@link org.springframework.security.oauth2.common.OAuth2AccessToken} with jackson2 by implementing {@link com.fasterxml.jackson.databind.JsonDeserializer}. - * Refer to {@link org.springframework.security.oauth2.common.OAuth2AccessTokenJackson1Deserializer} to learn more about the JSON format that is used. + * + * The expected format of the access token is defined by Successful Response. + * + *
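Review bot: The added `expiresIn != 0` guard in the `@@ -92,7 +96,7 @@` hunk makes an `expires_in` of 0 indistinguishable from an absent field, so a token response carrying 0 is deserialized with no expiration date at all. Whether the client then treats such a token as never expiring depends on DefaultOAuth2AccessToken, which is not shown here, but that is the likely reading and it is the less conservative one for a value supplied by the token endpoint. If that is the intent, state it next to the check, e.g. `// expires_in == 0 is read as "no expiry", not "already expired"`. Separately, `expiresIn * 1000` is an unchecked long multiplication on a value taken from the response, so a very large `expires_in` can wrap. deserialize() starts and ends outside the hunk.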

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. * * @author Rob Winch * @author Brian Clozel * @see org.springframework.security.oauth2.common.OAuth2AccessTokenJackson2Deserializer */ +@Deprecated public final class OAuth2AccessTokenJackson2Serializer extends StdSerializer { public OAuth2AccessTokenJackson2Serializer() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java index 2caf151e7..495fda30d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/OAuth2RefreshToken.java @@ -12,12 +12,16 @@ */ package org.springframework.security.oauth2.common; -import org.codehaus.jackson.annotate.JsonValue; +import com.fasterxml.jackson.annotation.JsonValue; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface OAuth2RefreshToken { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java index e928185f5..522af2175 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/BadClientCredentialsException.java @@ -3,10 +3,14 @@ /** * Exception thrown when a client was unable to authenticate. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class BadClientCredentialsException extends ClientAuthenticationException { public BadClientCredentialsException() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java index 5c0eb31d6..42d8dfe24 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/ClientAuthenticationException.java @@ -2,11 +2,15 @@ /** * Base exception - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public abstract class ClientAuthenticationException extends OAuth2Exception { public ClientAuthenticationException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java index c512f60aa..ff80461a2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InsufficientScopeException.java @@ -8,10 +8,14 @@ /** * Exception representing insufficient scope in a token when a request is handled by a Resource Server. It is akin to an * {@link AccessDeniedException} and should result in a 403 (FORBIDDEN) HTTP status. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InsufficientScopeException extends OAuth2Exception { public InsufficientScopeException(String msg, Set validScope) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java index fd10e7b26..6aefe7d37 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidClientException.java @@ -3,10 +3,14 @@ /** * Exception thrown when a client was unable to authenticate. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InvalidClientException extends ClientAuthenticationException { public InvalidClientException(String msg) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java index b492d9452..2294cdffa 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidGrantException.java @@ -1,10 +1,14 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InvalidGrantException extends ClientAuthenticationException { public InvalidGrantException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java index 32b14681e..7b18897f4 100755 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidRequestException.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InvalidRequestException extends ClientAuthenticationException { public InvalidRequestException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java index f5989edd1..4a8f4b3b1 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidScopeException.java @@ -8,11 +8,15 @@ * Exception representing an invalid scope in a token or authorization request (i.e. from an Authorization Server). Note * that this is not the same as an access denied exception if the scope presented to a Resource Server is insufficient. * The spec in this case mandates a 400 status code. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InvalidScopeException extends OAuth2Exception { public InvalidScopeException(String msg, Set validScope) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java index 555cc4a7c..e8cb37507 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/InvalidTokenException.java @@ -16,10 +16,14 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class InvalidTokenException extends ClientAuthenticationException { public InvalidTokenException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java index 17819a1e3..4b4e9a802 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2Exception.java @@ -6,16 +6,18 @@ /** * Base exception for OAuth 2 exceptions. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Rob Winch * @author Dave Syer */ @SuppressWarnings("serial") -@org.codehaus.jackson.map.annotate.JsonSerialize(using = OAuth2ExceptionJackson1Serializer.class) -@org.codehaus.jackson.map.annotate.JsonDeserialize(using = OAuth2ExceptionJackson1Deserializer.class) @com.fasterxml.jackson.databind.annotation.JsonSerialize(using = OAuth2ExceptionJackson2Serializer.class) @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = OAuth2ExceptionJackson2Deserializer.class) +@Deprecated public class OAuth2Exception extends RuntimeException { public static final String ERROR = "error"; @@ -36,36 +38,11 @@ public class OAuth2Exception extends RuntimeException { private Map additionalInformation = null; public OAuth2Exception(String msg, Throwable t) { - super(assertErrorDescription(msg), t); + super(msg, t); } public OAuth2Exception(String msg) { - super(assertErrorDescription(msg)); - } - - private static String assertErrorDescription(String description) { - if (!isErrorDescriptionValid(description)) { - throw new IllegalArgumentException("error_description contains invalid ASCII characters, it must conform to RFC 6749"); - } - return description; - } - - private static boolean isErrorDescriptionValid(String description) { - if (description == null) { - return true; - } - for (char c : description.toCharArray()) { - if (withinTheRangeOf(c, 0x20, 0x21) || - withinTheRangeOf(c, 0x23, 0x5B) || - withinTheRangeOf(c, 0x5D, 0x7E)) { - return true; - } - } - return false; - } - - private static boolean withinTheRangeOf(int c, int min, int max) { - return c >= min && c <= max; + super(msg); } /** 
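Review bot: With `super(msg, t)` and `super(msg)` in the `@@ -36,36 +38,11 @@` hunk the constructors no longer constrain the message, yet the message is what gets written out as `error_description`: the removed Jackson 1 serializer on this page writes `value.getMessage()`, and the Jackson 2 serializer, whose body is not shown, presumably does the same. Any caller that builds the message from request data now passes quotes, control characters and non-ASCII text through to the error response, so the encoding has to be guaranteed at the point where the value is written. A comment on the constructors would make that contract explicit: `// msg is not validated here; whatever renders error_description must encode it`. The removed check returned true on the first acceptable character, so it enforced little, but callers may have relied on it being there.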
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java deleted file mode 100644 index a32e4e521..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Deserializer.java +++ /dev/null 
@@ -1,130 +0,0 @@ -/* - * Copyright 2006-2011 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package org.springframework.security.oauth2.common.exceptions; - -import java.io.IOException; -import java.util.HashMap; -import java.util.List; -import java.util.Map; -import java.util.Set; - -import org.codehaus.jackson.JsonParser; -import org.codehaus.jackson.JsonProcessingException; -import org.codehaus.jackson.JsonToken; -import org.codehaus.jackson.map.DeserializationContext; -import org.codehaus.jackson.map.JsonDeserializer; -import org.springframework.security.oauth2.common.util.OAuth2Utils; - -/** - * @author Dave Syer - * - */ -public class OAuth2ExceptionJackson1Deserializer extends JsonDeserializer { - - @Override - public OAuth2Exception deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, - JsonProcessingException { - - JsonToken t = jp.getCurrentToken(); - if (t == JsonToken.START_OBJECT) { - t = jp.nextToken(); - } - Map errorParams = new HashMap(); - for (; t == JsonToken.FIELD_NAME; t = jp.nextToken()) { - // Must point to field name - String fieldName = jp.getCurrentName(); - // And then the value... 
- t = jp.nextToken(); - // Note: must handle null explicitly here; value deserializers won't - Object value; - if (t == JsonToken.VALUE_NULL) { - value = null; - } - // Some servers might send back complex content - else if (t == JsonToken.START_ARRAY) { - value = jp.readValueAs(List.class); - } - else if (t == JsonToken.START_OBJECT) { - value = jp.readValueAs(Map.class); - } - else { - value = jp.getText(); - } - errorParams.put(fieldName, value); - } - - Object errorCode = errorParams.get("error"); - String errorMessage = errorParams.containsKey("error_description") ? errorParams.get("error_description") - .toString() : null; - if (errorMessage == null) { - errorMessage = errorCode == null ? "OAuth Error" : errorCode.toString(); - } - - OAuth2Exception ex; - if ("invalid_client".equals(errorCode)) { - ex = new InvalidClientException(errorMessage); - } - else if ("unauthorized_client".equals(errorCode)) { - ex = new UnauthorizedClientException(errorMessage); - } - else if ("invalid_grant".equals(errorCode)) { - if (errorMessage.toLowerCase().contains("redirect") && errorMessage.toLowerCase().contains("match")) { - ex = new RedirectMismatchException(errorMessage); - } - else { - ex = new InvalidGrantException(errorMessage); - } - } - else if ("invalid_scope".equals(errorCode)) { - ex = new InvalidScopeException(errorMessage); - } - else if ("invalid_token".equals(errorCode)) { - ex = new InvalidTokenException(errorMessage); - } - else if ("invalid_request".equals(errorCode)) { - ex = new InvalidRequestException(errorMessage); - } - else if ("redirect_uri_mismatch".equals(errorCode)) { - ex = new RedirectMismatchException(errorMessage); - } - else if ("unsupported_grant_type".equals(errorCode)) { - ex = new UnsupportedGrantTypeException(errorMessage); - } - else if ("unsupported_response_type".equals(errorCode)) { - ex = new UnsupportedResponseTypeException(errorMessage); - } - else if ("access_denied".equals(errorCode)) { - ex = new 
UserDeniedAuthorizationException(errorMessage); - } - else if ("insufficient_scope".equals(errorCode)) { - ex = new InsufficientScopeException(errorMessage, OAuth2Utils.parseParameterList((String) errorParams - .get("scope"))); - } - else { - ex = new OAuth2Exception(errorMessage); - } - - Set> entries = errorParams.entrySet(); - for (Map.Entry entry : entries) { - String key = entry.getKey(); - if (!"error".equals(key) && !"error_description".equals(key)) { - Object value = entry.getValue(); - ex.addAdditionalInformation(key, value == null ? null : value.toString()); - } - } - - return ex; - - } - -} diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java deleted file mode 100644 index 6ebeb13a6..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson1Serializer.java +++ /dev/null 
@@ -1,45 +0,0 @@
-/*
- * Copyright 2006-2011 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * https://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
- * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations under the License.
- */
-package org.springframework.security.oauth2.common.exceptions;
-
-import java.io.IOException;
-import java.util.Map.Entry;
-
-import org.codehaus.jackson.JsonGenerator;
-import org.codehaus.jackson.JsonProcessingException;
-import org.codehaus.jackson.map.JsonSerializer;
-import org.codehaus.jackson.map.SerializerProvider;
-
-/**
- * @author Dave Syer
- *
- */
-public class OAuth2ExceptionJackson1Serializer extends JsonSerializer {
-
- @Override
- public void serialize(OAuth2Exception value, JsonGenerator jgen, SerializerProvider provider) throws IOException,
- JsonProcessingException {
- jgen.writeStartObject();
- jgen.writeStringField("error", value.getOAuth2ErrorCode());
- jgen.writeStringField("error_description", value.getMessage());
- if (value.getAdditionalInformation()!=null) {
- for (Entry entry : value.getAdditionalInformation().entrySet()) {
- String key = entry.getKey();
- String add = entry.getValue();
- jgen.writeStringField(key, add);
- }
- }
- jgen.writeEndObject();
- }
-
-}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java
index 516f39f41..0cd8dbba1 100644
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Deserializer.java @@ -27,10 +27,14 @@ import org.springframework.security.oauth2.common.util.OAuth2Utils; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Brian Clozel * */ @SuppressWarnings("serial") +@Deprecated public class OAuth2ExceptionJackson2Deserializer extends StdDeserializer { public OAuth2ExceptionJackson2Deserializer() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java index 2ab32c8cc..0ed45881d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionJackson2Serializer.java @@ -21,9 +21,13 @@ import com.fasterxml.jackson.databind.ser.std.StdSerializer; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Brian Clozel * */ +@Deprecated public class OAuth2ExceptionJackson2Serializer extends StdSerializer { public OAuth2ExceptionJackson2Serializer() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java index 4e66b52f2..989980291 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/RedirectMismatchException.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class RedirectMismatchException extends ClientAuthenticationException { public RedirectMismatchException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java index 2b46c26eb..14d41a53f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/SerializationException.java @@ -3,9 +3,13 @@ /** * Thrown during a problem serialization/deserialization. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class SerializationException extends RuntimeException { public SerializationException() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java index f288bc679..1a787bffd 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnapprovedClientAuthenticationException.java @@ -3,9 +3,13 @@ import org.springframework.security.authentication.InsufficientAuthenticationException; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnapprovedClientAuthenticationException extends InsufficientAuthenticationException { public UnapprovedClientAuthenticationException(String msg) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java index cb25b01d5..595fe52eb 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedClientException.java @@ -2,10 +2,14 @@ /** * Exception thrown when a client was unable to authenticate. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnauthorizedClientException extends ClientAuthenticationException { public UnauthorizedClientException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java index 795fe2d1a..ba0ebf466 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnauthorizedUserException.java @@ -2,10 +2,14 @@ /** * Exception thrown when a user was unable to authenticate. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ @SuppressWarnings("serial") +@Deprecated public class UnauthorizedUserException extends OAuth2Exception { public UnauthorizedUserException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java index 113c7fefb..4fba4ff0a 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedGrantTypeException.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnsupportedGrantTypeException extends OAuth2Exception { public UnsupportedGrantTypeException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java index 8129964ac..588600f88 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UnsupportedResponseTypeException.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UnsupportedResponseTypeException extends OAuth2Exception { public UnsupportedResponseTypeException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java index 0ec3cc75c..94715b6e7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/exceptions/UserDeniedAuthorizationException.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.common.exceptions; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ @SuppressWarnings("serial") +@Deprecated public class UserDeniedAuthorizationException extends OAuth2Exception { public UserDeniedAuthorizationException(String msg, Throwable t) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java index 37347befe..61a397fbc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultJdbcListFactory.java @@ -23,9 +23,13 @@ import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultJdbcListFactory implements JdbcListFactory { private final NamedParameterJdbcOperations jdbcTemplate; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java new file mode 100644 index 000000000..f8ade4824 --- /dev/null +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/DefaultSerializationStrategy.java @@ -0,0 +1,92 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.common.util; + +import org.springframework.core.ConfigurableObjectInputStream; + +import java.io.*; + +/** + * The default {@link SerializationStrategy} which uses the built-in Java serialization mechanism. + *

+ * Note that this class should not be used if data for deserialization comes from an untrusted source. + * Instead, please use {@link WhitelistedSerializationStrategy} with a list of allowed classes for deserialization. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + * @author Artem Smotrakov + * @since 2.4 + */ +@Deprecated +public class DefaultSerializationStrategy implements SerializationStrategy { + + public byte[] serialize(Object state) { + ObjectOutputStream oos = null; + try { + ByteArrayOutputStream bos = new ByteArrayOutputStream(512); + oos = new ObjectOutputStream(bos); + oos.writeObject(state); + oos.flush(); + return bos.toByteArray(); + } catch (IOException e) { + throw new IllegalArgumentException(e); + } finally { + if (oos != null) { + try { + oos.close(); + } catch (IOException e) { + // eat it + } + } + } + } + + public T deserialize(byte[] byteArray) { + ObjectInputStream oip = null; + try { + oip = createObjectInputStream(byteArray); + @SuppressWarnings("unchecked") + T result = (T) oip.readObject(); + return result; + } catch (IOException e) { + throw new IllegalArgumentException(e); + } catch (ClassNotFoundException e) { + throw new IllegalArgumentException(e); + } finally { + if (oip != null) { + try { + oip.close(); + } catch (IOException e) { + // eat it + } + } + } + } + + /** + * Creates an {@link ObjectInputStream} for deserialization. + * + * @param byteArray Data to be deserialized. + * @return An instance of {@link ObjectInputStream} which should be used for deserialization. + * @throws IOException If something went wrong. + */ + protected ObjectInputStream createObjectInputStream(byte[] byteArray) throws IOException { + return new ConfigurableObjectInputStream(new ByteArrayInputStream(byteArray), + Thread.currentThread().getContextClassLoader()); + } +} diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java index e8ca0adfb..6537d0304 100644 
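Review bot: `deserialize` calls `oip.readObject()` on the stream returned by `createObjectInputStream` with no class filtering, and the only warning about that is in the class-level Javadoc; `serialize` and `deserialize` have no Javadoc of their own. Callers normally reach this code through `SerializationUtils.deserialize` and may never read the class comment, so I would add a method comment such as `/** Deserializes with plain Java serialization; no class allow-list is applied, so pass only bytes read from a trusted store. */`. Both `finally` blocks swallow the `IOException` from `close()` with `// eat it`; a short comment saying why that is acceptable for an in-memory stream would replace it well. Adding `@Override` to both methods, as the removed `JacksonJsonParser` did for its interface methods, lets the compiler catch any drift from `SerializationStrategy`.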
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/Jackson2JsonParser.java @@ -20,9 +20,13 @@ /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class Jackson2JsonParser implements JsonParser { private ObjectMapper mapper = new ObjectMapper(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java deleted file mode 100644 index a79502e52..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JacksonJsonParser.java +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright 2013-2014 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ - -package org.springframework.security.oauth2.common.util; - -import java.util.Map; - -import org.codehaus.jackson.map.ObjectMapper; - -/** - * @author Dave Syer - * - */ -public class JacksonJsonParser implements JsonParser { - - private ObjectMapper mapper = new ObjectMapper(); - - @SuppressWarnings("unchecked") - @Override - public Map parseMap(String json) { - try { - return mapper.readValue(json, Map.class); - } - catch (Exception e) { - throw new IllegalArgumentException("Cannot parse json", e); - } - } - - @Override - public String formatMap(Map map) { - try { - return mapper.writeValueAsString(map); - } - catch (Exception e) { - throw new IllegalArgumentException("Cannot format json", e); - } - } - -} 
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java index fb7492b60..9c5b11cfe 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JdbcListFactory.java @@ -22,9 +22,13 @@ import org.springframework.jdbc.core.RowMapper; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface JdbcListFactory { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java index c17125c7d..a2b1a9705 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateDeserializer.java 
@@ -1,40 +1,47 @@ /* - * Cloud Foundry 2012.02.03 Beta - * Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved. + * Copyright 2002-2019 the original author or authors. * - * This product is licensed to you under the Apache License, Version 2.0 (the "License"). - * You may not use this product except in compliance with the License. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * This product includes a number of subcomponents with - * separate copyright notices and license terms. Your use of these - * subcomponents is subject to the terms and conditions of the - * subcomponent's license, as noted in the LICENSE file. + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ -package org.springframework.security.oauth2.common.util; -import org.codehaus.jackson.JsonParseException; -import org.codehaus.jackson.JsonParser; -import org.codehaus.jackson.JsonProcessingException; -import org.codehaus.jackson.map.DeserializationContext; -import org.codehaus.jackson.map.JsonDeserializer; +package org.springframework.security.oauth2.common.util; import java.io.IOException; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.Date; +import com.fasterxml.jackson.core.JsonParseException; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.DeserializationContext; +import com.fasterxml.jackson.databind.JsonDeserializer; + /** * JSON deserializer for Jackson to handle regular date instances as timestamps in ISO format. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JsonDateDeserializer extends JsonDeserializer { private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); @Override - public Date deserialize(JsonParser parser, DeserializationContext context) throws IOException, JsonProcessingException { + public Date deserialize(com.fasterxml.jackson.core.JsonParser parser, DeserializationContext context) throws IOException, JsonProcessingException { try { synchronized (dateFormat) { return dateFormat.parse(parser.getText()); @@ -44,5 +51,4 @@ public Date deserialize(JsonParser parser, DeserializationContext context) throw throw new JsonParseException("Could not parse date", parser.getCurrentLocation(), e); } } - } \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java index d4df5c793..11fea8daf 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonDateSerializer.java 
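Review bot: The pattern in `dateFormat`, `"yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"`, quotes the trailing `Z`, so `dateFormat.parse(parser.getText())` matches it as a literal character and reads the timestamp in the JVM's default time zone, not UTC; the Jackson 2 migration carries this over unchanged. If these values are meant to be UTC instants, as the "ISO format" wording in the class comment suggests, pinning the zone once would fix it: `static { dateFormat.setTimeZone(TimeZone.getTimeZone("UTC")); }` together with the `java.util.TimeZone` import. `JsonDateSerializer` declares the same pattern and should change together with this class so that a written value parses back to the same instant. The body of `deserialize` continues into the next hunk of this file.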
@@ -1,32 +1,40 @@ /* - * Cloud Foundry 2012.02.03 Beta - * Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved. + * Copyright 2002-2019 the original author or authors. * - * This product is licensed to you under the Apache License, Version 2.0 (the "License"). - * You may not use this product except in compliance with the License. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at * - * This product includes a number of subcomponents with - * separate copyright notices and license terms. Your use of these - * subcomponents is subject to the terms and conditions of the - * subcomponent's license, as noted in the LICENSE file. + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. */ -package org.springframework.security.oauth2.common.util; -import org.codehaus.jackson.JsonGenerator; -import org.codehaus.jackson.JsonProcessingException; -import org.codehaus.jackson.map.JsonSerializer; -import org.codehaus.jackson.map.SerializerProvider; +package org.springframework.security.oauth2.common.util; import java.io.IOException; import java.text.SimpleDateFormat; import java.util.Date; +import com.fasterxml.jackson.core.JsonGenerator; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.JsonSerializer; +import com.fasterxml.jackson.databind.SerializerProvider; + /** * JSON serializer for Jackson to handle regular date instances as timestamps in ISO format. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JsonDateSerializer extends JsonSerializer { private static final SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java index c2905ca5c..be1e0cc58 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParser.java @@ -16,9 +16,13 @@ import java.util.Map; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface JsonParser { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java index 2ec9aa2da..aeadcbd7d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/JsonParserFactory.java @@ -16,19 +16,20 @@ import org.springframework.util.ClassUtils; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JsonParserFactory { public static JsonParser create() { if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) { return new Jackson2JsonParser(); } - if (ClassUtils.isPresent("org.codehaus.jackson.map.ObjectMapper", null)) { - return new JacksonJsonParser(); - } - throw new IllegalStateException("No Jackson parser found. Please add Jackson to your classpath."); + throw new IllegalStateException("No Jackson 2 parser found. Please add Jackson 2 to your classpath."); } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java index 4c22f34b3..ba9988362 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/OAuth2Utils.java @@ -27,9 +27,13 @@ import org.springframework.util.StringUtils; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public abstract class OAuth2Utils { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java index b842648c7..c3562bf52 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/ProxyCreator.java @@ -21,9 +21,13 @@ import org.springframework.beans.factory.ObjectFactory; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ProxyCreator { @SuppressWarnings("unchecked") diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java index 6dd551d42..33a3791ae 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/RandomValueStringGenerator.java @@ -1,3 +1,18 @@ +/* + * Copyright 2012-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.springframework.security.oauth2.common.util; import java.security.SecureRandom; @@ -5,13 +20,17 @@ /** * Utility that generates a random-value ASCII string. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class RandomValueStringGenerator { - private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" + private static final char[] DEFAULT_CODEC = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-_" .toCharArray(); private Random random = new SecureRandom(); @@ -43,7 +62,7 @@ public String generate() { /** * Convert these random bytes to a verifier string. The length of the byte array can be * {@link #setLength(int) configured}. The default implementation mods the bytes to fit into the - * ASCII letters 1-9, A-Z, a-z . + * ASCII letters 1-9, A-Z, a-z, -_ . * * @param verifierBytes The bytes. * @return The string. @@ -66,11 +85,14 @@ public void setRandom(Random random) { } /** - * The length of string to generate. + * The length of string to generate. A length less than or equal to 0 will result in an {@code IllegalArgumentException}. * * @param length the length to set */ public void setLength(int length) { + if (length <= 0) { + throw new IllegalArgumentException("length must be greater than 0"); + } this.length = length; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java new file mode 100644 index 000000000..72f9f6060 --- /dev/null +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationStrategy.java 
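Review bot: The new `DEFAULT_CODEC` has 64 characters, and nothing next to the constant records why that length matters. The Javadoc in the following hunk says the random bytes are reduced modulo the codec, and 64 divides 256 evenly where the old 62 did not, so, assuming the mapping outside this hunk is a plain modulo, every character is now equally likely. I would state that beside the constant, for example `// 64 symbols: 256 % 64 == 0, so byte % length is uniform; keep the length a divisor of 256`, so that a later change to the alphabet does not bring the skew back. The same Javadoc still says `1-9` although the codec contains `0`; `0-9` would be accurate.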
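Review bot: The `length <= 0` check is added to `setLength` only, while the field may also be assigned elsewhere in the class, which this hunk does not show. If a constructor taking a length writes `this.length` directly, a zero or negative value still gets through there; calling `setLength(length)` from it, or repeating the check, would make the guard complete. The updated Javadoc sentence would also read better as a tag, `@throws IllegalArgumentException if length is less than or equal to 0`.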
@@ -0,0 +1,48 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.common.util; + +/** + * Defines how objects are serialized and deserialized. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + * @author Artem Smotrakov + * @since 2.4 + */ +@Deprecated +public interface SerializationStrategy { + + /** + * Serializes an object. + * + * @param object The object to be serialized. + * @return A byte array. + */ + byte[] serialize(Object object); + + /** + * Deserializes an object from a byte array. + * + * @param byteArray The byte array. + * @param The type of the object. + * @return The deserialized object. + */ + T deserialize(byte[] byteArray); + +} diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java index e622c6797..fe554e88e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/SerializationUtils.java 
@@ -1,64 +1,80 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.springframework.security.oauth2.common.util; -import java.io.ByteArrayInputStream; -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.ObjectInputStream; -import java.io.ObjectOutputStream; +import org.springframework.core.io.support.SpringFactoriesLoader; +import org.springframework.util.Assert; -import org.springframework.core.ConfigurableObjectInputStream; +import java.util.List; +/** + * This is a helper class for serializing and deserializing objects with a {@link SerializationStrategy}. + * The class looks for the strategy in {@code META-INF/spring.factories}, + * or the strategy can also be set by calling {@link #setSerializationStrategy(SerializationStrategy)}. + * If no strategy is specified, the default is {@link DefaultSerializationStrategy}. + *

+ * Note that the default strategy allows deserializing arbitrary classes which may result in security problems + * if data comes from an untrusted source. To prevent possible issues, use {@link WhitelistedSerializationStrategy} + * with a list of allowed classes for deserialization. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public class SerializationUtils { - public static byte[] serialize(Object state) { - ObjectOutputStream oos = null; - try { - ByteArrayOutputStream bos = new ByteArrayOutputStream(512); - oos = new ObjectOutputStream(bos); - oos.writeObject(state); - oos.flush(); - return bos.toByteArray(); - } - catch (IOException e) { - throw new IllegalArgumentException(e); - } - finally { - if (oos != null) { - try { - oos.close(); - } - catch (IOException e) { - // eat it - } - } - } - } + private static SerializationStrategy strategy = new DefaultSerializationStrategy(); + + static { + List strategies = SpringFactoriesLoader.loadFactories( + SerializationStrategy.class, SerializationUtils.class.getClassLoader()); + if (strategies.size() > 1) { + throw new IllegalArgumentException( + "Too many serialization strategies in META-INF/spring.factories"); + } + if (strategies.size() == 1) { + strategy = strategies.get(0); + } + } + + /** + * @return The current serialization strategy. + */ + public static SerializationStrategy getSerializationStrategy() { + return strategy; + } + + /** + * Sets a new serialization strategy. + * + * @param serializationStrategy The serialization strategy. 
+ */ + public static void setSerializationStrategy(SerializationStrategy serializationStrategy) { + Assert.notNull(serializationStrategy, "serializationStrategy cannot be null"); + strategy = serializationStrategy; + } + + public static byte[] serialize(Object object) { + return strategy.serialize(object); + } - public static T deserialize(byte[] byteArray) { - ObjectInputStream oip = null; - try { - oip = new ConfigurableObjectInputStream(new ByteArrayInputStream(byteArray), - Thread.currentThread().getContextClassLoader()); - @SuppressWarnings("unchecked") - T result = (T) oip.readObject(); - return result; - } - catch (IOException e) { - throw new IllegalArgumentException(e); - } - catch (ClassNotFoundException e) { - throw new IllegalArgumentException(e); - } - finally { - if (oip != null) { - try { - oip.close(); - } - catch (IOException e) { - // eat it - } - } - } - } + public static T deserialize(byte[] byteArray) { + return strategy.deserialize(byteArray); + } -} +} \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java new file mode 100644 index 000000000..f4a32ba3b --- /dev/null +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/common/util/WhitelistedSerializationStrategy.java 
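Review bot: `strategy` is a plain `private static` field that `setSerializationStrategy` can replace at any time, but it is not `volatile`, so a thread calling `deserialize` may keep using the unrestricted `DefaultSerializationStrategy` after another thread has installed a `WhitelistedSerializationStrategy`. Declaring it as `private static volatile SerializationStrategy strategy = new DefaultSerializationStrategy();` makes the switch visible to all threads. The static initializer throws `IllegalArgumentException` when more than one factory is registered, which reaches the caller as an `ExceptionInInitializerError` on first use of the class; the message would be easier to act on if it named the strategy classes that were found. `serialize` and `deserialize` have no Javadoc, and one line each saying that they delegate to the current strategy, and that the default applies no class filtering, would put the warning where callers look.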
@@ -0,0 +1,147 @@
+/*
+ * Copyright 2012-2019 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.oauth2.common.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.NotSerializableException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+import org.springframework.util.ClassUtils;
+
+/**
+ * A {@link SerializationStrategy} which uses a whitelist of allowed classes for deserialization.
+ *
+ *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5.
+ *
+ * @author Artem Smotrakov
+ * @since 2.4
+ */
+@Deprecated
+public class WhitelistedSerializationStrategy extends DefaultSerializationStrategy {
+
+ /**
+ * A list of classes which are allowed to deserialize by default.
+ */
+ private static final List DEFAULT_ALLOWED_CLASSES;
+
+ static {
+ List classes = new ArrayList();
+ classes.add("java.lang.");
+ classes.add("java.util.");
+ classes.add("org.springframework.security.");
+ DEFAULT_ALLOWED_CLASSES = Collections.unmodifiableList(classes);
+ }
+
+ /**
+ * A list of classes which are allowed to deserialize.
+ */
+ private final List allowedClasses;
+
+ /**
+ * Initializes {@link WhitelistedSerializationStrategy} with the list of classes
+ * which are allowed to deserialize by default.
+ */
+ public WhitelistedSerializationStrategy() {
+ this(DEFAULT_ALLOWED_CLASSES);
+ }
+
+ /**
+ * Initializes {@link WhitelistedSerializationStrategy} with specified allowed classes.
+ *
+ * @param allowedClasses The allowed classes for deserialization.
+ */
+ public WhitelistedSerializationStrategy(List allowedClasses) {
+ this.allowedClasses = Collections.unmodifiableList(allowedClasses);
+ }
+
+ protected ObjectInputStream createObjectInputStream(byte[] byteArray) throws IOException {
+ return new WhitelistedObjectInputStream(new ByteArrayInputStream(byteArray),
+ Thread.currentThread().getContextClassLoader(), allowedClasses);
+ }
+
+ /**
+ * Special ObjectInputStream subclass that checks if classes are allowed to deserialize. The class
+ * should be configured with a whitelist of only allowed (safe) classes to deserialize.
+ */
+ private static class WhitelistedObjectInputStream extends ObjectInputStream {
+
+ /**
+ * The list of classes which are allowed for deserialization.
+ */
+ private final List allowedClasses;
+
+ /**
+ * The class loader to use for loading local classes.
+ */
+ private final ClassLoader classLoader;
+
+ /**
+ * Create a new WhitelistedObjectInputStream for the given InputStream, class loader and
+ * allowed class names.
+ *
+ * @param in The InputStream to read from.
+ * @param classLoader The ClassLoader to use for loading local classes.
+ * @param allowedClasses The list of allowed classes for deserialization.
+ * @throws IOException If something went wrong.
+ */
+ private WhitelistedObjectInputStream(InputStream in, ClassLoader classLoader, List allowedClasses)
+ throws IOException {
+ super(in);
+ this.classLoader = classLoader;
+ this.allowedClasses = Collections.unmodifiableList(allowedClasses);
+ }
+
+ /**
+ * Resolve the class only if it's allowed to deserialize.
+ *
+ * @see ObjectInputStream#resolveClass(ObjectStreamClass)
+ */
+ @Override
+ protected Class resolveClass(ObjectStreamClass classDesc)
+ throws IOException, ClassNotFoundException {
+ if (isProhibited(classDesc.getName())) {
+ throw new NotSerializableException("Not allowed to deserialize " + classDesc.getName());
+ }
+ if (this.classLoader != null) {
+ return ClassUtils.forName(classDesc.getName(), this.classLoader);
+ }
+ return super.resolveClass(classDesc);
+ }
+
+ /**
+ * Check if the class is allowed to be deserialized.
+ *
+ * @param className The class to check.
+ * @return True if the class is not allowed to be deserialized, false otherwise.
+ */
+ private boolean isProhibited(String className) {
+ for (String allowedClass : this.allowedClasses) {
+ if (className.startsWith(allowedClass)) {
+ return false;
+ }
+ }
+ return true;
+ }
+ }
+}
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java
index a47b3608c..5296f1a55 100644
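Review bot: `isProhibited` treats every allow-list entry as a prefix for `startsWith`, so the defaults `java.lang.`, `java.util.` and `org.springframework.security.` admit every serializable class in those packages and all their sub-packages, which is much wider than the token and authentication types this strategy has to read. The Javadoc on the field and on the `List` constructor should say that entries are prefixes, e.g. `@param allowedClasses class-name prefixes; use fully qualified class names or narrow packages ending in '.'`, and the defaults are worth narrowing. The public constructor also wraps the caller's list without copying it, so a later change to that list changes the allow-list; `this.allowedClasses = Collections.unmodifiableList(new ArrayList<String>(allowedClasses));` avoids that. Only `resolveClass` is overridden, so as far as this file shows, dynamic-proxy descriptors (`resolveProxyClass`) are not checked against the list, and array descriptors, whose names start with `[`, are rejected even when their element type is allowed.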
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/ClientDetailsServiceBuilder.java @@ -34,10 +34,14 @@ /** * Builder for OAuth2 client details service. Can be used to construct either an in-memory or a JDBC implementation of * the {@link ClientDetailsService} and populate it with data. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ClientDetailsServiceBuilder> extends SecurityConfigurerAdapter implements SecurityBuilder { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java index 8c6f37c3a..f5ff55989 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/InMemoryClientDetailsServiceBuilder.java @@ -23,9 +23,13 @@ import org.springframework.security.oauth2.provider.client.InMemoryClientDetailsService; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class InMemoryClientDetailsServiceBuilder extends ClientDetailsServiceBuilder { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java index 4a9d26a87..af9d2cc8a 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/builders/JdbcClientDetailsServiceBuilder.java @@ -27,9 +27,13 @@ import org.springframework.util.Assert; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JdbcClientDetailsServiceBuilder extends ClientDetailsServiceBuilder { private Set clientDetails = new HashSet(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java index d7ad2e699..da4f0a251 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configuration/ClientDetailsServiceConfiguration.java @@ -25,10 +25,14 @@ import org.springframework.security.oauth2.provider.ClientDetailsService; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * */ @Configuration +@Deprecated public class ClientDetailsServiceConfiguration { @SuppressWarnings("rawtypes") diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java index e1ec33053..84a080b08 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/configurers/ClientDetailsServiceConfigurer.java @@ -24,9 +24,13 @@ import org.springframework.security.oauth2.provider.ClientDetailsService; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * */ +@Deprecated public class ClientDetailsServiceConfigurer extends SecurityConfigurerAdapter> { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java index f81dfc06c..3e01c32ce 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurer.java @@ -22,10 +22,14 @@ /** * Convenient strategy for configuring an OAUth2 Authorization Server. Beans of this type are applied to the Spring * context automatically if you {@link EnableAuthorizationServer @EnableAuthorizationServer}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface AuthorizationServerConfigurer { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java index 4e8342ac1..9e5e3d537 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerConfigurerAdapter.java @@ -18,9 +18,13 @@ import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class AuthorizationServerConfigurerAdapter implements AuthorizationServerConfigurer { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java index aa32758a5..ccc18971d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerEndpointsConfiguration.java @@ -57,11 +57,15 @@ import org.springframework.stereotype.Component; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Configuration @Import(TokenKeyEndpointRegistrar.class) +@Deprecated public class AuthorizationServerEndpointsConfiguration { private AuthorizationServerEndpointsConfigurer endpoints = new AuthorizationServerEndpointsConfigurer(); @@ -78,7 +82,7 @@ public void init() { try { configurer.configure(endpoints); } catch (Exception e) { - throw new IllegalStateException("Cannot configure enpdoints", e); + throw new IllegalStateException("Cannot configure endpoints", e); } } endpoints.setClientDetailsService(clientDetailsService); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java index cc7601d03..a95b4bcf3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/AuthorizationServerSecurityConfiguration.java @@ -34,6 +34,9 @@ import java.util.List; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * @author Dave Syer * @@ -41,6 +44,7 @@ @Configuration @Order(0) @Import({ ClientDetailsServiceConfiguration.class, AuthorizationServerEndpointsConfiguration.class }) +@Deprecated public class AuthorizationServerSecurityConfiguration extends WebSecurityConfigurerAdapter { @Autowired diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java index 1b4415269..68ce85496 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableAuthorizationServer.java @@ -35,7 +35,10 @@ * @EnableWebSecurity} etc.), but the Token Endpoint (/oauth/token) will be automatically secured using HTTP Basic * authentication on the client's credentials. Clients must be registered by providing a * {@link ClientDetailsService} through one or more AuthorizationServerConfigurers. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @@ -43,6 +46,7 @@ @Retention(RetentionPolicy.RUNTIME) @Documented @Import({AuthorizationServerEndpointsConfiguration.class, AuthorizationServerSecurityConfiguration.class}) +@Deprecated public @interface EnableAuthorizationServer { } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java index 3bac72c3c..2b6a2c933 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableOAuth2Client.java @@ -49,7 +49,10 @@ * token when necessary. Apps that use password grants need to set the authentication properties in the * OAuth2ProtectedResourceDetails before using the RestOperations, and this means the resource details themselves also * have to be per session (assuming there are multiple users in the system). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @@ -57,6 +60,7 @@ @Retention(RetentionPolicy.RUNTIME) @Documented @Import(OAuth2ClientConfiguration.class) +@Deprecated public @interface EnableOAuth2Client { } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java index 52c532833..7ceef0307 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/EnableResourceServer.java @@ -36,7 +36,10 @@ * The annotation creates a {@link WebSecurityConfigurerAdapter} with a hard-coded {@link Order} (of 3). It's not * possible to change the order right now owing to technical limitations in Spring, so you must avoid using order=3 in * other WebSecurityConfigurerAdapters in your application (Spring Security will let you know if you forget). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @@ -44,6 +47,7 @@ @Retention(RetentionPolicy.RUNTIME) @Documented @Import(ResourceServerConfiguration.class) +@Deprecated public @interface EnableResourceServer { } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java index b79985202..a618d95ba 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/OAuth2ClientConfiguration.java @@ -30,10 +30,14 @@ import org.springframework.security.oauth2.client.token.DefaultAccessTokenRequest; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Configuration +@Deprecated public class OAuth2ClientConfiguration { @Bean diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java index 1833fab9f..9e1224846 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfiguration.java @@ -40,10 +40,14 @@ import org.springframework.util.ReflectionUtils; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Configuration +@Deprecated public class ResourceServerConfiguration extends WebSecurityConfigurerAdapter implements Ordered { private int order = 3; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java index d2a60f747..490e01562 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurer.java @@ -23,10 +23,14 @@ * rules and paths that are protected by OAuth2 security. Applications may provide multiple instances of this interface, * and in general (like with other Security configurers), if more than one configures the same property, then the last * one wins. The configurers are sorted by {@link Order} before being applied. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ResourceServerConfigurer { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java index 2cf23e139..cea39d37b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configuration/ResourceServerConfigurerAdapter.java @@ -16,9 +16,13 @@ import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ResourceServerConfigurerAdapter implements ResourceServerConfigurer { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java index 9bb56fa2a..6785fb430 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerEndpointsConfigurer.java @@ -81,11 +81,15 @@ /** * Configure the properties and enhanced functionality of the Authorization Server endpoints. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * @author Dave Syer * @since 2.0 */ +@Deprecated public final class AuthorizationServerEndpointsConfigurer { private AuthorizationServerTokenServices tokenServices; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java index 80b5d9cd3..c0962ac73 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/AuthorizationServerSecurityConfigurer.java @@ -22,7 +22,10 @@ import javax.servlet.Filter; import org.springframework.http.MediaType; +import org.springframework.security.authentication.AuthenticationEventPublisher; import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.SecurityConfigurerAdapter; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; @@ -47,11 +50,15 @@ import org.springframework.web.accept.HeaderContentNegotiationStrategy; /** - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * @author Dave Syer * @since 2.0 */ +@Deprecated public final class AuthorizationServerSecurityConfigurer extends SecurityConfigurerAdapter { @@ -76,7 +83,11 @@ public final class AuthorizationServerSecurityConfigurer extends * BasicAuthenticationFilter. */ private List tokenEndpointAuthenticationFilters = new ArrayList(); - + + private List authenticationProviders = new ArrayList(); + + private AuthenticationEventPublisher authenticationEventPublisher; + public AuthorizationServerSecurityConfigurer sslOnly() { this.sslOnly = true; return this; @@ -108,6 +119,29 @@ public AuthorizationServerSecurityConfigurer accessDeniedHandler(AccessDeniedHan return this; } + /** + * Authentication provider(s) to use with the {@link AuthenticationManager}. + * Adding an authentication provider here will replace the default {@link DaoAuthenticationProvider}. + * + * @param authenticationProvider the authentication provider to add + */ + public AuthorizationServerSecurityConfigurer addAuthenticationProvider(AuthenticationProvider authenticationProvider) { + Assert.notNull(authenticationProvider, "authenticationProvider must not be null"); + this.authenticationProviders.add(authenticationProvider); + return this; + } + + /** + * {@link AuthenticationEventPublisher} to use with the {@link AuthenticationManager}. + * + * @param authenticationEventPublisher the {@link AuthenticationEventPublisher} to use + */ + public AuthorizationServerSecurityConfigurer authenticationEventPublisher(AuthenticationEventPublisher authenticationEventPublisher) { + Assert.notNull(authenticationEventPublisher, "authenticationEventPublisher must not be null"); + this.authenticationEventPublisher = authenticationEventPublisher; + return this; + } + public AuthorizationServerSecurityConfigurer tokenKeyAccess(String tokenKeyAccess) { this.tokenKeyAccess = tokenKeyAccess; return this; 
@@ -128,17 +162,22 @@ public String getCheckTokenAccess() { @Override public void init(HttpSecurity http) throws Exception { - registerDefaultAuthenticationEntryPoint(http); - if (passwordEncoder != null) { - ClientDetailsUserDetailsService clientDetailsUserDetailsService = new ClientDetailsUserDetailsService(clientDetailsService()); - clientDetailsUserDetailsService.setPasswordEncoder(passwordEncoder()); - http.getSharedObject(AuthenticationManagerBuilder.class) - .userDetailsService(clientDetailsUserDetailsService) - .passwordEncoder(passwordEncoder()); + AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class); + if (authenticationEventPublisher != null) { + builder.authenticationEventPublisher(authenticationEventPublisher); } - else { - http.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService())); + if (authenticationProviders.isEmpty()) { + if (passwordEncoder != null) { + builder.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService())) + .passwordEncoder(passwordEncoder()); + } else { + builder.userDetailsService(new ClientDetailsUserDetailsService(clientDetailsService())); + } + } else { + for (AuthenticationProvider provider: authenticationProviders) { + builder.authenticationProvider(provider); + } } http.securityContext().securityContextRepository(new NullSecurityContextRepository()).and().csrf().disable() .httpBasic().authenticationEntryPoint(this.authenticationEntryPoint).realmName(realm); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java index 7251e85da..e6b6d36b6 100644 
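Review bot: In `init`, once `authenticationProviders` is non-empty the `else` branch registers only those providers, so a `passwordEncoder` configured on the same configurer is silently ignored and the `ClientDetailsUserDetailsService` is never installed; verifying client secrets then depends entirely on the supplied providers. The Javadoc of `addAuthenticationProvider` (added in the `@@ -108,6 +119,29 @@` hunk) says the default `DaoAuthenticationProvider` is replaced, and it should also state this, e.g. `Any configured passwordEncoder is not applied to providers added here.` The rewritten branch also drops the earlier `clientDetailsUserDetailsService.setPasswordEncoder(passwordEncoder())` call; if that setter influenced how clients with an empty secret are matched, that behaviour should be confirmed with a test. The body of `init` is not closed inside this hunk.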
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/annotation/web/configurers/ResourceServerSecurityConfigurer.java @@ -50,12 +50,15 @@ import javax.servlet.http.HttpServletRequest; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. * * @author Rob Winch * @author Dave Syer * * @since 2.0.0 */ +@Deprecated public final class ResourceServerSecurityConfigurer extends SecurityConfigurerAdapter { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java index 61047191d..78b15f304 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/AuthorizationServerBeanDefinitionParser.java @@ -41,10 +41,14 @@ /** * Parser for the OAuth "provider" element. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class AuthorizationServerBeanDefinitionParser extends ProviderBeanDefinitionParser { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java index d8034750c..a8796ec2f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientBeanDefinitionParser.java @@ -24,10 +24,14 @@ /** * Parser for the OAuth "client" element supporting client apps using {@link OAuth2RestTemplate}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class ClientBeanDefinitionParser extends AbstractBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java index 21fe53fe6..e67945547 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ClientDetailsServiceBeanDefinitionParser.java @@ -30,9 +30,13 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Andrew McCall */ +@Deprecated public class ClientDetailsServiceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java index 77fde32c3..fc11e3d9e 100755 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ConfigUtils.java @@ -22,8 +22,12 @@ /** * Common place for OAuth namespace configuration utils. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class ConfigUtils { private static final Method createMatcherMethod3x = ReflectionUtils.findMethod( MatcherType.class, "createMatcher", String.class, String.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java index 9b8f9e7f7..fc7880107 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ExpressionHandlerBeanDefinitionParser.java @@ -21,9 +21,13 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class ExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java index 8b8d702c9..dc865ffc0 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2ClientContextFactoryBean.java @@ -23,10 +23,14 @@ * Convenience factory for OAuth2ClientContext that is aware of the need for a different context if the resource is for a * client credentials grant. Client credentials grants will always have the same credentials for all requests, so * there's no point protecting the context with session and request scopes. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2ClientContextFactoryBean implements FactoryBean { private OAuth2ProtectedResourceDetails resource; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java index 01210ba8b..b92184402 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/OAuth2SecurityNamespaceHandler.java @@ -16,9 +16,13 @@ import org.springframework.beans.factory.xml.NamespaceHandlerSupport; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class OAuth2SecurityNamespaceHandler extends NamespaceHandlerSupport { public void init() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java index 364c16013..93b16525e 100755 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ProviderBeanDefinitionParser.java @@ -25,9 +25,13 @@ /** * Parser for the OAuth "provider" element. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public abstract class ProviderBeanDefinitionParser extends AbstractBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java index 23c9fc62b..23c76ee29 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceBeanDefinitionParser.java @@ -36,8 +36,12 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class ResourceBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java index d7d261e1e..d6d8d7403 100755 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/ResourceServerBeanDefinitionParser.java @@ -24,10 +24,14 @@ /** * Parser for the OAuth "resource-server" element. Creates a filter that can be added to the standard Spring Security * filter chain. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class ResourceServerBeanDefinitionParser extends ProviderBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java index c4aeca280..7054d99df 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/RestTemplateBeanDefinitionParser.java @@ -25,9 +25,13 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class RestTemplateBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java index dff530bb3..def339b0d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/config/xml/WebExpressionHandlerBeanDefinitionParser.java @@ -21,9 +21,13 @@ import org.w3c.dom.Element; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class WebExpressionHandlerBeanDefinitionParser extends AbstractSingleBeanDefinitionParser { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java index f64ea48b0..6bdf83f2f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2AccessTokenMessageConverter.java @@ -28,11 +28,15 @@ /** * Converter that can handle inbound form data and convert it to an access token. Needed to support external servers, * like Facebook that might not send JSON token data. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * @author Dave Syer * */ +@Deprecated public class FormOAuth2AccessTokenMessageConverter extends AbstractHttpMessageConverter { private final FormHttpMessageConverter delegateMessageConverter; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java index d81a0ecf7..264a528d5 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/FormOAuth2ExceptionHttpMessageConverter.java @@ -31,11 +31,15 @@ /** * Converter that can handle inbound form data and convert it to an OAuth2 exception. Needed to support external servers, * like Facebook that might not send JSON data. - * -@author Rob Winch + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + * @author Rob Winch * @author Dave Syer * */ +@Deprecated public final class FormOAuth2ExceptionHttpMessageConverter implements HttpMessageConverter { private static final List SUPPORTED_MEDIA = Collections.singletonList(MediaType.APPLICATION_FORM_URLENCODED); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java index 5bc7c0191..6b9e8c418 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/AbstractJaxbMessageConverter.java @@ -84,7 +84,7 @@ protected final void writeToResult(E accessToken, HttpHeaders headers, Result re createMarshaller().marshal(convertedAccessToken, result); } catch (MarshalException ex) { - throw new HttpMessageNotWritableException("Could not marshal [" + accessToken + "]: " + ex.getMessage(), ex); + throw new HttpMessageNotWritableException("Could not marshal accessToken: " + ex.getMessage(), ex); } catch (JAXBException ex) { throw new HttpMessageConversionException("Could not instantiate JAXBContext: " + ex.getMessage(), ex); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java index be71dafae..ac4e45724 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java 
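Review bot: In `AbstractJaxbMessageConverter.writeToResult`, the rewritten `MarshalException` branch still appends `ex.getMessage()`, and nothing records why the token object was taken out of the text, so a later cleanup could put it back. Exception messages commonly end up in logs and error responses, so I would add `// Never include the token in the message: exception text can reach logs and responses` above the `throw`. It is also worth confirming that the JAXB message cannot itself echo field values of the object being marshalled; that cannot be judged from this hunk. The method starts and ends outside the hunk.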
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2AccessTokenMessageConverter.java @@ -19,6 +19,12 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public final class JaxbOAuth2AccessTokenMessageConverter extends AbstractJaxbMessageConverter { public JaxbOAuth2AccessTokenMessageConverter() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java index 72ae1cd6f..3b2f1146b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/http/converter/jaxb/JaxbOAuth2ExceptionMessageConverter.java @@ -14,6 +14,12 @@ import org.springframework.security.oauth2.common.exceptions.OAuth2Exception; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public final class JaxbOAuth2ExceptionMessageConverter extends AbstractJaxbMessageConverter { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java index ddb90e808..520f66960 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/AuthorizationRequest.java @@ -30,12 +30,16 @@ * authorization request as a {@link SessionAttributes} member while the end * user through the authorization process (which may span several page * requests). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer * @author Amanda Anganes */ @SuppressWarnings("serial") +@Deprecated public class AuthorizationRequest extends BaseRequest implements Serializable { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java index b7875f603..2459ccd2d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientAlreadyExistsException.java @@ -17,11 +17,15 @@ /** * Exception indicating that a client registration already exists (e.g. if someone tries to create a duplicate). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @SuppressWarnings("serial") +@Deprecated public class ClientAlreadyExistsException extends ClientRegistrationException { public ClientAlreadyExistsException(String msg) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java index f9e8d1c2f..5aacd8917 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetails.java @@ -9,9 +9,13 @@ /** * Client details for OAuth 2 - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public interface ClientDetails extends Serializable { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java index f9e4166b9..2137fe459 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientDetailsService.java @@ -20,8 +20,12 @@ /** * A service that provides the details about an OAuth2 client. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public interface ClientDetailsService { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java index 731577ee5..29d1b6975 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationException.java @@ -16,10 +16,14 @@ package org.springframework.security.oauth2.provider; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @SuppressWarnings("serial") +@Deprecated public class ClientRegistrationException extends RuntimeException { public ClientRegistrationException(String msg) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java index a388c1b5b..d032db2c4 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/ClientRegistrationService.java @@ -20,10 +20,14 @@ /** * Interface for client registration, handling add, update and remove of {@link ClientDetails} from an Authorization * Server. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ClientRegistrationService { void addClientDetails(ClientDetails clientDetails) throws ClientAlreadyExistsException; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java index fab6fbf89..a880d581d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/CompositeTokenGranter.java @@ -22,9 +22,13 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class CompositeTokenGranter implements TokenGranter { private final List tokenGranters; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java index 46915dc66..deb892923 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/DefaultSecurityContextAccessor.java @@ -23,10 +23,14 @@ /** * Strategy for accessing useful information about the current security context. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultSecurityContextAccessor implements SecurityContextAccessor { @Override diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java index 0083d4d51..3712afaeb 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/NoSuchClientException.java @@ -16,10 +16,14 @@ package org.springframework.security.oauth2.provider; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @SuppressWarnings("serial") +@Deprecated public class NoSuchClientException extends ClientRegistrationException { public NoSuchClientException(String msg) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java index d2f3cf045..d4543c853 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Authentication.java @@ -7,9 +7,13 @@ /** * An OAuth 2 authentication token can contain two authentications: one for the client and one for the user. Since some * OAuth authorization grants don't require user authentication, the user authentication may be null. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class OAuth2Authentication extends AbstractAuthenticationToken { private static final long serialVersionUID = -4809832298438307309L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java index 61dcd5660..a3d2fbae3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2Request.java @@ -14,11 +14,15 @@ * Represents a stored authorization or token request. Used as part of the OAuth2Authentication object to store a * request's authentication information. Does not expose public setters so that clients can not mutate state if they * respect the declared type of the request. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Amanda Anganes * @author Dave Syer * */ +@Deprecated public class OAuth2Request extends BaseRequest implements Serializable { private static final long serialVersionUID = 1L; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java index 278b25b0c..22762e649 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestFactory.java @@ -17,11 +17,15 @@ /** * Strategy for managing OAuth2 requests: {@link AuthorizationRequest}, {@link TokenRequest}, {@link OAuth2Request}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Amanda Anganes * */ +@Deprecated public interface OAuth2RequestFactory { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java index b88a765bf..548ab4a6d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/OAuth2RequestValidator.java @@ -6,10 +6,14 @@ /** * Validation interface for OAuth2 requests to the {@link AuthorizationEndpoint} and {@link TokenEndpoint}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Amanda Anganes * */ +@Deprecated public interface OAuth2RequestValidator { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java index cd6522724..c051179f4 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/SecurityContextAccessor.java @@ -19,10 +19,14 @@ /** * Strategy for accessing useful information about the current security context. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface SecurityContextAccessor { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java index fcd9ef1f8..7c31f571c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenGranter.java @@ -21,10 +21,14 @@ /** * Interface for granters of access tokens. Various grant types are defined in the specification, and each of those has * an implementation, leaving room for extensions to the specification as needed. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface TokenGranter { OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java index ebc13a56d..b04919afe 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/TokenRequest.java @@ -15,12 +15,16 @@ * In the implicit flow, a token is requested through the {@link AuthorizationEndpoint} directly, and in that case the * {@link AuthorizationRequest} is converted into a {@link TokenRequest} for processing through the token granting * chain. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Amanda Anganes * @author Dave Syer * */ @SuppressWarnings("serial") +@Deprecated public class TokenRequest extends BaseRequest { private String grantType; @@ -90,7 +94,7 @@ public OAuth2Request createOAuth2Request(ClientDetails client) { modifiable.remove("password"); modifiable.remove("client_secret"); // Add grant type so it can be retrieved from OAuth2Request - modifiable.put("grant_type", grantType); + modifiable.put(OAuth2Utils.GRANT_TYPE, grantType); return new OAuth2Request(modifiable, client.getClientId(), client.getAuthorities(), true, this.getScope(), client.getResourceIds(), null, null, null); } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java index 27bbf8262..c9a2503f9 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/Approval.java @@ -19,18 +19,23 @@ import java.util.Calendar; import java.util.Date; -import org.codehaus.jackson.annotate.JsonIgnore; -import org.codehaus.jackson.map.annotate.JsonDeserialize; -import org.codehaus.jackson.map.annotate.JsonSerialize; +import com.fasterxml.jackson.annotation.JsonIgnore; +import com.fasterxml.jackson.databind.annotation.JsonDeserialize; +import com.fasterxml.jackson.databind.annotation.JsonSerialize; + import org.springframework.security.oauth2.common.util.JsonDateDeserializer; import org.springframework.security.oauth2.common.util.JsonDateSerializer; /** + *
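Review bot: In `TokenRequest.createOAuth2Request`, the parameter map handed to the stored `OAuth2Request` is scrubbed of only `password` and `client_secret`, by string literal, directly above the changed `put`. Any other credential-bearing request parameter would be kept with the stored request, presumably for as long as the resulting authentication is persisted. If that is intended, a comment such as `// Only password and client_secret are stripped; all other request parameters are stored with the OAuth2Request` would make the contract explicit; otherwise consider removing against a named set of sensitive keys. The method body begins outside the hunk.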

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Vidya Val * */ @JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL) +@Deprecated public class Approval { private String userId; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java index 88209e612..85a67f4d3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStore.java @@ -19,10 +19,14 @@ /** * Interface for saving, retrieving and revoking user approvals (per client, per scope). - * + * + *
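Review bot: In `Approval.java` the imports move to Jackson 2, but the class annotation stays `@JsonSerialize(include = JsonSerialize.Inclusion.NON_NULL)`, which Jackson 2 keeps only as a deprecated form. The Jackson 2 spelling is `@JsonInclude(JsonInclude.Include.NON_NULL)` with an import of `com.fasterxml.jackson.annotation.JsonInclude`. The `JsonDateSerializer` and `JsonDateDeserializer` imported here, presumably referenced from `using =` attributes further down the class, must also extend the `com.fasterxml` base types for those annotations to accept them. They are not part of this hunk, so that should be confirmed.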

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ApprovalStore { public boolean addApprovals(Collection approvals); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java index 33804a776..2bda1ae40 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/ApprovalStoreUserApprovalHandler.java @@ -40,10 +40,14 @@ /** * A user approval handler that remembers approval decisions by consulting existing approvals. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ApprovalStoreUserApprovalHandler implements UserApprovalHandler, InitializingBean { private static Log logger = LogFactory.getLog(ApprovalStoreUserApprovalHandler.class); @@ -131,7 +135,7 @@ public AuthorizationRequest checkForPreApproval(AuthorizationRequest authorizati } } catch (ClientRegistrationException e) { - logger.warn("Client registration problem prevent autoapproval check for client=" + clientId); + logger.warn("Client registration problem prevent autoapproval check for client"); } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java index 2344627f5..5aa3813b1 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/DefaultUserApprovalHandler.java @@ -25,10 +25,14 @@ /** * A default user approval handler that doesn't remember any decisions. - * + * + *
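Review bot: In `ApprovalStoreUserApprovalHandler.checkForPreApproval`, the `catch (ClientRegistrationException e)` branch now logs a fixed string and discards `e`, and nothing says why `clientId` was removed from the message. Because the value appears to come from the authorization request, a short comment such as `// clientId is request-supplied; keep it out of the log line` would stop a later edit from concatenating it again. If the exception is ever passed to the logger for diagnostics, check that its message does not carry the same identifier back in. The method begins and ends outside the hunk.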

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultUserApprovalHandler implements UserApprovalHandler { private String approvalParameter = OAuth2Utils.USER_OAUTH_APPROVAL; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java index b70818196..51b765905 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/InMemoryApprovalStore.java @@ -23,9 +23,13 @@ import java.util.concurrent.ConcurrentMap; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class InMemoryApprovalStore implements ApprovalStore { private ConcurrentMap> map = new ConcurrentHashMap>(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java index d200e22ee..11e5bfb7f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/JdbcApprovalStore.java @@ -37,9 +37,13 @@ import org.springframework.util.Assert; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JdbcApprovalStore implements ApprovalStore { private final JdbcTemplate jdbcTemplate; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java index e9f0ebb30..2a45946f6 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenApprovalStore.java @@ -32,10 +32,14 @@ * approvals even if they are not really represented in such a way internally. For full fine-grained control of user * approvals don't use a TokenStore at all, and don't use this ApprovalStore with Approval-based * {@link AuthorizationServerTokenServices} implementations. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class TokenApprovalStore implements ApprovalStore { private TokenStore store; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java index ad69f0d10..8c60bea7f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/TokenStoreUserApprovalHandler.java @@ -38,10 +38,14 @@ /** * A user approval handler that remembers approval decisions by consulting existing tokens. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class TokenStoreUserApprovalHandler implements UserApprovalHandler, InitializingBean { private static Log logger = LogFactory.getLog(TokenStoreUserApprovalHandler.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java index ab741bb2e..e57ebba3d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/approval/UserApprovalHandler.java @@ -8,11 +8,15 @@ /** * Basic interface for determining whether a given client authentication request has been * approved by the current user. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer * @author Amanda Anganes */ +@Deprecated public interface UserApprovalHandler { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java index 4d224556d..a11c6fae9 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java @@ -27,10 +27,14 @@ * {@link TokenExtractor} that strips the authenticator from a bearer token request (with an Authorization header in the * form "Bearer <TOKEN>", or as a request parameter if that fails). The access token is the principal in * the authentication token that is extracted. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class BearerTokenExtractor implements TokenExtractor { private final static Log logger = LogFactory.getLog(BearerTokenExtractor.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java index d7a14ce8e..820ef1556 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetails.java @@ -21,10 +21,14 @@ /** * A holder of selected HTTP details related to an OAuth2 authentication request. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AuthenticationDetails implements Serializable { private static final long serialVersionUID = -4809832298438307309L; @@ -63,19 +67,22 @@ public OAuth2AuthenticationDetails(HttpServletRequest request) { if (remoteAddress!=null) { builder.append("remoteAddress=").append(remoteAddress); } - if (builder.length()>1) { - builder.append(", "); - } if (sessionId!=null) { - builder.append("sessionId="); - if (builder.length()>1) { + if (builder.length() > 1) { builder.append(", "); } + builder.append("sessionId="); } if (tokenType!=null) { + if (builder.length() > 1) { + builder.append(", "); + } builder.append("tokenType=").append(this.tokenType); } if (tokenValue!=null) { + if (builder.length() > 1) { + builder.append(", "); + } builder.append("tokenValue="); } this.display = builder.toString(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java index 880c374e0..8358c77f3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationDetailsSource.java @@ -20,10 +20,14 @@ /** * A source for authentication details in an OAuth2 protected Resource. - * + * + *
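Review bot: The separator guard `if (builder.length() > 1)` is now written out three times in the `OAuth2AuthenticationDetails` constructor, and it tests `> 1` where "something has already been appended" is `> 0`. The creation of `builder` is outside the hunk, so confirm it starts empty; if it does, `if (builder.length() > 0) { builder.append(", "); }` states the intent directly. A small private helper that appends the separator would stop the three branches drifting apart again, which is how the original misplaced-comma bug arose.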

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AuthenticationDetailsSource implements AuthenticationDetailsSource { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java index f81470cda..4d94f0598 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationManager.java @@ -31,10 +31,14 @@ /** * An {@link AuthenticationManager} for OAuth2 protected resources. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AuthenticationManager implements AuthenticationManager, InitializingBean { private ResourceServerTokenServices tokenServices; @@ -82,7 +86,7 @@ public Authentication authenticate(Authentication authentication) throws Authent String token = (String) authentication.getPrincipal(); OAuth2Authentication auth = tokenServices.loadAuthentication(token); if (auth == null) { - throw new InvalidTokenException("Invalid token: " + token); + throw new InvalidTokenException("Invalid token"); } Collection resourceIds = auth.getOAuth2Request().getResourceIds(); @@ -119,7 +123,7 @@ private void checkClientDetails(OAuth2Authentication auth) { for (String scope : auth.getOAuth2Request().getScope()) { if (!allowed.contains(scope)) { throw new OAuth2AccessDeniedException( - "Invalid token contains disallowed scope (" + scope + ") for this client"); + "Invalid token contains disallowed scope for this client"); } } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java index cc27d8d26..7152691cb 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/OAuth2AuthenticationProcessingFilter.java @@ -47,10 +47,14 @@ * A pre-authentication filter for OAuth2 protected resources. Extracts an OAuth2 token from the incoming request and * uses it to populate the Spring Security context with an {@link OAuth2Authentication} (if used in conjunction with an * {@link OAuth2AuthenticationManager}). - * + * + *
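Review bot: Nothing next to `throw new InvalidTokenException("Invalid token");` in `authenticate` records why the token value was taken out of the message, so a later "improve the error message" change could put it back. A one-line comment such as `// Do not include the token value: exception text may reach error responses and logs` would pin the intent. The same applies to the scope message in `checkClientDetails` in the next hunk, and to the `NoSuchClientException` messages changed in InMemoryClientDetailsService and JdbcClientDetailsService. Both methods here start and end outside their hunks.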

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AuthenticationProcessingFilter implements Filter, InitializingBean { private final static Log logger = LogFactory.getLog(OAuth2AuthenticationProcessingFilter.class); @@ -70,7 +74,9 @@ public class OAuth2AuthenticationProcessingFilter implements Filter, Initializin /** * Flag to say that this filter guards stateless resources (default true). Set this to true if the only way the * resource can be accessed is with a token. If false then an incoming cookie can populate the security context and - * allow access to a caller that isn't an OAuth2 client. + * allow access to a caller that isn't an OAuth2 client. When false, remember to also allow sessions to be created + * by configuring session management with a session creation policy that allows sessions to be set. + * See {@link org.springframework.security.config.http.SessionCreationPolicy} for your choices. * * @param stateless the flag to set (default true) */ diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java index d0864e6c4..2537b1eb2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/TokenExtractor.java @@ -18,9 +18,13 @@ import org.springframework.security.core.Authentication; /** + *
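Review bot: The added Javadoc sentence on the `stateless` flag is circular ("a session creation policy that allows sessions to be set") and never names the policy a reader should pick. Consider `When false, also configure session management with a policy that permits session creation (for example {@link SessionCreationPolicy#IF_REQUIRED}); the default for resource servers is presumably STATELESS.` The existing text already says a cookie can then authenticate a caller that is not an OAuth2 client, so it would help to add that such cookie-authenticated access needs the usual CSRF protection.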

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface TokenExtractor { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java index 0dccf8230..e1a82439e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/BaseClientDetails.java @@ -19,64 +19,52 @@ /** * Base implementation of * {@link org.springframework.security.oauth2.provider.ClientDetails}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ @SuppressWarnings("serial") -@org.codehaus.jackson.map.annotate.JsonSerialize(include = org.codehaus.jackson.map.annotate.JsonSerialize.Inclusion.NON_DEFAULT) -@org.codehaus.jackson.annotate.JsonIgnoreProperties(ignoreUnknown = true) @com.fasterxml.jackson.annotation.JsonInclude(com.fasterxml.jackson.annotation.JsonInclude.Include.NON_DEFAULT) @com.fasterxml.jackson.annotation.JsonIgnoreProperties(ignoreUnknown = true) +@Deprecated public class BaseClientDetails implements ClientDetails { - @org.codehaus.jackson.annotate.JsonProperty("client_id") @com.fasterxml.jackson.annotation.JsonProperty("client_id") private String clientId; - @org.codehaus.jackson.annotate.JsonProperty("client_secret") @com.fasterxml.jackson.annotation.JsonProperty("client_secret") private String clientSecret; - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private Set scope = Collections.emptySet(); - @org.codehaus.jackson.annotate.JsonProperty("resource_ids") - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.annotation.JsonProperty("resource_ids") @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private Set resourceIds = Collections.emptySet(); - @org.codehaus.jackson.annotate.JsonProperty("authorized_grant_types") - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.annotation.JsonProperty("authorized_grant_types") @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private Set authorizedGrantTypes = Collections.emptySet(); - 
@org.codehaus.jackson.annotate.JsonProperty("redirect_uri") - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.annotation.JsonProperty("redirect_uri") @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private Set registeredRedirectUris; - @org.codehaus.jackson.annotate.JsonProperty("autoapprove") - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.annotation.JsonProperty("autoapprove") @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private Set autoApproveScopes; private List authorities = Collections.emptyList(); - @org.codehaus.jackson.annotate.JsonProperty("access_token_validity") @com.fasterxml.jackson.annotation.JsonProperty("access_token_validity") private Integer accessTokenValiditySeconds; - @org.codehaus.jackson.annotate.JsonProperty("refresh_token_validity") @com.fasterxml.jackson.annotation.JsonProperty("refresh_token_validity") private Integer refreshTokenValiditySeconds; - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore private Map additionalInformation = new LinkedHashMap(); @@ -142,7 +130,6 @@ public BaseClientDetails(String clientId, String resourceIds, } } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public String getClientId() { return clientId; 
@@ -169,19 +156,16 @@ public boolean isAutoApprove(String scope) { return false; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Set getAutoApproveScopes() { return autoApproveScopes; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public boolean isSecretRequired() { return this.clientSecret != null; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public String getClientSecret() { return clientSecret; @@ -191,7 +175,6 @@ public void setClientSecret(String clientSecret) { this.clientSecret = clientSecret; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public boolean isScoped() { return this.scope != null && !this.scope.isEmpty(); @@ -206,7 +189,6 @@ public void setScope(Collection scope) { : new LinkedHashSet(scope); } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Set getResourceIds() { return resourceIds; @@ -217,7 +199,6 @@ public void setResourceIds(Collection resourceIds) { . emptySet() : new LinkedHashSet(resourceIds); } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Set getAuthorizedGrantTypes() { return authorizedGrantTypes; @@ -228,7 +209,6 @@ public void setAuthorizedGrantTypes(Collection authorizedGrantTypes) { authorizedGrantTypes); } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Set getRegisteredRedirectUri() { return registeredRedirectUris; 
@@ -239,15 +219,12 @@ public void setRegisteredRedirectUri(Set registeredRedirectUris) { : new LinkedHashSet(registeredRedirectUris); } - @org.codehaus.jackson.annotate.JsonProperty("authorities") @com.fasterxml.jackson.annotation.JsonProperty("authorities") private List getAuthoritiesAsStrings() { return new ArrayList( AuthorityUtils.authorityListToSet(authorities)); } - @org.codehaus.jackson.annotate.JsonProperty("authorities") - @org.codehaus.jackson.map.annotate.JsonDeserialize(using = JacksonArrayOrStringDeserializer.class) @com.fasterxml.jackson.annotation.JsonProperty("authorities") @com.fasterxml.jackson.databind.annotation.JsonDeserialize(using = Jackson2ArrayOrStringDeserializer.class) private void setAuthoritiesAsStrings(Set values) { @@ -255,20 +232,17 @@ private void setAuthoritiesAsStrings(Set values) { .toArray(new String[values.size()]))); } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Collection getAuthorities() { return authorities; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public void setAuthorities( Collection authorities) { this.authorities = new ArrayList(authorities); } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Integer getAccessTokenValiditySeconds() { return accessTokenValiditySeconds; @@ -278,7 +252,6 @@ public void setAccessTokenValiditySeconds(Integer accessTokenValiditySeconds) { this.accessTokenValiditySeconds = accessTokenValiditySeconds; } - @org.codehaus.jackson.annotate.JsonIgnore @com.fasterxml.jackson.annotation.JsonIgnore public Integer getRefreshTokenValiditySeconds() { return refreshTokenValiditySeconds; 
@@ -294,13 +267,11 @@ public void setAdditionalInformation(Map additionalInformation) { additionalInformation); } - @org.codehaus.jackson.annotate.JsonAnyGetter @com.fasterxml.jackson.annotation.JsonAnyGetter public Map getAdditionalInformation() { return Collections.unmodifiableMap(this.additionalInformation); } - @org.codehaus.jackson.annotate.JsonAnySetter @com.fasterxml.jackson.annotation.JsonAnySetter public void addAdditionalInformation(String key, Object value) { this.additionalInformation.put(key, value); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java index 22d3d57b9..f4fb58f33 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenEndpointFilter.java @@ -38,10 +38,14 @@ * parameters if included as a security filter, as permitted by the specification (but not recommended). It is * recommended by the specification that you permit HTTP basic authentication for clients, and not use this filter at * all. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ClientCredentialsTokenEndpointFilter extends AbstractAuthenticationProcessingFilter { private AuthenticationEntryPoint authenticationEntryPoint = new OAuth2AuthenticationEntryPoint(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java index 2ddfff51d..e56d1593a 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientCredentialsTokenGranter.java @@ -25,9 +25,13 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ClientCredentialsTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "client_credentials"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java index ed49f6845..bcc6c9967 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/ClientDetailsUserDetailsService.java @@ -22,9 +22,13 @@ import org.springframework.security.oauth2.provider.NoSuchClientException; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ClientDetailsUserDetailsService implements UserDetailsService { private final ClientDetailsService clientDetailsService; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java index bc519b5bb..1ce56e397 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/InMemoryClientDetailsService.java @@ -27,8 +27,12 @@ /** * Basic, in-memory implementation of the client details service. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public class InMemoryClientDetailsService implements ClientDetailsService { private Map clientDetailsStore = new HashMap(); @@ -36,7 +40,7 @@ public class InMemoryClientDetailsService implements ClientDetailsService { public ClientDetails loadClientByClientId(String clientId) throws ClientRegistrationException { ClientDetails details = clientDetailsStore.get(clientId); if (details == null) { - throw new NoSuchClientException("No client with requested id: " + clientId); + throw new NoSuchClientException("No client with requested id"); } return details; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java index 20698f491..4e6285c9b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/Jackson2ArrayOrStringDeserializer.java @@ -16,7 +16,13 @@ import com.fasterxml.jackson.databind.deser.std.StdDeserializer; import com.fasterxml.jackson.databind.type.SimpleType; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ @SuppressWarnings("serial") +@Deprecated public class Jackson2ArrayOrStringDeserializer extends StdDeserializer> { public Jackson2ArrayOrStringDeserializer() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java deleted file mode 100644 index 18677562a..000000000 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JacksonArrayOrStringDeserializer.java +++ /dev/null 
@@ -1,41 +0,0 @@ -package org.springframework.security.oauth2.provider.client; - -import java.io.IOException; -import java.util.Arrays; -import java.util.LinkedHashSet; -import java.util.Set; - -import org.codehaus.jackson.JsonParser; -import org.codehaus.jackson.JsonProcessingException; -import org.codehaus.jackson.JsonToken; -import org.codehaus.jackson.map.DeserializationContext; -import org.codehaus.jackson.map.deser.std.StdDeserializer; -import org.codehaus.jackson.map.type.SimpleType; -import org.codehaus.jackson.type.JavaType; -import org.codehaus.jackson.type.TypeReference; -import org.springframework.util.StringUtils; - -public class JacksonArrayOrStringDeserializer extends StdDeserializer> { - - public JacksonArrayOrStringDeserializer() { - super(Set.class); - } - - @Override - public JavaType getValueType() { - return SimpleType.construct(String.class); - } - - @Override - public Set deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException, - JsonProcessingException { - JsonToken token = jp.getCurrentToken(); - if (token.isScalarValue()) { - String list = jp.getText(); - list = list.replaceAll("\\s+", ","); - return new LinkedHashSet(Arrays.asList(StringUtils.commaDelimitedListToStringArray(list))); - } - return jp.readValueAs(new TypeReference>() { - }); - } -} \ No newline at end of file diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java index d4a4ef465..1c9439abb 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/client/JdbcClientDetailsService.java 
@@ -23,11 +23,12 @@ import java.util.List; import java.util.Map; import java.util.Set; - import javax.sql.DataSource; +import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; + import org.springframework.dao.DuplicateKeyException; import org.springframework.dao.EmptyResultDataAccessException; import org.springframework.jdbc.core.JdbcTemplate; @@ -49,7 +50,12 @@ /** * Basic, JDBC implementation of the client details service. + * + *
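Review bot: The added `import com.fasterxml.jackson.databind.ObjectMapper;` looks unused, since `Jackson2Mapper` further down still declares its field with the fully qualified `com.fasterxml.jackson.databind.ObjectMapper`. If the import is used by code outside the visible hunks, check that the use sits inside `Jackson2Mapper` and not on the outer class. `createJsonMapper()` guards Jackson with `ClassUtils.isPresent(...)` and falls back to `NotSupportedJsonMapper`, and a direct reference from `JdbcClientDetailsService` itself could fail at class-link time before that fallback is reached. Otherwise drop the import.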

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * */ +@Deprecated public class JdbcClientDetailsService implements ClientDetailsService, ClientRegistrationService { private static final Log logger = LogFactory.getLog(JdbcClientDetailsService.class); @@ -119,7 +125,7 @@ public ClientDetails loadClientByClientId(String clientId) throws InvalidClientE details = jdbcTemplate.queryForObject(selectClientDetailsSql, new ClientDetailsRowMapper(), clientId); } catch (EmptyResultDataAccessException e) { - throw new NoSuchClientException("No client with requested id: " + clientId); + throw new NoSuchClientException("No client with requested id"); } return details; 
@@ -130,28 +136,28 @@ public void addClientDetails(ClientDetails clientDetails) throws ClientAlreadyEx jdbcTemplate.update(insertClientDetailsSql, getFields(clientDetails)); } catch (DuplicateKeyException e) { - throw new ClientAlreadyExistsException("Client already exists: " + clientDetails.getClientId(), e); + throw new ClientAlreadyExistsException("Client already exists", e); } } public void updateClientDetails(ClientDetails clientDetails) throws NoSuchClientException { int count = jdbcTemplate.update(updateClientDetailsSql, getFieldsForUpdate(clientDetails)); if (count != 1) { - throw new NoSuchClientException("No client found with id = " + clientDetails.getClientId()); + throw new NoSuchClientException("No client found with requested id"); } } public void updateClientSecret(String clientId, String secret) throws NoSuchClientException { int count = jdbcTemplate.update(updateClientSecretSql, passwordEncoder.encode(secret), clientId); if (count != 1) { - throw new NoSuchClientException("No client found with id = " + clientId); + throw new NoSuchClientException("No client found with requested id"); } } public void removeClientDetails(String clientId) throws NoSuchClientException { int count = jdbcTemplate.update(deleteClientDetailsSql, clientId); if (count != 1) { - throw new NoSuchClientException("No client found with id = " + clientId); + throw new NoSuchClientException("No client found with requested id"); } } 
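Review bot: In `addClientDetails` the new `ClientAlreadyExistsException("Client already exists", e)` no longer names the client, but it still carries the `DuplicateKeyException` as its cause. That exception's message commonly includes the SQL and the driver's error text, which may contain the duplicate key value. If the goal is to keep the client id out of anything rendered or logged, verify that no handler or log pattern prints `getCause()`. Document the intent with a comment such as `// cause kept for server-side diagnostics only; never render it to the client`. The three `NoSuchClientException` changes in this hunk carry no cause and are not affected.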
@@ -287,29 +293,12 @@ interface JsonMapper { } private static JsonMapper createJsonMapper() { - if (ClassUtils.isPresent("org.codehaus.jackson.map.ObjectMapper", null)) { - return new JacksonMapper(); - } - else if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) { + if (ClassUtils.isPresent("com.fasterxml.jackson.databind.ObjectMapper", null)) { return new Jackson2Mapper(); } return new NotSupportedJsonMapper(); } - private static class JacksonMapper implements JsonMapper { - private org.codehaus.jackson.map.ObjectMapper mapper = new org.codehaus.jackson.map.ObjectMapper(); - - @Override - public String write(Object input) throws Exception { - return mapper.writeValueAsString(input); - } - - @Override - public T read(String input, Class type) throws Exception { - return mapper.readValue(input, type); - } - } - private static class Jackson2Mapper implements JsonMapper { private com.fasterxml.jackson.databind.ObjectMapper mapper = new com.fasterxml.jackson.databind.ObjectMapper(); @@ -328,13 +317,13 @@ private static class NotSupportedJsonMapper implements JsonMapper { @Override public String write(Object input) throws Exception { throw new UnsupportedOperationException( - "Neither Jackson 1 nor 2 is available so JSON conversion cannot be done"); + "Jackson 2 is not available so JSON conversion cannot be done"); } @Override public T read(String input, Class type) throws Exception { throw new UnsupportedOperationException( - "Neither Jackson 1 nor 2 is available so JSON conversion cannot be done"); + "Jackson 2 is not available so JSON conversion cannot be done"); } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java index 3c6ee338a..809823649 100644 
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeServices.java @@ -5,9 +5,13 @@ /** * Services for issuing and storing authorization codes. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public interface AuthorizationCodeServices { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java index c7be47b54..968e677c8 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/AuthorizationCodeTokenGranter.java @@ -36,10 +36,14 @@ /** * Token granter for the authorization code grant type. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class AuthorizationCodeTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "authorization_code"; @@ -70,7 +74,7 @@ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, Tok OAuth2Authentication storedAuth = authorizationCodeServices.consumeAuthorizationCode(authorizationCode); if (storedAuth == null) { - throw new InvalidGrantException("Invalid authorization code: " + authorizationCode); + throw new InvalidGrantException("Invalid authorization code"); } OAuth2Request pendingOAuth2Request = storedAuth.getOAuth2Request(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java index d75dfa108..47e0d03be 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/InMemoryAuthorizationCodeServices.java @@ -6,10 +6,14 @@ /** * Implementation of authorization code services that stores the codes and authentication in memory. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class InMemoryAuthorizationCodeServices extends RandomValueAuthorizationCodeServices { protected final ConcurrentHashMap authorizationCodeStore = new ConcurrentHashMap(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java index a02fef029..e7c90d42e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServices.java @@ -16,10 +16,14 @@ /** * Implementation of authorization code services that stores the codes and authentication in a database. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ken Dombeck * @author Dave Syer */ +@Deprecated public class JdbcAuthorizationCodeServices extends RandomValueAuthorizationCodeServices { private static final String DEFAULT_SELECT_STATEMENT = "select code, authentication from oauth_code where code = ?"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java index be091bab0..154d12987 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RandomValueAuthorizationCodeServices.java @@ -6,10 +6,14 @@ /** * Base implementation for authorization code services that generates a random-value authorization code. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public abstract class RandomValueAuthorizationCodeServices implements AuthorizationCodeServices { private RandomValueStringGenerator generator = new RandomValueStringGenerator(); @@ -28,7 +32,7 @@ public OAuth2Authentication consumeAuthorizationCode(String code) throws InvalidGrantException { OAuth2Authentication auth = this.remove(code); if (auth == null) { - throw new InvalidGrantException("Invalid authorization code: " + code); + throw new InvalidGrantException("Invalid authorization code"); } return auth; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java new file mode 100644 index 000000000..083bc72ca --- /dev/null +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServices.java 
@@ -0,0 +1,143 @@ +/* + * Copyright 2002-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.oauth2.provider.code; + +import java.lang.reflect.Method; +import java.util.List; + +import org.springframework.data.redis.connection.RedisConnection; +import org.springframework.data.redis.connection.RedisConnectionFactory; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.token.store.redis.JdkSerializationStrategy; +import org.springframework.security.oauth2.provider.token.store.redis.RedisTokenStoreSerializationStrategy; +import org.springframework.util.ClassUtils; +import org.springframework.util.ReflectionUtils; + +/** + * Implementation of authorization code services that stores the codes and authentication in Redis. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + * @author Stefan Rempfer + */ +@Deprecated +public class RedisAuthorizationCodeServices extends RandomValueAuthorizationCodeServices { + + private static final boolean springDataRedis_2_0 = ClassUtils.isPresent( + "org.springframework.data.redis.connection.RedisStandaloneConfiguration", + RedisAuthorizationCodeServices.class.getClassLoader()); + + private static final String AUTH_CODE = "auth_code:"; + + private final RedisConnectionFactory connectionFactory; + + private String prefix = ""; + + private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy(); + + private Method redisConnectionSet_2_0; + + /** + * Default constructor. + * + * @param connectionFactory the connection factory which should be used to obtain a connection to Redis + */ + public RedisAuthorizationCodeServices(RedisConnectionFactory connectionFactory) { + this.connectionFactory = connectionFactory; + if (springDataRedis_2_0) { + this.loadRedisConnectionMethods_2_0(); + } + } + + @Override + protected void store(String code, OAuth2Authentication authentication) { + byte[] key = serializeKey(AUTH_CODE + code); + byte[] auth = serialize(authentication); + + RedisConnection conn = getConnection(); + try { + if (springDataRedis_2_0) { + try { + this.redisConnectionSet_2_0.invoke(conn, key, auth); + } catch (Exception ex) { + throw new RuntimeException(ex); + } + } else { + conn.set(key, auth); + } + } + finally { + conn.close(); + } + } + + @Override + protected OAuth2Authentication remove(String code) { + byte[] key = serializeKey(AUTH_CODE + code); + + List results = null; + RedisConnection conn = getConnection(); + try { + conn.openPipeline(); + conn.get(key); + conn.del(key); + results = conn.closePipeline(); + } + finally { + conn.close(); + } + + if (results == null) { + return null; + } + byte[] bytes = (byte[]) results.get(0); + return deserializeAuthentication(bytes); + } + 
+ private void loadRedisConnectionMethods_2_0() { + this.redisConnectionSet_2_0 = ReflectionUtils.findMethod( + RedisConnection.class, "set", byte[].class, byte[].class); + } + + private byte[] serializeKey(String object) { + return serialize(prefix + object); + } + + private byte[] serialize(Object object) { + return serializationStrategy.serialize(object); + } + + private byte[] serialize(String string) { + return serializationStrategy.serialize(string); + } + + private RedisConnection getConnection() { + return connectionFactory.getConnection(); + } + + private OAuth2Authentication deserializeAuthentication(byte[] bytes) { + return serializationStrategy.deserialize(bytes, OAuth2Authentication.class); + } + + public void setSerializationStrategy(RedisTokenStoreSerializationStrategy serializationStrategy) { + this.serializationStrategy = serializationStrategy; + } + + public void setPrefix(String prefix) { + this.prefix = prefix; + } +} diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java index d50da6219..db2b85a5c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AbstractEndpoint.java @@ -29,9 +29,13 @@ import org.springframework.util.Assert; /** + *
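Review bot: In remove(), the pipelined `conn.get(key)` and `conn.del(key)` are not atomic: a pipeline only batches the commands, so a second request for the same code on another connection can read the value before either delete runs, and both callers would then obtain the stored authentication for a code that is meant to be single-use. Wrapping the pair in a transaction keeps the read-and-delete indivisible, e.g. `conn.multi();` before the two calls and `results = conn.exec();` in place of `conn.openPipeline()` and `conn.closePipeline()`; the result handling should be checked against the Redis driver in use. Separately, store() writes the key with no expiry, so a code that is never redeemed stays in Redis indefinitely; a `conn.expire(key, <lifetime-seconds>)` after the set would bound its lifetime.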

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class AbstractEndpoint implements InitializingBean { protected final Log logger = LogFactory.getLog(getClass()); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java index ba5d8deca..2cc3bbcc1 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/AuthorizationEndpoint.java @@ -87,13 +87,17 @@ * This endpoint should be secured so that it is only accessible to fully authenticated users (as a minimum requirement) * since it represents a request from a valid user to act on his or her behalf. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Vladimir Kryachko * */ @FrameworkEndpoint @SessionAttributes({AuthorizationEndpoint.AUTHORIZATION_REQUEST_ATTR_NAME, AuthorizationEndpoint.ORIGINAL_AUTHORIZATION_REQUEST_ATTR_NAME}) +@Deprecated public class AuthorizationEndpoint extends AbstractEndpoint { static final String AUTHORIZATION_REQUEST_ATTR_NAME = "authorizationRequest"; @@ -135,7 +139,7 @@ public ModelAndView authorize(Map model, @RequestParam Map responseTypes = authorizationRequest.getResponseTypes(); if (!responseTypes.contains("token") && !responseTypes.contains("code")) { - throw new UnsupportedResponseTypeException("Unsupported response types: " + responseTypes); + throw new UnsupportedResponseTypeException("Unsupported response types"); } if (authorizationRequest.getClientId() == null) { @@ -412,7 +416,7 @@ private String appendAccessToken(AuthorizationRequest authorizationRequest, OAut } String originalScope = authorizationRequest.getRequestParameters().get(OAuth2Utils.SCOPE); if (originalScope == null || !OAuth2Utils.parseParameterList(originalScope).equals(accessToken.getScope())) { - vars.put("scope", OAuth2Utils.formatParameterList(accessToken.getScope())); + vars.put(OAuth2Utils.SCOPE, OAuth2Utils.formatParameterList(accessToken.getScope())); } Map additionalInformation = accessToken.getAdditionalInformation(); for (String key : additionalInformation.keySet()) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java index 8c9f2efdd..218520c06 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/CheckTokenEndpoint.java 
@@ -37,11 +37,15 @@ /** * Controller which decodes access tokens for clients who are not able to do so (or where opaque token values are used). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Luke Taylor * @author Joel D'sa */ @FrameworkEndpoint +@Deprecated public class CheckTokenEndpoint { private ResourceServerTokenServices resourceServerTokenServices; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java index 1e40e5ce2..8cf102925 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolver.java @@ -35,10 +35,14 @@ /** * Default implementation for a redirect resolver. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class DefaultRedirectResolver implements RedirectResolver { private Collection redirectGrantTypes = Arrays.asList("implicit", "authorization_code"); @@ -171,12 +175,10 @@ private boolean matchQueryParams(MultiValueMap registeredRedirec * @return true if strings are equal, false otherwise */ private boolean isEqual(String str1, String str2) { - if (StringUtils.isEmpty(str1) && StringUtils.isEmpty(str2)) { - return true; - } else if (!StringUtils.isEmpty(str1)) { - return str1.equals(str2); + if (StringUtils.isEmpty(str1)) { + return StringUtils.isEmpty(str2); } else { - return false; + return str1.equals(str2); } } @@ -228,7 +230,6 @@ private String obtainMatchingRedirect(Set redirectUris, String requested } } - throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect - + " does not match one of the registered values."); + throw new RedirectMismatchException("Invalid redirect uri does not match one of the registered values."); } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java index 65592dafc..a77dced83 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/ExactMatchRedirectResolver.java @@ -6,9 +6,13 @@ * Strict implementation for a redirect resolver which requires * an exact match between the registered and requested redirect_uri. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public class ExactMatchRedirectResolver extends DefaultRedirectResolver { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java index 17e953f2b..328813117 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpoint.java @@ -30,13 +30,17 @@ * Users of the Spring Security OAuth2 XSD namespace need not use this feature explicitly as the relevant handlers will * be registered by the parsers. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @Component @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE) +@Deprecated public @interface FrameworkEndpoint { } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java index a3cebb978..ea82fe2e6 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/FrameworkEndpointHandlerMapping.java @@ -32,10 +32,14 @@ /** * A handler mapping for framework endpoints (those annotated with @FrameworkEndpoint). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class FrameworkEndpointHandlerMapping extends RequestMappingHandlerMapping { private static final String REDIRECT = UrlBasedViewResolver.REDIRECT_URL_PREFIX; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java index b4869f960..c80c4a321 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/RedirectResolver.java @@ -5,9 +5,13 @@ /** * Basic interface for determining the redirect URI for a user agent. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton */ +@Deprecated public interface RedirectResolver { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java index 5f8f39e29..6c6cb7793 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpoint.java @@ -63,11 +63,15 @@ * id is extracted from the authentication token. The best way to arrange this (as per the OAuth2 spec) is to use HTTP * basic authentication for this endpoint with standard Spring Security support. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ @FrameworkEndpoint +@Deprecated public class TokenEndpoint extends AbstractEndpoint { private OAuth2RequestValidator oAuth2RequestValidator = new DefaultOAuth2RequestValidator(); @@ -75,8 +79,10 @@ public class TokenEndpoint extends AbstractEndpoint { private Set allowedRequestMethods = new HashSet(Arrays.asList(HttpMethod.POST)); @RequestMapping(value = "/oauth/token", method=RequestMethod.GET) - public ResponseEntity getAccessToken(Principal principal, @RequestParam - Map parameters) throws HttpRequestMethodNotSupportedException { + public ResponseEntity getAccessToken( + Principal principal, @RequestParam Map parameters) + throws HttpRequestMethodNotSupportedException { + if (!allowedRequestMethods.contains(HttpMethod.GET)) { throw new HttpRequestMethodNotSupportedException("GET"); } @@ -84,8 +90,9 @@ public ResponseEntity getAccessToken(Principal principal, @Re } @RequestMapping(value = "/oauth/token", method=RequestMethod.POST) - public ResponseEntity postAccessToken(Principal principal, @RequestParam - Map parameters) throws HttpRequestMethodNotSupportedException { + public ResponseEntity postAccessToken( + Principal principal, @RequestParam Map parameters) + throws HttpRequestMethodNotSupportedException { if (!(principal instanceof Authentication)) { throw new InsufficientAuthenticationException( 
@@ -97,34 +104,32 @@ public ResponseEntity postAccessToken(Principal principal, @R TokenRequest tokenRequest = getOAuth2RequestFactory().createTokenRequest(parameters, authenticatedClient); - if (clientId != null && !clientId.equals("")) { - // Only validate the client details if a client authenticated during this - // request. - if (!clientId.equals(tokenRequest.getClientId())) { - // double check to make sure that the client ID in the token request is the same as that in the - // authenticated client - throw new InvalidClientException("Given client ID does not match authenticated client"); - } + // Only validate client details if a client is authenticated during this request. + // Double check to make sure that the client ID is the same in the token request and authenticated client. + if (StringUtils.hasText(clientId) && !clientId.equals(tokenRequest.getClientId())) { + throw new InvalidClientException("Given client ID does not match authenticated client"); } + if (authenticatedClient != null) { oAuth2RequestValidator.validateScope(tokenRequest, authenticatedClient); } + if (!StringUtils.hasText(tokenRequest.getGrantType())) { throw new InvalidRequestException("Missing grant type"); } + if (tokenRequest.getGrantType().equals("implicit")) { throw new InvalidGrantException("Implicit grant type not supported from token endpoint"); } - if (isAuthCodeRequest(parameters)) { + if (isAuthCodeRequest(parameters) && !tokenRequest.getScope().isEmpty()) { // The scope was requested or determined during the authorization step - if (!tokenRequest.getScope().isEmpty()) { - logger.debug("Clearing scope of incoming token request"); - tokenRequest.setScope(Collections. 
emptySet()); + logger.debug("Clearing scope of incoming token request"); + tokenRequest.setScope(Collections.emptySet()); + } else if (isRefreshTokenRequest(parameters)) { + if (StringUtils.isEmpty(parameters.get("refresh_token"))) { + throw new InvalidRequestException("refresh_token parameter not provided"); } - } - - if (isRefreshTokenRequest(parameters)) { // A refresh token has its own default scopes, so we should ignore any added by the factory here. tokenRequest.setScope(OAuth2Utils.parseParameterList(parameters.get(OAuth2Utils.SCOPE))); } @@ -135,7 +140,6 @@ public ResponseEntity postAccessToken(Principal principal, @R } return getResponse(token); - } /** @@ -196,11 +200,11 @@ private ResponseEntity getResponse(OAuth2AccessToken accessTo } private boolean isRefreshTokenRequest(Map parameters) { - return "refresh_token".equals(parameters.get("grant_type")) && parameters.get("refresh_token") != null; + return "refresh_token".equals(parameters.get("grant_type")); } private boolean isAuthCodeRequest(Map parameters) { - return "authorization_code".equals(parameters.get("grant_type")) && parameters.get("code") != null; + return "authorization_code".equals(parameters.get(OAuth2Utils.GRANT_TYPE)) && parameters.get("code") != null; } public void setOAuth2RequestValidator(OAuth2RequestValidator oAuth2RequestValidator) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java index 1b7723d59..0b86a1961 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointAuthenticationFilter.java 
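Review bot: The added refresh_token check uses `StringUtils.isEmpty`, which accepts a whitespace-only value, while the client-id and grant-type checks in the same method use `StringUtils.hasText`. `if (!StringUtils.hasText(parameters.get("refresh_token")))` would reject blank values consistently before the request reaches the granter. Folding the scope test into `isAuthCodeRequest(parameters) && ...` also means an authorization-code request with an empty scope now falls through to the `else if`, which is harmless only because the two grant types are mutually exclusive; a one-line comment saying so would help the next reader. postAccessToken begins before this hunk.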
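Review bot: isRefreshTokenRequest still reads `parameters.get("grant_type")` while isAuthCodeRequest, just below it, was switched to `OAuth2Utils.GRANT_TYPE` in the same hunk, so the two helpers now disagree on how the key is spelled. `return "refresh_token".equals(parameters.get(OAuth2Utils.GRANT_TYPE));` keeps them parallel. isAuthCodeRequest also keeps its `parameters.get("code") != null` test while the refresh-token presence check moved into postAccessToken; a comment on that asymmetry would be useful.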
@@ -66,10 +66,14 @@ * client authentication, and the authenticated user token extracted from the request and validated using the * authentication manager. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class TokenEndpointAuthenticationFilter implements Filter { private static final Log logger = LogFactory.getLog(TokenEndpointAuthenticationFilter.class); @@ -124,7 +128,7 @@ public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) if (credentials != null) { if (debug) { - logger.debug("Authentication credentials found for '" + credentials.getName() + "'"); + logger.debug("Authentication credentials found"); } Authentication authResult = authenticationManager.authenticate(credentials); @@ -203,7 +207,7 @@ protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServ * @return an authentication for validation (or null if there is no further authentication) */ protected Authentication extractCredentials(HttpServletRequest request) { - String grantType = request.getParameter("grant_type"); + String grantType = request.getParameter(OAuth2Utils.GRANT_TYPE); if (grantType != null && grantType.equals("password")) { UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken( request.getParameter("username"), request.getParameter("password")); @@ -214,7 +218,7 @@ protected Authentication extractCredentials(HttpServletRequest request) { } private Set getScope(HttpServletRequest request) { - return OAuth2Utils.parseParameterList(request.getParameter("scope")); + return OAuth2Utils.parseParameterList(request.getParameter(OAuth2Utils.SCOPE)); } public void init(FilterConfig filterConfig) throws ServletException { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java index ecd231cfd..f3dd2f500 100644 
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/TokenKeyEndpoint.java @@ -26,12 +26,16 @@ /** * OAuth2 token services that produces JWT encoded token values. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Luke Taylor * @author Joel D'sa */ @FrameworkEndpoint +@Deprecated public class TokenKeyEndpoint { protected final Log logger = LogFactory.getLog(getClass()); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java index 836b66b16..f05a9b464 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelApprovalEndpoint.java @@ -15,11 +15,15 @@ /** * Controller for displaying the approval page for the authorization server. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ @FrameworkEndpoint @SessionAttributes("authorizationRequest") +@Deprecated public class WhitelabelApprovalEndpoint { @RequestMapping("/oauth/confirm_access") diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java index 83f626cd4..cdf911b87 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/endpoint/WhitelabelErrorEndpoint.java @@ -14,9 +14,13 @@ /** * Controller for displaying the error page for the authorization server. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer */ @FrameworkEndpoint +@Deprecated public class WhitelabelErrorEndpoint { private static final String ERROR = "

OAuth Error

%errorSummary%

"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java index 748a0af8a..26df70549 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/AbstractOAuth2SecurityExceptionHandler.java @@ -28,10 +28,14 @@ /** * Convenient base class containing utility methods and dependency setters for security error handling concerns specific * to OAuth2 resources. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public abstract class AbstractOAuth2SecurityExceptionHandler { /** Logger available to subclasses */ diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java index 9fca8a568..8c1826a89 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultOAuth2ExceptionRenderer.java @@ -42,10 +42,14 @@ * Default implementation of {@link OAuth2ExceptionRenderer} that can render the exceptions using message converters * (just like regular Spring MVC endpoints). If the caller sends an appropriate Accept header he should get the right * result as long as an appropriate message converter is provided. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultOAuth2ExceptionRenderer implements OAuth2ExceptionRenderer { private final Log logger = LogFactory.getLog(DefaultOAuth2ExceptionRenderer.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java index a9327fb0f..af725fa8b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/DefaultWebResponseExceptionTranslator.java @@ -32,10 +32,14 @@ /** * Default translator that converts exceptions into {@link OAuth2Exception}s. The output matches the OAuth 2.0 * specification in terms of error response format and HTTP status code. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultWebResponseExceptionTranslator implements WebResponseExceptionTranslator { private ThrowableAnalyzer throwableAnalyzer = new DefaultThrowableAnalyzer(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java index f6867f2e0..0d1682f4d 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AccessDeniedHandler.java @@ -25,10 +25,14 @@ * If authorization fails and the caller has asked for a specific content type response, this entry point can send one, * along with a standard 403 status. Add to the Spring Security configuration as an {@link AccessDeniedHandler} in * the usual way. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AccessDeniedHandler extends AbstractOAuth2SecurityExceptionHandler implements AccessDeniedHandler { public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException authException) diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java index ce3570d2f..63c760974 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2AuthenticationEntryPoint.java @@ -29,10 +29,14 @@ * If authentication fails and the caller has asked for a specific content type response, this entry point can send one, * along with a standard 401 status. Add to the Spring Security configuration as an {@link AuthenticationEntryPoint} in * the usual way. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class OAuth2AuthenticationEntryPoint extends AbstractOAuth2SecurityExceptionHandler implements AuthenticationEntryPoint { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java index 72b5bcd95..7f1a967e1 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/OAuth2ExceptionRenderer.java @@ -19,10 +19,14 @@ /** * Strategy for rendering a {@link OAuth2Exception} in cases where they cannot be rendered by the Spring dispatcher * servlet (i.e. usually in a filter chain). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface OAuth2ExceptionRenderer { void handleHttpEntityResponse(HttpEntity responseEntity, ServletWebRequest webRequest) throws Exception; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java index 7b7bc664d..05030335f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/error/WebResponseExceptionTranslator.java @@ -19,9 +19,14 @@ /** * Translates exceptions into HTTP Responses. - * + * * @param The error model that will be used as the HTTP Response body. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * */ +@Deprecated public interface WebResponseExceptionTranslator { ResponseEntity translate(Exception e) throws Exception; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java index a1f897fce..f554c7785 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionParser.java @@ -31,10 +31,14 @@ * Note: The implication is that all expressions that are parsed must return a boolean result. This expectation is * already true since Spring Security expects the result to be a boolean. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Rob Winch * */ +@Deprecated public class OAuth2ExpressionParser implements ExpressionParser { private final ExpressionParser delegate; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java index b516a9b27..c893053a2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2ExpressionUtils.java @@ -22,10 +22,14 @@ import org.springframework.security.oauth2.provider.OAuth2Request; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Radek Ostrowski * */ +@Deprecated public abstract class OAuth2ExpressionUtils { public static boolean clientHasAnyRole(Authentication authentication, String... roles) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java index cf9da9385..29035fa89 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2MethodSecurityExpressionHandler.java @@ -16,11 +16,15 @@ * By default the {@link OAuth2ExpressionParser} is used. If this is undesirable one can inject their own * {@link ExpressionParser} using {@link #setExpressionParser(ExpressionParser)}. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Rob Winch * @see OAuth2ExpressionParser */ +@Deprecated public class OAuth2MethodSecurityExpressionHandler extends DefaultMethodSecurityExpressionHandler { public OAuth2MethodSecurityExpressionHandler() { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java index 0c88491be..4ec9e28ff 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2SecurityExpressionMethods.java @@ -24,12 +24,16 @@ /** * A convenience object for security expressions in OAuth2 protected resources, providing public methods that act on the * current authentication. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Rob Winch * @author Radek Ostrowski * */ +@Deprecated public class OAuth2SecurityExpressionMethods { private final Authentication authentication; @@ -76,7 +80,7 @@ public boolean throwOnError(boolean decision) { /** * Check if the OAuth2 client (not the user) has the role specified. To check the user's roles see - * {@link #clientHasRole(String)}. + * {@link #clientHasAnyRole(String...)}. * * @param role the role to check * @return true if the OAuth2 client has this role @@ -87,7 +91,7 @@ public boolean clientHasRole(String role) { /** * Check if the OAuth2 client (not the user) has one of the roles specified. To check the user's roles see - * {@link #clientHasAnyRole(String...)}. + * {@link OAuth2ExpressionUtils#clientHasAnyRole(Authentication, String...)}. * * @param roles the roles to check * @return true if the OAuth2 client has one of these roles diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java index cea72d5a3..40881dfcc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/expression/OAuth2WebSecurityExpressionHandler.java @@ -28,12 +28,16 @@ * By default the {@link OAuth2ExpressionParser} is used. If this is undesirable one can inject their own * {@link ExpressionParser} using {@link #setExpressionParser(ExpressionParser)}. *
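Review bot: In the Javadoc of `clientHasRole(String)` the sentence "To check the user's roles see …" now links to `clientHasAnyRole(String...)`, which by its own description is another client-role check, so the pointer still does not lead to anything that checks the user. The second hunk has the same problem: `clientHasAnyRole` now refers to `OAuth2ExpressionUtils#clientHasAnyRole(Authentication, String...)`. These methods are used in access-control expressions, so a reader following the link could assume a user role is being tested when the text says "(not the user)". I would reword the sentence to describe the target, e.g. `To check for any one of several client roles see {@link #clientHasAnyRole(String...)}.` Both method bodies lie outside the hunks.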

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Rob Winch * * @see OAuth2ExpressionParser */ +@Deprecated public class OAuth2WebSecurityExpressionHandler extends DefaultWebSecurityExpressionHandler { public OAuth2WebSecurityExpressionHandler() { setExpressionParser(new OAuth2ExpressionParser(getExpressionParser())); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java index 04ab21883..975ed02b8 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenGranter.java @@ -31,9 +31,13 @@ import org.springframework.util.Assert; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ImplicitTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "implicit"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java index 66094ee27..2da7b57fc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/ImplicitTokenRequest.java @@ -17,12 +17,16 @@ import org.springframework.security.oauth2.provider.TokenRequest; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * * @since 2.0.2 * */ @SuppressWarnings("serial") +@Deprecated public class ImplicitTokenRequest extends TokenRequest { private OAuth2Request oauth2Request; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java index 6156fac1a..d374d144a 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/implicit/InMemoryImplicitGrantService.java @@ -7,11 +7,15 @@ /** * In-memory implementation of the ImplicitGrantService. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Amanda Anganes * */ @SuppressWarnings("deprecation") +@Deprecated public class InMemoryImplicitGrantService implements ImplicitGrantService { protected final ConcurrentHashMap requestStore = new ConcurrentHashMap(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java index 34a502ed7..d4b2cfedc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranter.java @@ -25,6 +25,7 @@ import org.springframework.security.authentication.BadCredentialsException; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.ClientDetailsService; @@ -36,9 +37,13 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ResourceOwnerPasswordTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "password"; @@ -78,8 +83,12 @@ protected OAuth2Authentication getOAuth2Authentication(ClientDetails client, Tok // If the username/password are wrong the spec says we should send 400/invalid grant throw new InvalidGrantException(e.getMessage()); } + catch (UsernameNotFoundException e) { + // If the user is not found, report a generic error message + throw new InvalidGrantException("username not found"); + } if (userAuth == null || !userAuth.isAuthenticated()) { - throw new InvalidGrantException("Could not authenticate user: " + username); + throw new InvalidGrantException("Could not authenticate user"); } OAuth2Request storedOAuth2Request = getRequestFactory().createOAuth2Request(client, tokenRequest); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java index c5081ade7..242b09c32 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranter.java 
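Review bot: The new `catch (UsernameNotFoundException e)` answers with `"username not found"`, while the bad-credentials branch just above it returns `e.getMessage()`, so the error description can still tell a caller whether a username exists; the added comment says "generic" but the text is specific to this case. Use one identical message in both branches, for example `throw new InvalidGrantException("Bad credentials");`, and keep the distinguishing detail in a server-side log only. Whether the new branch is reachable depends on the configured `AuthenticationManager` (a provider that already hides user-not-found behind `BadCredentialsException` never gets here), which is not visible in this hunk. The `getOAuth2Authentication` body starts and ends outside the hunk.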
@@ -16,7 +16,10 @@ package org.springframework.security.oauth2.provider.refresh; +import org.springframework.security.authentication.AccountStatusException; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.ClientDetailsService; import org.springframework.security.oauth2.provider.OAuth2RequestFactory; @@ -25,9 +28,13 @@ import org.springframework.security.oauth2.provider.token.AuthorizationServerTokenServices; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class RefreshTokenGranter extends AbstractTokenGranter { private static final String GRANT_TYPE = "refresh_token"; @@ -44,7 +51,15 @@ protected RefreshTokenGranter(AuthorizationServerTokenServices tokenServices, Cl @Override protected OAuth2AccessToken getAccessToken(ClientDetails client, TokenRequest tokenRequest) { String refreshToken = tokenRequest.getRequestParameters().get("refresh_token"); - return getTokenServices().refreshAccessToken(refreshToken, tokenRequest); + try { + return getTokenServices().refreshAccessToken(refreshToken, tokenRequest); + } + catch (AccountStatusException ase) { + //covers expired, locked, disabled cases (mentioned in section 5.2, draft 31) + throw new InvalidGrantException(ase.getMessage()); + } catch (UsernameNotFoundException e) { + // If the user is not found, report a generic error message + throw new InvalidGrantException("user not found"); + } } - } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java index 8f81294ff..c039aadc0 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestFactory.java @@ -32,11 +32,15 @@ /** * Default implementation of {@link OAuth2RequestFactory} which initializes fields from the parameters map, validates * grant types and scopes, and fills in scopes with the default values from the client if they are missing. - * + * + *
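Review bot: Both new catch blocks in `getAccessToken` drop the caught exception, so after the translation to `InvalidGrantException` nothing server-side records which account failed the refresh or why. If `InvalidGrantException` offers a (message, cause) constructor, pass the cause, e.g. `throw new InvalidGrantException("user not found", e);`, or log at debug level before rethrowing; the client-facing message can stay as it is. The wording also differs from the password granter in this same diff ("username not found" there, "user not found" here), and the second `catch` is written `} catch` while the first starts on its own line. Aligning both would make the two granters easier to audit together.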

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Amanda Anganes * */ +@Deprecated public class DefaultOAuth2RequestFactory implements OAuth2RequestFactory { private final ClientDetailsService clientDetailsService; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java index ea297e336..ce24ca862 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/request/DefaultOAuth2RequestValidator.java @@ -10,10 +10,14 @@ /** * Default implementation of {@link OAuth2RequestValidator}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Amanda Anganes * */ +@Deprecated public class DefaultOAuth2RequestValidator implements OAuth2RequestValidator { public void validateScope(AuthorizationRequest authorizationRequest, ClientDetails client) throws InvalidScopeException { @@ -29,7 +33,7 @@ private void validateScope(Set requestScopes, Set clientScopes) if (clientScopes != null && !clientScopes.isEmpty()) { for (String scope : requestScopes) { if (!clientScopes.contains(scope)) { - throw new InvalidScopeException("Invalid scope: " + scope, clientScopes); + throw new InvalidScopeException("Invalid scope", clientScopes); } } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java index bbe5b8a30..94a931c18 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AbstractTokenGranter.java @@ -27,9 +27,13 @@ import org.springframework.security.oauth2.provider.TokenRequest; /** + *
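Review bot: The rejected scope no longer appears in the message, but `clientScopes` is still handed to `InvalidScopeException` as the second argument. If that constructor copies the set into the error response (its code is not part of this section), a caller who sends an unregistered scope still learns the client's full registered scope list; it is worth confirming that this is intended. A short comment above the throw, such as `// requested scope deliberately omitted: it is caller-supplied`, would also keep a later maintainer from re-adding the value. The private `validateScope` body starts and ends outside the hunk.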

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public abstract class AbstractTokenGranter implements TokenGranter { protected final Log logger = LogFactory.getLog(getClass()); @@ -61,7 +65,7 @@ public OAuth2AccessToken grant(String grantType, TokenRequest tokenRequest) { validateGrantType(grantType, client); if (logger.isDebugEnabled()) { - logger.debug("Getting access token for: " + clientId); + logger.debug("Getting access token for clientId"); } return getAccessToken(client, tokenRequest); @@ -81,7 +85,7 @@ protected void validateGrantType(String grantType, ClientDetails clientDetails) Collection authorizedGrantTypes = clientDetails.getAuthorizedGrantTypes(); if (authorizedGrantTypes != null && !authorizedGrantTypes.isEmpty() && !authorizedGrantTypes.contains(grantType)) { - throw new InvalidClientException("Unauthorized grant type: " + grantType); + throw new InvalidClientException("Unauthorized grant type"); } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java index e981b6d1d..e3fc2a430 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AccessTokenConverter.java @@ -19,10 +19,14 @@ /** * Converter interface for token service implementations that store authentication data inside the token. - * + * + *
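Review bot: After this change the debug statement in `grant` prints the fixed text `"Getting access token for clientId"`, which identifies nothing and reads like a placeholder that was never filled in. If the value was removed because it comes from the request, either delete the `if (logger.isDebugEnabled())` block or log a neutralised value, e.g. `logger.debug("Getting access token for: " + clientId.replaceAll("[\r\n]", "_"));`. The same question applies to the second hunk, where `"Unauthorized grant type"` now gives an operator no indication of which grant type was refused; a debug log line next to the throw would restore that without returning it to the caller. The `grant` and `validateGrantType` bodies extend beyond the hunks.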

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface AccessTokenConverter { final String AUD = "aud"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java index dcb80754e..4b9f515e2 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthenticationKeyGenerator.java @@ -16,10 +16,14 @@ /** * Strategy interface for extracting a unique key from an {@link OAuth2Authentication}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface AuthenticationKeyGenerator { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java index 26e3013d6..7fd9bc359 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/AuthorizationServerTokenServices.java @@ -22,9 +22,13 @@ import org.springframework.security.oauth2.provider.TokenRequest; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Dave Syer */ +@Deprecated public interface AuthorizationServerTokenServices { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java index 1e3de255d..f9ad8d15c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ConsumerTokenServices.java @@ -14,9 +14,13 @@ /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface ConsumerTokenServices { boolean revokeToken(String tokenValue); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java index e7f5aa62d..dc97af8af 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAccessTokenConverter.java @@ -31,10 +31,14 @@ /** * Default implementation of {@link AccessTokenConverter}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Vedran Pavic */ +@Deprecated public class DefaultAccessTokenConverter implements AccessTokenConverter { private UserAuthenticationConverter userTokenConverter = new DefaultUserAuthenticationConverter(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java index 3b98fd347..ae79cf2cf 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultAuthenticationKeyGenerator.java @@ -28,9 +28,13 @@ * Basic key generator taking into account the client id, scope, resource ids and username (principal name) if they * exist. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultAuthenticationKeyGenerator implements AuthenticationKeyGenerator { private static final String CLIENT_ID = "client_id"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java index 16f7a4914..0132c8882 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultTokenServices.java @@ -13,14 +13,18 @@ package org.springframework.security.oauth2.provider.token; +import java.nio.charset.Charset; import java.util.Date; import java.util.Set; -import java.util.UUID; + +import org.apache.commons.codec.binary.Base64; import org.springframework.beans.factory.InitializingBean; import org.springframework.security.authentication.AuthenticationManager; import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; +import org.springframework.security.crypto.keygen.BytesKeyGenerator; +import org.springframework.security.crypto.keygen.KeyGenerators; import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken; 
@@ -41,20 +45,28 @@ import org.springframework.util.Assert; /** - * Base implementation for token services using random UUID values for the access token and refresh token values. The + * Base implementation for token services using {@code SecureRandom} values for the access token and refresh token values. The * main extension point for customizations is the {@link TokenEnhancer} which will be called after the access and * refresh tokens have been generated but before they are stored. *

* Persistence is delegated to a {@code TokenStore} implementation and customization of the access token to a * {@link TokenEnhancer}. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Luke Taylor * @author Dave Syer */ +@Deprecated public class DefaultTokenServices implements AuthorizationServerTokenServices, ResourceServerTokenServices, ConsumerTokenServices, InitializingBean { + private static final BytesKeyGenerator DEFAULT_TOKEN_GENERATOR = KeyGenerators.secureRandom(20); + + private static final Charset US_ASCII = Charset.forName("US-ASCII"); + private int refreshTokenValiditySeconds = 60 * 60 * 24 * 30; // default 30 days. private int accessTokenValiditySeconds = 60 * 60 * 12; // default 12 hours. 
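Review bot: `KeyGenerators.secureRandom(20)` carries the token key length as a bare number, and the updated class Javadoc says only "{@code SecureRandom} values" without stating how long a token is or how it is encoded. A comment on the constant would make the property reviewable at a glance, e.g. `// 20 random bytes (160 bits) per generated token value`; the code that encodes the bytes is outside this hunk. If the build baseline is Java 7 or later (not visible here), `StandardCharsets.US_ASCII` would replace `Charset.forName("US-ASCII")` and avoid the string lookup.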
@@ -134,27 +146,35 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque throws AuthenticationException { if (!supportRefreshToken) { - throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); + throw new InvalidGrantException("Invalid refresh token"); } OAuth2RefreshToken refreshToken = tokenStore.readRefreshToken(refreshTokenValue); if (refreshToken == null) { - throw new InvalidGrantException("Invalid refresh token: " + refreshTokenValue); + throw new InvalidGrantException("Invalid refresh token"); } OAuth2Authentication authentication = tokenStore.readAuthenticationForRefreshToken(refreshToken); if (this.authenticationManager != null && !authentication.isClientOnly()) { // The client has already been authenticated, but the user authentication might be old now, so give it a // chance to re-authenticate. - Authentication user = new PreAuthenticatedAuthenticationToken(authentication.getUserAuthentication(), "", authentication.getAuthorities()); - user = authenticationManager.authenticate(user); + Authentication userAuthentication = authentication.getUserAuthentication(); + PreAuthenticatedAuthenticationToken preAuthenticatedToken = new PreAuthenticatedAuthenticationToken( + userAuthentication, + "", + authentication.getAuthorities() + ); + if (userAuthentication.getDetails() != null) { + preAuthenticatedToken.setDetails(userAuthentication.getDetails()); + } + Authentication user = authenticationManager.authenticate(preAuthenticatedToken); Object details = authentication.getDetails(); authentication = new OAuth2Authentication(authentication.getOAuth2Request(), user); authentication.setDetails(details); } String clientId = authentication.getOAuth2Request().getClientId(); if (clientId == null || !clientId.equals(tokenRequest.getClientId())) { - throw new InvalidGrantException("Wrong client for this refresh token: " + refreshTokenValue); + throw new InvalidGrantException("Wrong client for this refresh token"); } // 
clear out any access tokens already associated with the refresh @@ -163,7 +183,7 @@ public OAuth2AccessToken refreshAccessToken(String refreshTokenValue, TokenReque if (isExpired(refreshToken)) { tokenStore.removeRefreshToken(refreshToken); - throw new InvalidTokenException("Invalid refresh token (expired): " + refreshToken); + throw new InvalidTokenException("Invalid refresh token (expired)"); } authentication = createRefreshedAuthentication(authentication, tokenRequest); @@ -200,8 +220,7 @@ private OAuth2Authentication createRefreshedAuthentication(OAuth2Authentication if (scope != null && !scope.isEmpty()) { Set originalScope = clientAuth.getScope(); if (originalScope == null || !originalScope.containsAll(scope)) { - throw new InvalidScopeException("Unable to narrow the scope of the client authentication to " + scope - + ".", originalScope); + throw new InvalidScopeException("Unable to narrow the scope of the client authentication", originalScope); } else { clientAuth = clientAuth.narrowScope(scope); @@ -228,17 +247,17 @@ public OAuth2Authentication loadAuthentication(String accessTokenValue) throws A InvalidTokenException { OAuth2AccessToken accessToken = tokenStore.readAccessToken(accessTokenValue); if (accessToken == null) { - throw new InvalidTokenException("Invalid access token: " + accessTokenValue); + throw new InvalidTokenException("Invalid access token"); } else if (accessToken.isExpired()) { tokenStore.removeAccessToken(accessToken); - throw new InvalidTokenException("Access token expired: " + accessTokenValue); + throw new InvalidTokenException("Access token expired"); } OAuth2Authentication result = tokenStore.readAuthentication(accessToken); if (result == null) { // in case of race condition - throw new InvalidTokenException("Invalid access token: " + accessTokenValue); + throw new InvalidTokenException("Invalid access token"); } if (clientDetailsService != null) { String clientId = result.getOAuth2Request().getClientId(); 
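Review bot: The `if (userAuthentication.getDetails() != null)` guard in the re-authentication branch of refreshAccessToken adds nothing, because a newly constructed PreAuthenticatedAuthenticationToken has no details set; `preAuthenticatedToken.setDetails(userAuthentication.getDetails());` alone behaves the same. What the block lacks is a comment on why the details are forwarded, for example `// pass the stored details on so the AuthenticationManager sees what the original login recorded`. The authentication is read back from the token store a few lines earlier, so the comment should also say that providers receive persisted and possibly old data. The method starts and ends outside this hunk.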
@@ -246,7 +265,7 @@ else if (accessToken.isExpired()) { clientDetailsService.loadClientByClientId(clientId); } catch (ClientRegistrationException e) { - throw new InvalidTokenException("Client not valid: " + clientId, e); + throw new InvalidTokenException("Client not valid", e); } } return result; @@ -255,11 +274,11 @@ else if (accessToken.isExpired()) { public String getClientId(String tokenValue) { OAuth2Authentication authentication = tokenStore.readAuthentication(tokenValue); if (authentication == null) { - throw new InvalidTokenException("Invalid access token: " + tokenValue); + throw new InvalidTokenException("Invalid access token"); } OAuth2Request clientAuth = authentication.getOAuth2Request(); if (clientAuth == null) { - throw new InvalidTokenException("Invalid access token (no client id): " + tokenValue); + throw new InvalidTokenException("Invalid access token (no client id)"); } return clientAuth.getClientId(); } 
@@ -281,16 +300,17 @@ private OAuth2RefreshToken createRefreshToken(OAuth2Authentication authenticatio return null; } int validitySeconds = getRefreshTokenValiditySeconds(authentication.getOAuth2Request()); - String value = UUID.randomUUID().toString(); + String tokenValue = new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()), US_ASCII); if (validitySeconds > 0) { - return new DefaultExpiringOAuth2RefreshToken(value, new Date(System.currentTimeMillis() + return new DefaultExpiringOAuth2RefreshToken(tokenValue, new Date(System.currentTimeMillis() + (validitySeconds * 1000L))); } - return new DefaultOAuth2RefreshToken(value); + return new DefaultOAuth2RefreshToken(tokenValue); } private OAuth2AccessToken createAccessToken(OAuth2Authentication authentication, OAuth2RefreshToken refreshToken) { - DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(UUID.randomUUID().toString()); + String tokenValue = new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()), US_ASCII); + DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken(tokenValue); int validitySeconds = getAccessTokenValiditySeconds(authentication.getOAuth2Request()); if (validitySeconds > 0) { token.setExpiration(new Date(System.currentTimeMillis() + (validitySeconds * 1000L))); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java index c8891c48c..331114567 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverter.java 
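Review bot: createRefreshToken and createAccessToken now each spell out the same `new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()), US_ASCII)` expression, so a later change to token length or encoding has to be made in two places. A small private helper, e.g. `private static String generateTokenValue() { return new String(Base64.encodeBase64URLSafe(DEFAULT_TOKEN_GENERATOR.generateKey()), US_ASCII); }`, keeps the two token kinds from drifting apart. A short Javadoc on it could state that the value is 20 random bytes in unpadded URL-safe Base64. createAccessToken continues past the end of the hunk.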
@@ -28,16 +28,22 @@ /** * Default implementation of {@link UserAuthenticationConverter}. Converts to and from an Authentication using only its * name and authorities. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class DefaultUserAuthenticationConverter implements UserAuthenticationConverter { private Collection defaultAuthorities; private UserDetailsService userDetailsService; + private String userClaimName = USERNAME; + /** * Optional {@link UserDetailsService} to use when extracting an {@link Authentication} from the incoming map. * @@ -47,6 +53,15 @@ public void setUserDetailsService(UserDetailsService userDetailsService) { this.userDetailsService = userDetailsService; } + /** + * Set the name of the user claim to use when extracting an {@link Authentication} from the incoming map + * or when converting an {@link Authentication} to a map. + * @param claimName the claim name to use (default {@link UserAuthenticationConverter#USERNAME}) + */ + public void setUserClaimName(String claimName) { + this.userClaimName = claimName; + } + /** * Default value for authorities if an Authentication is being created and the input has no data for authorities. * Note that unless this property is set, the default Authentication created by {@link #extractAuthentication(Map)} @@ -61,7 +76,7 @@ public void setDefaultAuthorities(String[] defaultAuthorities) { public Map convertUserAuthentication(Authentication authentication) { Map response = new LinkedHashMap(); - response.put(USERNAME, authentication.getName()); + response.put(userClaimName, authentication.getName()); if (authentication.getAuthorities() != null && !authentication.getAuthorities().isEmpty()) { response.put(AUTHORITIES, AuthorityUtils.authorityListToSet(authentication.getAuthorities())); } 
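Review bot: setUserClaimName stores whatever it is given, so a null or empty name is only noticed later, when convertUserAuthentication writes the user name under that key and extractAuthentication looks it up. A guard at the top of the setter, `Assert.hasText(claimName, "claimName must not be empty");` (org.springframework.util.Assert, which may need importing in this file), fails at configuration time instead. The Javadoc could also say that the same name has to be configured wherever the token is read back, since a mismatch appears to make extractAuthentication return null (inferred from the `return null` visible in the following hunk).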
@@ -69,11 +84,11 @@ public void setDefaultAuthorities(String[] defaultAuthorities) { } public Authentication extractAuthentication(Map map) { - if (map.containsKey(USERNAME)) { - Object principal = map.get(USERNAME); + if (map.containsKey(userClaimName)) { + Object principal = map.get(userClaimName); Collection authorities = getAuthorities(map); if (userDetailsService != null) { - UserDetails user = userDetailsService.loadUserByUsername((String) map.get(USERNAME)); + UserDetails user = userDetailsService.loadUserByUsername((String) map.get(userClaimName)); authorities = user.getAuthorities(); principal = user; } @@ -82,7 +97,7 @@ public Authentication extractAuthentication(Map map) { return null; } - private Collection getAuthorities(Map map) { + protected Collection getAuthorities(Map map) { if (!map.containsKey(AUTHORITIES)) { return defaultAuthorities; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java index 7ba183ad1..db5095892 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/RemoteTokenServices.java @@ -24,6 +24,7 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.util.CollectionUtils; import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; import org.springframework.web.client.DefaultResponseErrorHandler; @@ -39,10 +40,15 @@ * * If the endpoint returns a 400 response, this indicates that the token is invalid. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * @author Luke Taylor + * @author Mathieu Ouellet * */ +@Deprecated public class RemoteTokenServices implements ResourceServerTokenServices { protected final Log logger = LogFactory.getLog(getClass()); @@ -57,6 +63,8 @@ public class RemoteTokenServices implements ResourceServerTokenServices { private String tokenName = "token"; + private Map additionalParameters; + private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter(); public RemoteTokenServices() { @@ -96,15 +104,30 @@ public void setTokenName(String tokenName) { this.tokenName = tokenName; } - @Override - public OAuth2Authentication loadAuthentication(String accessToken) throws AuthenticationException, InvalidTokenException { + public void setAdditionalParameters(Map additionalParameters) { + this.additionalParameters = additionalParameters; + } + + @Override + public OAuth2Authentication loadAuthentication(String accessToken) + throws AuthenticationException, InvalidTokenException { MultiValueMap formData = new LinkedMultiValueMap(); + if (additionalParameters != null) { + formData.setAll(additionalParameters); + } formData.add(tokenName, accessToken); HttpHeaders headers = new HttpHeaders(); headers.set("Authorization", getAuthorizationHeader(clientId, clientSecret)); Map map = postForMap(checkTokenEndpointUrl, formData, headers); + if (CollectionUtils.isEmpty(map)) { + if (logger.isDebugEnabled()) { + logger.debug("check_token returned empty"); + } + throw new InvalidTokenException(accessToken); + } + if (map.containsKey("error")) { if (logger.isDebugEnabled()) { logger.debug("check_token returned error: " + map.get("error")); 
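Review bot: The new empty-response branch in loadAuthentication ends with `throw new InvalidTokenException(accessToken);`, which puts the raw bearer token into the exception message, where logs or an error response body can pick it up. The same commit removes token values from every message in DefaultTokenServices, so this branch should follow suit: `throw new InvalidTokenException("Invalid access token");`. Separately, `formData.add(tokenName, accessToken)` appends rather than replaces, so an entry in additionalParameters with the same name as tokenName would send two values; `formData.set(tokenName, accessToken)` avoids that. loadAuthentication continues beyond the hunk.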
diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java index 23795bc43..6af3f7f21 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/ResourceServerTokenServices.java @@ -5,6 +5,12 @@ import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; import org.springframework.security.oauth2.provider.OAuth2Authentication; +/** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * + */ +@Deprecated public interface ResourceServerTokenServices { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java index fd248d3ca..e33122fd6 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancer.java @@ -18,10 +18,14 @@ /** * Strategy for enhancing an access token before it is stored by an {@link AuthorizationServerTokenServices} * implementation. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface TokenEnhancer { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java index f34cb76d5..e9fe8b5e1 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenEnhancerChain.java @@ -20,10 +20,14 @@ /** * A composite token enhancer that loops over its delegate enhancers. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class TokenEnhancerChain implements TokenEnhancer { private List delegates = Collections.emptyList(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java index 47e5d7c50..8cf2072a8 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/TokenStore.java @@ -8,7 +8,12 @@ /** * Persistence interface for OAuth2 tokens. + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * */ +@Deprecated public interface TokenStore { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java index 737bfa500..1403d5bf7 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/UserAuthenticationConverter.java @@ -19,10 +19,14 @@ /** * Utility interface for converting a user authentication to and from a Map. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public interface UserAuthenticationConverter { final String AUTHORITIES = AccessTokenConverter.AUTHORITIES; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java index 3a8fab70c..9d60b24de 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/DelegatingJwtClaimsSetVerifier.java @@ -27,10 +27,14 @@ * A {@link JwtClaimsSetVerifier} that delegates claims verification * to it's internal List of {@link JwtClaimsSetVerifier}'s. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja * @since 2.2 * @see JwtClaimsSetVerifier */ +@Deprecated public class DelegatingJwtClaimsSetVerifier implements JwtClaimsSetVerifier { private final List jwtClaimsSetVerifiers; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java index b5ab22ee4..7f30f4d36 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/InMemoryTokenStore.java @@ -20,11 +20,15 @@ /** * Implementation of token services that stores tokens in memory. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ryan Heaton * @author Luke Taylor * @author Dave Syer */ +@Deprecated public class InMemoryTokenStore implements TokenStore { private static final int DEFAULT_FLUSH_INTERVAL = 1000; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java index 7203283d1..4a206382e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/IssuerClaimVerifier.java @@ -26,10 +26,14 @@ * A {@link JwtClaimsSetVerifier} that verifies the Issuer (iss) claim contained in the * JWT Claims Set against the issuer supplied to the constructor. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja * @since 2.2 * @see JwtClaimsSetVerifier */ +@Deprecated public class IssuerClaimVerifier implements JwtClaimsSetVerifier { private static final String ISS_CLAIM = "iss"; private final URL issuer; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java index 63bf761bc..46305c2ad 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStore.java @@ -31,10 +31,14 @@ /** * Implementation of token services that stores tokens in a database. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Ken Dombeck * @author Luke Taylor * @author Dave Syer */ +@Deprecated public class JdbcTokenStore implements TokenStore { private static final Log LOG = LogFactory.getLog(JdbcTokenStore.class); @@ -125,12 +129,14 @@ public OAuth2AccessToken mapRow(ResultSet rs, int rowNum) throws SQLException { LOG.error("Could not extract access token for authentication " + authentication, e); } - if (accessToken != null - && !key.equals(authenticationKeyGenerator.extractKey(readAuthentication(accessToken.getValue())))) { - removeAccessToken(accessToken.getValue()); - // Keep the store consistent (maybe the same user is represented by this authentication but the details have - // changed) - storeAccessToken(accessToken, authentication); + if (accessToken != null) { + OAuth2Authentication oldAuthentication = readAuthentication(accessToken.getValue()); + if (oldAuthentication == null || !key.equals(authenticationKeyGenerator.extractKey(oldAuthentication))) { + removeAccessToken(accessToken.getValue()); + // Keep the store consistent (maybe the same user is represented by this authentication but the details have + // changed) + storeAccessToken(accessToken, authentication); + } } return accessToken; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java index 4a77932c3..6ffc4acf8 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.java @@ -43,12 +43,16 @@ * information (in both directions). Also acts as a {@link TokenEnhancer} when tokens are * granted. * + *
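Review bot: The comment inside the new inner `if` of the JdbcTokenStore hunk still explains only the changed-details case, but the condition now also fires when readAuthentication returns null for a token that was found by its authentication key. A second comment line such as `// also re-store when the saved authentication could not be read back` would document that path. A debug log there may also be worthwhile, since a token row without a readable authentication points at an inconsistent store. The method begins outside the hunk.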

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @see TokenEnhancer * @see AccessTokenConverter * * @author Dave Syer * @author Luke Taylor */ +@Deprecated public class JwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter, InitializingBean { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java index e686220cd..61d030ba9 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtClaimsSetVerifier.java @@ -24,10 +24,14 @@ * contained in a JWT Claims Set, for example, expiration time (exp), * not before (nbf), issuer (iss), audience (aud), subject (sub), etc. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja * @since 2.2 * @see JwtAccessTokenConverter */ +@Deprecated public interface JwtClaimsSetVerifier { /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java index 4f8ddd9c9..9e9c4b93e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/JwtTokenStore.java @@ -33,10 +33,14 @@ * nevertheless a useful tool since it translates access tokens to and from authentications. Use this wherever a * {@link TokenStore} is needed, but remember to use the same {@link JwtAccessTokenConverter} instance (or one with the same * verifier) as was used when the tokens were minted. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class JwtTokenStore implements TokenStore { private JwtAccessTokenConverter jwtTokenEnhancer; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java index 854e7aedf..2ca4aa271 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/KeyStoreKeyFactory.java @@ -29,10 +29,14 @@ /** * Factory for RSA key pairs from a JKS keystore file. User provides a {@link Resource} location of a keystore file and * the password to unlock it, and the factory grabs the keypairs from the store by name (and optionally password). - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class KeyStoreKeyFactory { private static final Log logger = LogFactory.getLog(KeyStoreKeyFactory.class); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java index 5b259ee79..360099d17 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/EllipticCurveJwkDefinition.java @@ -32,6 +32,7 @@ final class EllipticCurveJwkDefinition extends JwkDefinition { * Creates an instance of an Elliptic Curve JSON Web Key (JWK). * * @param keyId the Key ID + * @param x5t the X.509 Certificate SHA-1 Thumbprint ("x5t") * @param publicKeyUse the intended use of the Public Key * @param algorithm the algorithm intended to be used * @param x the x value to be used @@ -39,12 +40,13 @@ final class EllipticCurveJwkDefinition extends JwkDefinition { * @param curve the curve to be used */ EllipticCurveJwkDefinition(String keyId, + String x5t, PublicKeyUse publicKeyUse, CryptoAlgorithm algorithm, String x, String y, String curve) { - super(keyId, KeyType.EC, publicKeyUse, algorithm); + super(keyId, x5t, KeyType.EC, publicKeyUse, algorithm); this.x = x; this.y = y; this.curve = curve; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java index 931397668..15c3f1c2c 100644 
--- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkAttributes.java @@ -28,6 +28,11 @@ final class JwkAttributes { */ static final String KEY_ID = "kid"; + /** + * The "x5t" (X.509 Certificate SHA-1 Thumbprint) parameter used in a JWT header and in a JWK. + */ + static final String X5T = "x5t"; + /** * The "kty" (key type) parameter identifies the cryptographic algorithm family * used by a JWK, for example, "RSA" or "EC". diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java index eb19ba2e3..f8392fa10 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinition.java @@ -25,6 +25,7 @@ */ abstract class JwkDefinition { private final String keyId; + private final String x5t; private final KeyType keyType; private final PublicKeyUse publicKeyUse; private final CryptoAlgorithm algorithm; @@ -33,15 +34,18 @@ abstract class JwkDefinition { * Creates an instance with the common attributes of a JWK. * * @param keyId the Key ID + * @param x5t the X.509 Certificate SHA-1 Thumbprint ("x5t") * @param keyType the Key Type * @param publicKeyUse the intended use of the Public Key * @param algorithm the algorithm intended to be used */ protected JwkDefinition(String keyId, + String x5t, KeyType keyType, PublicKeyUse publicKeyUse, CryptoAlgorithm algorithm) { this.keyId = keyId; + this.x5t = x5t; this.keyType = keyType; this.publicKeyUse = publicKeyUse; this.algorithm = algorithm; 
@@ -54,6 +58,13 @@ String getKeyId() { return this.keyId; } + /** + * @return the X.509 Certificate SHA-1 Thumbprint ("x5t") + */ + String getX5t() { + return this.x5t; + } + /** * @return the Key Type ("kty") */ @@ -89,6 +100,12 @@ public boolean equals(Object obj) { if (!this.getKeyId().equals(that.getKeyId())) { return false; } + if (this.getX5t() == null) { + if (that.getX5t() != null) + return false; + } + else if (!this.getX5t().equals(that.getX5t())) + return false; return this.getKeyType().equals(that.getKeyType()); } @@ -97,6 +114,7 @@ public boolean equals(Object obj) { public int hashCode() { int result = this.getKeyId().hashCode(); result = 31 * result + this.getKeyType().hashCode(); + result = 31 * result + ((this.getX5t() == null) ? 0 : this.getX5t().hashCode()); return result; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java index 7c2a2ff67..8340106e3 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSource.java @@ -30,6 +30,7 @@ import java.security.spec.RSAPublicKeySpec; import java.util.ArrayList; import java.util.Arrays; +import java.util.Iterator; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; @@ -47,6 +48,7 @@ * * @author Joe Grandja * @author Michael Duergner + * @author Bjoern Eickvonder */ class JwkDefinitionSource { private final List jwkSetUrls; 
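Review bot: The x5t comparison added to JwkDefinition.equals uses unbraced `if`/`else if` bodies, while the keyId check directly above it in the same method is braced; the mix makes the null handling harder to follow. Spring's own helper expresses it in one braced statement: `if (!ObjectUtils.nullSafeEquals(this.getX5t(), that.getX5t())) { return false; }` (org.springframework.util.ObjectUtils, which may need importing). The matching line in hashCode can then become `result = 31 * result + ObjectUtils.nullSafeHashCode(this.getX5t());`. equals starts outside the hunk.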
@@ -79,20 +81,21 @@ class JwkDefinitionSource { } /** - * Returns the JWK definition matching the provided keyId ("kid"). + * Returns the JWK definition matching the provided keyId ("kid") or provided thumbprint ("x5t"). * If the JWK definition is not available in the internal cache then {@link #loadJwkDefinitions(URL)} * will be called (to re-load the cache) and then followed-up with a second attempt to locate the JWK definition. * - * @param keyId the Key ID ("kid") + * @param keyId the Key ID ("kid"), if not given x5t will be checked + * @param x5t the X.509 Certificate SHA-1 Thumbprint ("x5t"), will only be checked if keyId is not given * @return the matching {@link JwkDefinition} or null if not found */ - JwkDefinitionHolder getDefinitionLoadIfNecessary(String keyId) { - JwkDefinitionHolder result = this.getDefinition(keyId); + JwkDefinitionHolder getDefinitionLoadIfNecessary(String keyId, String x5t) { + JwkDefinitionHolder result = this.getDefinition(keyId, x5t); if (result != null) { return result; } synchronized (this.jwkDefinitions) { - result = this.getDefinition(keyId); + result = this.getDefinition(keyId, x5t); if (result != null) { return result; } 
@@ -102,18 +105,31 @@ JwkDefinitionHolder getDefinitionLoadIfNecessary(String keyId) { } this.jwkDefinitions.clear(); this.jwkDefinitions.putAll(newJwkDefinitions); - return this.getDefinition(keyId); + return this.getDefinition(keyId, x5t); } } /** * Returns the JWK definition matching the provided keyId ("kid"). * - * @param keyId the Key ID ("kid") + * @param keyId the Key ID ("kid"), if not given x5t will be checked + * @param x5t the X.509 Certificate SHA-1 Thumbprint ("x5t"), will only be checked if keyId is not given * @return the matching {@link JwkDefinition} or null if not found */ - private JwkDefinitionHolder getDefinition(String keyId) { - return this.jwkDefinitions.get(keyId); + private JwkDefinitionHolder getDefinition(String keyId, String x5t) { + JwkDefinitionHolder result = null; + if (keyId != null) { + result = this.jwkDefinitions.get(keyId); + } else if (x5t != null) { + Iterator iter = this.jwkDefinitions.values().iterator(); + while (result == null && iter.hasNext()) { + JwkDefinitionHolder entry = iter.next(); + if (x5t.equals(entry.getJwkDefinition().getX5t())) { + result = entry; + } + } + } + return result; } /** diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java index 1e15ae2c8..36d56615c 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkException.java @@ -20,8 +20,12 @@ /** * General exception for JSON Web Key (JWK) related errors. * + *
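Review bot: The Javadoc summary of `getDefinition` still reads `Returns the JWK definition matching the provided keyId ("kid").` although the method now falls back to a scan by `x5t`. It should say so, e.g. `Returns the JWK definition matching the keyId ("kid"), or the thumbprint ("x5t") when no keyId is given.`, and note that a `kid` that is present but unknown never falls back to `x5t`. The iterator loop driven by the `result == null` flag would read more simply as a for-each over `this.jwkDefinitions.values()` that returns the first holder whose `getX5t()` equals `x5t`.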

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja */ +@Deprecated public class JwkException extends OAuth2Exception { private static final String SERVER_ERROR_ERROR_CODE = "server_error"; private String errorCode = SERVER_ERROR_ERROR_CODE; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java index d23683cf6..930884c12 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverter.java @@ -95,13 +95,13 @@ public Set convert(InputStream jwkSetSource) { } } - // gh-1470 - skip unsupported public key use (enc) without discarding the entire set + // gh-1871 - only accept public key use (sig) JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE)); - if (JwkDefinition.PublicKeyUse.ENC.equals(publicKeyUse)) { + if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) { continue; } - + JwkDefinition jwkDefinition = null; JwkDefinition.KeyType keyType = JwkDefinition.KeyType.fromValue(attributes.get(KEY_TYPE)); @@ -142,13 +142,13 @@ private JwkDefinition createRsaJwkDefinition(Map attributes) { if (!StringUtils.hasText(keyId)) { throw new JwkException(KEY_ID + " is a required attribute for a JWK."); } + String x5t = attributes.get(X5T); // use JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE)); if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) { - throw new JwkException((publicKeyUse != null ? publicKeyUse.value() : "unknown") + - " (" + PUBLIC_KEY_USE + ") is currently not supported."); + return null; } // alg 
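Review bot: In `convert`, the new `if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) { continue; }` also skips keys that carry no `use` member at all, since `fromValue` can evidently yield null (the removed code in `createRsaJwkDefinition` handled that case). A JWK set that omits the optional `use` attribute would then produce no definitions and every token would fail key lookup with no hint why. This fails closed, which is the safe direction, but the comment should state it: `// gh-1871 - only accept public key use (sig); keys without a "use" member are skipped as well`. The loop body continues outside the hunk.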
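Review bot: `createRsaJwkDefinition` now answers a non-`sig` key with `return null;` where it used to throw `JwkException`, and the same change is made in the `createEllipticCurveJwkDefinition` hunk further down. The method Javadoc, which lies outside the hunk, should document the null result, e.g. `@return the RSA JwkDefinition, or null if the key's "use" is not "sig"`. Since `convert` already skips such keys before calling either method, this branch looks unreachable from there; either drop the duplicate check or add `// defensive: convert() filters non-sig keys first`. The new `x5t` attribute is taken as-is with no `StringUtils.hasText` check, so a blank value is stored unchanged.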
@@ -174,7 +174,7 @@ private JwkDefinition createRsaJwkDefinition(Map attributes) { } RsaJwkDefinition jwkDefinition = new RsaJwkDefinition( - keyId, publicKeyUse, algorithm, modulus, exponent); + keyId, x5t, publicKeyUse, algorithm, modulus, exponent); return jwkDefinition; } @@ -192,13 +192,13 @@ private JwkDefinition createEllipticCurveJwkDefinition(Map attri if (!StringUtils.hasText(keyId)) { throw new JwkException(KEY_ID + " is a required attribute for an EC JWK."); } + String x5t = attributes.get(X5T); // use JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.fromValue(attributes.get(PUBLIC_KEY_USE)); if (!JwkDefinition.PublicKeyUse.SIG.equals(publicKeyUse)) { - throw new JwkException((publicKeyUse != null ? publicKeyUse.value() : "unknown") + - " (" + PUBLIC_KEY_USE + ") is currently not supported."); + return null; } // alg @@ -230,7 +230,7 @@ private JwkDefinition createEllipticCurveJwkDefinition(Map attri } EllipticCurveJwkDefinition jwkDefinition = new EllipticCurveJwkDefinition( - keyId, publicKeyUse, algorithm, x, y, curve); + keyId, x5t, publicKeyUse, algorithm, x, y, curve); return jwkDefinition; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java index 92a8e0f9c..fab93d130 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStore.java @@ -86,8 +86,12 @@ * @see JSON Web Token (JWT) * @see JSON Web Signature (JWS) * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Joe Grandja */ +@Deprecated public final class JwkTokenStore implements TokenStore { private final TokenStore delegate; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java index 3f2a6ebc3..58f166cfc 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverter.java @@ -29,6 +29,7 @@ import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.ALGORITHM; import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.KEY_ID; +import static org.springframework.security.oauth2.provider.token.store.jwk.JwkAttributes.X5T; /** * A specialized extension of {@link JwtAccessTokenConverter} that is responsible for verifying @@ -42,8 +43,8 @@ *
*
*

    - *
  1. Extract the "kid" parameter from the JWT header.
  2. - *
  3. Find the matching {@link JwkDefinition} from the {@link JwkDefinitionSource} with the corresponding "kid" attribute.
  4. + *
  5. Extract the "kid" and "x5t" parameters from the JWT header.
  6. + *
  7. Find the matching {@link JwkDefinition} from the {@link JwkDefinitionSource} with the corresponding "kid" or "x5t" attribute.
  8. *
  9. Obtain the {@link SignatureVerifier} associated with the {@link JwkDefinition} via the {@link JwkDefinitionSource} and verify the signature.
  10. *
*
@@ -67,6 +68,7 @@ * @see JSON Web Signature (JWS) * * @author Joe Grandja + * @author bjoern Eickvonder */ class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter { private final JwkDefinitionSource jwkDefinitionSource; @@ -95,14 +97,15 @@ class JwkVerifyingJwtAccessTokenConverter extends JwtAccessTokenConverter { protected Map decode(String token) { Map headers = this.jwtHeaderConverter.convert(token); - // Validate "kid" header + // Validate "kid" or "x5t" header String keyIdHeader = headers.get(KEY_ID); - if (keyIdHeader == null) { - throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " is a required JOSE Header"); + String x5tHeader = headers.get(X5T); + if (keyIdHeader == null && x5tHeader == null) { + throw new InvalidTokenException("Invalid JWT/JWS: " + KEY_ID + " or " + X5T + " is a required JOSE Header"); } - JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader); + JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = this.jwkDefinitionSource.getDefinitionLoadIfNecessary(keyIdHeader, x5tHeader); if (jwkDefinitionHolder == null) { - throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + ")"); + throw new InvalidTokenException("Invalid JOSE Header " + KEY_ID + " (" + keyIdHeader + "), " + X5T + " (" + x5tHeader + ")"); } JwkDefinition jwkDefinition = jwkDefinitionHolder.getJwkDefinition(); 
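Review bot: The `InvalidTokenException` thrown when no definition is found now embeds both `keyIdHeader` and `x5tHeader`, which come from the token header before any signature check and are neither length-limited nor sanitised here. If that message ends up in logs or in the error response (not visible in this hunk), it puts caller-chosen text in both. Consider naming only the headers that failed, e.g. `throw new InvalidTokenException("Invalid JOSE Header: no JWK matches " + KEY_ID + " or " + X5T);`. The algorithm-mismatch message in the next hunk has the same shape, and `decode` continues outside this hunk.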
@@ -113,13 +116,18 @@ protected Map decode(String token) { } if (jwkDefinition.getAlgorithm() != null && !algorithmHeader.equals(jwkDefinition.getAlgorithm().headerParamValue())) { throw new InvalidTokenException("Invalid JOSE Header " + ALGORITHM + " (" + algorithmHeader + ")" + - " does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + ")"); + " does not match algorithm associated to JWK with " + KEY_ID + " (" + keyIdHeader + "), " + X5T + " (" + x5tHeader + ")"); } // Verify signature SignatureVerifier verifier = jwkDefinitionHolder.getSignatureVerifier(); - Jwt jwt = JwtHelper.decode(token); - jwt.verifySignature(verifier); + Jwt jwt; + try { + jwt = JwtHelper.decode(token); + jwt.verifySignature(verifier); + } catch (Exception ex) { + throw new InvalidTokenException("Failed to decode/verify JWT/JWS", ex); + } Map claims = this.jsonParser.parseMap(jwt.getClaims()); if (claims.containsKey(EXP) && claims.get(EXP) instanceof Integer) { diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java index 141cadb97..5eada32c4 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinition.java 
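Review bot: The new `catch (Exception ex)` around `JwtHelper.decode` and `jwt.verifySignature` reports every failure as `InvalidTokenException`, including runtime faults that have nothing to do with the token, so a misconfigured verifier would look like a stream of bad tokens. Catching only the exception types those two calls throw would keep unexpected faults visible. If the broad catch is intended, record the reason with `// any decode/verify failure is reported as an invalid token, never as a server error`. `decode` starts and ends outside the hunk.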
@@ -31,18 +31,19 @@ final class RsaJwkDefinition extends JwkDefinition { * Creates an instance of a RSA JSON Web Key (JWK). * * @param keyId the Key ID + * @param x5t the X.509 Certificate SHA-1 Thumbprint ("x5t") * @param publicKeyUse the intended use of the Public Key * @param algorithm the algorithm intended to be used * @param modulus the modulus value for the Public Key * @param exponent the exponent value for the Public Key */ RsaJwkDefinition(String keyId, + String x5t, PublicKeyUse publicKeyUse, CryptoAlgorithm algorithm, String modulus, String exponent) { - - super(keyId, KeyType.RSA, publicKeyUse, algorithm); + super(keyId, x5t, KeyType.RSA, publicKeyUse, algorithm); this.modulus = modulus; this.exponent = exponent; } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java index 4a37506f7..4a1075d8b 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/BaseRedisTokenStoreSerializationStrategy.java @@ -3,8 +3,12 @@ /** * Handles null/empty byte arrays on deserialize and null objects on serialize. * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author efenderbosch */ +@Deprecated public abstract class BaseRedisTokenStoreSerializationStrategy implements RedisTokenStoreSerializationStrategy { private static final byte[] EMPTY_ARRAY = new byte[0]; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java index aae1d7b5e..373eb652e 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/JdkSerializationStrategy.java 
@@ -1,26 +1,70 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + package org.springframework.security.oauth2.provider.token.store.redis; -import org.springframework.data.redis.serializer.JdkSerializationRedisSerializer; +import org.springframework.core.serializer.support.SerializationFailedException; + +import java.io.Serializable; + +import org.springframework.security.oauth2.common.util.SerializationUtils; /** - * Serializes objects using {@link JdkSerializationRedisSerializer} + * Serializes and deserializes allowed objects using {@link SerializationUtils}. * - * @author efenderbosch + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. * + * @author efenderbosch + * @author Artem Smotrakov */ +@Deprecated public class JdkSerializationStrategy extends StandardStringSerializationStrategy { - private static final JdkSerializationRedisSerializer OBJECT_SERIALIZER = new JdkSerializationRedisSerializer(); + private static final byte[] EMPTY_ARRAY = new byte[0]; + + @Override + @SuppressWarnings("unchecked") + protected T deserializeInternal(byte[] bytes, Class clazz) { + if (bytes == null || bytes.length == 0) { + return null; + } + try { + return (T) SerializationUtils.deserialize(bytes); + } catch (Exception e) { + throw new SerializationFailedException("Failed to deserialize payload", e); + } + } - @Override - @SuppressWarnings("unchecked") - protected T deserializeInternal(byte[] bytes, Class clazz) { - return (T) OBJECT_SERIALIZER.deserialize(bytes); - } + @Override + protected byte[] serializeInternal(Object object) { + if (object == null) { + return EMPTY_ARRAY; + } + if (!(object instanceof Serializable)) { + throw new IllegalArgumentException(this.getClass().getSimpleName() + + " requires a Serializable payload but received an object of type [" + + object.getClass().getName() + "]"); + } - @Override - protected byte[] serializeInternal(Object object) { - return OBJECT_SERIALIZER.serialize(object); - } + try { + return SerializationUtils.serialize(object); + } catch (Exception e) { + throw new SerializationFailedException("Failed to serialize object", e); + } + } } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java index 9241570f7..519ffbea5 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java 
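Review bot: `deserializeInternal` never uses its `clazz` argument and returns the result of `SerializationUtils.deserialize(bytes)` through an unchecked cast, so a payload of an unexpected type is only detected later, at whichever caller first uses it. Checking at this boundary is cheap: `return clazz.cast(SerializationUtils.deserialize(bytes));`, which the existing `catch` would turn into `SerializationFailedException`. The class Javadoc says "allowed objects" but the allowlist itself is not visible in this file. A sentence pointing to where it is configured would help anyone who stores custom token or authentication types.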
+++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStore.java @@ -22,8 +22,12 @@ import java.util.List; /** + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author efenderbosch */ +@Deprecated public class RedisTokenStore implements TokenStore { private static final String ACCESS = "access:"; @@ -203,19 +207,19 @@ public void storeAccessToken(OAuth2AccessToken token, OAuth2Authentication authe } OAuth2RefreshToken refreshToken = token.getRefreshToken(); if (refreshToken != null && refreshToken.getValue() != null) { - byte[] refresh = serialize(token.getRefreshToken().getValue()); - byte[] auth = serialize(token.getValue()); - byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + token.getRefreshToken().getValue()); + byte[] refresh = serialize(refreshToken.getValue()); + byte[] access = serialize(token.getValue()); + byte[] refreshToAccessKey = serializeKey(REFRESH_TO_ACCESS + refreshToken.getValue()); byte[] accessToRefreshKey = serializeKey(ACCESS_TO_REFRESH + token.getValue()); if (springDataRedis_2_0) { try { - this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, auth); + this.redisConnectionSet_2_0.invoke(conn, refreshToAccessKey, access); this.redisConnectionSet_2_0.invoke(conn, accessToRefreshKey, refresh); } catch (Exception ex) { throw new RuntimeException(ex); } } else { - conn.set(refreshToAccessKey, auth); + conn.set(refreshToAccessKey, access); conn.set(accessToRefreshKey, refresh); } if (refreshToken instanceof ExpiringOAuth2RefreshToken) { 
@@ -357,15 +361,22 @@ public void removeRefreshToken(String tokenValue) { byte[] refreshKey = serializeKey(REFRESH + tokenValue); byte[] refreshAuthKey = serializeKey(REFRESH_AUTH + tokenValue); byte[] refresh2AccessKey = serializeKey(REFRESH_TO_ACCESS + tokenValue); - byte[] access2RefreshKey = serializeKey(ACCESS_TO_REFRESH + tokenValue); RedisConnection conn = getConnection(); try { conn.openPipeline(); conn.del(refreshKey); conn.del(refreshAuthKey); + conn.get(refresh2AccessKey); conn.del(refresh2AccessKey); - conn.del(access2RefreshKey); - conn.closePipeline(); + List results = conn.closePipeline(); + + byte[] accessTokenBytes = (byte[]) results.get(2); + if(accessTokenBytes != null) { + String accessTokenValue = deserializeString(accessTokenBytes); + byte[] access2RefreshKey = serializeKey(ACCESS_TO_REFRESH + accessTokenValue); + conn.del(access2RefreshKey); + } + } finally { conn.close(); } diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java index 3d48f56f6..cf48c2373 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreSerializationStrategy.java @@ -1,8 +1,12 @@ package org.springframework.security.oauth2.provider.token.store.redis; /** + *
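Review bot: In `removeRefreshToken`, `results.get(2)` depends on `conn.get(refresh2AccessKey)` being the third pipelined call, and nothing marks that coupling, so adding or reordering a call above it would silently pick up the wrong reply. Add a comment at the lookup such as `// index 2 = reply to conn.get(refresh2AccessKey); keep in step with the pipelined calls above`. The follow-up `conn.del(access2RefreshKey)` runs after `closePipeline()`, so the lookup and the delete are separate round trips and not atomic; say so if that is acceptable. The method starts outside the hunk.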

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author efenderbosch */ +@Deprecated public interface RedisTokenStoreSerializationStrategy { T deserialize(byte[] bytes, Class clazz); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java index 72b8faf18..a50545963 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/token/store/redis/StandardStringSerializationStrategy.java @@ -4,10 +4,14 @@ /** * Serializes Strings using {@link StringRedisSerializer} - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author efenderbosch * */ +@Deprecated public abstract class StandardStringSerializationStrategy extends BaseRedisTokenStoreSerializationStrategy { private static final StringRedisSerializer STRING_SERIALIZER = new StringRedisSerializer(); diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java index b843161ca..88f6ccd8f 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ClientScopeVoter.java @@ -18,10 +18,14 @@ * This voter checks scope in request is consistent with that held by the client. If there is no user in the request * (client_credentials grant) it checks against authorities of client instead of scopes by default. Activate by adding * CLIENT_HAS_SCOPE to security attributes. - * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ClientScopeVoter implements AccessDecisionVoter { private String clientHasScope = "CLIENT_HAS_SCOPE"; diff --git a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java index c1ec0c847..f98ccf436 100644 --- a/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java +++ b/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/vote/ScopeVoter.java @@ -52,10 +52,14 @@ * scope=https://my.company.com/scopes/read/ (scopePrefix="scope=") for Google-like URI scope * names. *

- * + * + *

+ * @deprecated See the OAuth 2.0 Migration Guide for Spring Security 5. + * * @author Dave Syer * */ +@Deprecated public class ScopeVoter implements AccessDecisionVoter { private String scopePrefix = "SCOPE_"; diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java new file mode 100644 index 000000000..d974c5a8f --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomAuthentication.java @@ -0,0 +1,40 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.company.oauth2; + +import org.springframework.security.authentication.AbstractAuthenticationToken; + +public class CustomAuthentication extends AbstractAuthenticationToken { + + private static final long serialVersionUID = 1L; + + private String principal; + + public CustomAuthentication(String name, boolean authenticated) { + super(null); + setAuthenticated(authenticated); + this.principal = name; + } + + public Object getCredentials() { + return null; + } + + public Object getPrincipal() { + return this.principal; + } +} diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java new file mode 100644 index 000000000..06e6f678f --- /dev/null 
+++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2AccessToken.java @@ -0,0 +1,26 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.company.oauth2; + +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; + +public class CustomOAuth2AccessToken extends DefaultOAuth2AccessToken { + + public CustomOAuth2AccessToken(String value) { + super(value); + } +} diff --git a/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java new file mode 100644 index 000000000..95f6cb897 --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/company/oauth2/CustomOAuth2Authentication.java 
@@ -0,0 +1,30 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.company.oauth2; + +import org.springframework.security.core.Authentication; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; + +public class CustomOAuth2Authentication extends OAuth2Authentication { + + public CustomOAuth2Authentication( + OAuth2Request storedRequest, + Authentication userAuthentication) { + super(storedRequest, userAuthentication); + } +} diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java new file mode 100644 index 000000000..9cfbfc2c6 --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/DefaultOAuth2ClientContextTests.java 
@@ -0,0 +1,21 @@ +package org.springframework.security.oauth2.client; + +import org.junit.Test; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; + +public class DefaultOAuth2ClientContextTests { + + @Test + public void resetsState() { + DefaultOAuth2ClientContext clientContext = new DefaultOAuth2ClientContext(); + clientContext.setPreservedState("state1", "some-state-1"); + clientContext.setPreservedState("state2", "some-state-2"); + clientContext.setPreservedState("state3", "some-state-3"); + assertNull(clientContext.removePreservedState("state1")); + assertNull(clientContext.removePreservedState("state2")); + assertEquals("some-state-3", clientContext.removePreservedState("state3")); + } + +} \ No newline at end of file diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java index 4d0d57792..1c419fde9 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/OAuth2RestTemplateTests.java @@ -7,6 +7,7 @@ import static org.junit.Assert.fail; import java.io.IOException; +import java.lang.reflect.Field; import java.net.URI; import java.util.Collections; import java.util.Date; 
@@ -27,10 +28,12 @@ import org.springframework.security.oauth2.client.resource.OAuth2ProtectedResourceDetails; import org.springframework.security.oauth2.client.resource.UserRedirectRequiredException; import org.springframework.security.oauth2.client.token.AccessTokenProvider; +import org.springframework.security.oauth2.client.token.AccessTokenProviderChain; import org.springframework.security.oauth2.client.token.AccessTokenRequest; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2RefreshToken; +import org.springframework.util.ReflectionUtils; import org.springframework.web.client.RequestCallback; import org.springframework.web.client.ResponseExtractor; import org.springframework.web.util.UriTemplate; 
@@ -200,6 +203,86 @@ public void testNewTokenAcquiredIfExpired() throws Exception { assertTrue(!token.equals(newToken)); } + // gh-1478 + @Test + public void testNewTokenAcquiredWithDefaultClockSkew() { + DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST"); + token.setExpiration(new Date(System.currentTimeMillis() + 29000)); // Default clock skew is 30 secs + restTemplate.getOAuth2ClientContext().setAccessToken(token); + restTemplate.setAccessTokenProvider(new StubAccessTokenProvider()); + OAuth2AccessToken newToken = restTemplate.getAccessToken(); + assertNotNull(newToken); + assertTrue(!token.equals(newToken)); + } + + // gh-1478 + @Test + public void testNewTokenAcquiredIfLessThanConfiguredClockSkew() { + DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST"); + token.setExpiration(new Date(System.currentTimeMillis() + 5000)); + restTemplate.setClockSkew(6); + restTemplate.getOAuth2ClientContext().setAccessToken(token); + restTemplate.setAccessTokenProvider(new StubAccessTokenProvider()); + OAuth2AccessToken newToken = restTemplate.getAccessToken(); + assertNotNull(newToken); + assertTrue(!token.equals(newToken)); + } + + // gh-1478 + @Test + public void testNewTokenNotAcquiredIfGreaterThanConfiguredClockSkew() { + DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST"); + token.setExpiration(new Date(System.currentTimeMillis() + 5000)); + restTemplate.setClockSkew(4); + restTemplate.getOAuth2ClientContext().setAccessToken(token); + restTemplate.setAccessTokenProvider(new StubAccessTokenProvider()); + OAuth2AccessToken newToken = restTemplate.getAccessToken(); + assertNotNull(newToken); + assertTrue(token.equals(newToken)); + } + + // gh-1478 + @Test(expected = IllegalArgumentException.class) + public void testNegativeClockSkew() { + restTemplate.setClockSkew(-1); + } + + // gh-1909 + @Test + public void testClockSkewPropagationIntoAccessTokenProviderChain() { + AccessTokenProvider accessTokenProvider = new 
AccessTokenProviderChain(Collections.emptyList()); + restTemplate.setAccessTokenProvider(accessTokenProvider); + restTemplate.setClockSkew(5); + + Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew"); + field.setAccessible(true); + + assertEquals(5, ReflectionUtils.getField(field, accessTokenProvider)); + } + + // gh-1909 + @Test + public void testApplyClockSkewOnProvidedAccessTokenProviderChain() { + AccessTokenProvider accessTokenProvider = new AccessTokenProviderChain(Collections.emptyList()); + restTemplate.setClockSkew(5); + restTemplate.setAccessTokenProvider(accessTokenProvider); + + Field field = ReflectionUtils.findField(accessTokenProvider.getClass(), "clockSkew"); + field.setAccessible(true); + + assertEquals(5, ReflectionUtils.getField(field, accessTokenProvider)); + } + + // gh-1909 + @Test + public void testClockSkewPropagationSkippedForNonAccessTokenProviderChainInstances() { + restTemplate.setClockSkew(5); + restTemplate.setAccessTokenProvider(null); + restTemplate.setClockSkew(5); + restTemplate.setAccessTokenProvider(new StubAccessTokenProvider()); + restTemplate.setClockSkew(5); + } + @Test public void testTokenIsResetIfInvalid() throws Exception { DefaultOAuth2AccessToken token = new DefaultOAuth2AccessToken("TEST"); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java index 5b9e08035..8848ecf0b 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/AccessTokenProviderChainTests.java 
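Review bot: `testClockSkewPropagationSkippedForNonAccessTokenProviderChainInstances` contains no assertion, so it passes whenever no exception is thrown and does not show that propagation was actually skipped. State the intent in a comment, e.g. `// passes if setClockSkew tolerates a null or non-chain provider without throwing`, or assert on observable state. In the two gh-1909 tests, `ReflectionUtils.findField(..., "clockSkew")` returns null if the field is renamed, and the test then fails with a NullPointerException at `field.setAccessible(true)`. Adding `assertNotNull(field);` before that line makes the failure self-explanatory.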
@@ -1,5 +1,5 @@ /* - * Copyright 2006-2011 the original author or authors. + * Copyright 2006-2021 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -145,7 +145,7 @@ public void testSunnyDayWithExpiredTokenAndTokenServices() throws Exception { } @Test - public void testSunnyDayWIthExpiredTokenAndValidRefreshToken() throws Exception { + public void testSunnyDayWithExpiredTokenAndValidRefreshToken() throws Exception { AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider())); accessToken.setExpiration(new Date(System.currentTimeMillis() - 1000)); accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP")); 
@@ -154,10 +154,37 @@ public void testSunnyDayWIthExpiredTokenAndValidRefreshToken() throws Exception SecurityContextHolder.getContext().setAuthentication(user); OAuth2AccessToken token = chain.obtainAccessToken(resource, request); assertNotNull(token); + assertEquals(refreshedToken, token); + } + + @Test + public void testSunnyDayWithTokenWithinClockSkewWindowAndValidRefreshToken() throws Exception { + AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider())); + accessToken.setExpiration(new Date(System.currentTimeMillis() + 1000)); + accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP")); + AccessTokenRequest request = new DefaultAccessTokenRequest(); + request.setExistingToken(accessToken); + SecurityContextHolder.getContext().setAuthentication(user); + OAuth2AccessToken token = chain.obtainAccessToken(resource, request); + assertNotNull(token); + assertEquals(refreshedToken, token); + } + + @Test + public void testSunnyDayWithTokenOutsideClockSkewWindowAndValidRefreshToken() throws Exception { + AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider())); + accessToken.setExpiration(new Date(System.currentTimeMillis() + 31000)); + accessToken.setRefreshToken(new DefaultOAuth2RefreshToken("EXP")); + AccessTokenRequest request = new DefaultAccessTokenRequest(); + request.setExistingToken(accessToken); + SecurityContextHolder.getContext().setAuthentication(user); + OAuth2AccessToken token = chain.obtainAccessToken(resource, request); + assertNotNull(token); + assertEquals(accessToken, token); } @Test(expected = InvalidTokenException.class) - public void testSunnyDayWIthExpiredTokenAndExpiredRefreshToken() throws Exception { + public void testSunnyDayWithExpiredTokenAndExpiredRefreshToken() throws Exception { AccessTokenProviderChain chain = new AccessTokenProviderChain(Arrays.asList(new StubAccessTokenProvider())); accessToken.setExpiration(new 
Date(System.currentTimeMillis() - 1000)); DefaultOAuth2RefreshToken refreshToken = new DefaultExpiringOAuth2RefreshToken("EXP", diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java index b3548aee5..2195f326a 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/JdbcClientTokenServicesTests.java @@ -1,10 +1,10 @@ package org.springframework.security.oauth2.client.token; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNull; - +import java.util.ArrayList; import java.util.Arrays; +import java.util.List; +import org.company.oauth2.CustomOAuth2AccessToken; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -15,10 +15,15 @@ import org.springframework.security.oauth2.client.token.grant.code.AuthorizationCodeResourceDetails; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.SerializationStrategy; +import org.springframework.security.oauth2.common.util.SerializationUtils; +import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy; + +import static org.junit.Assert.*; /** * @author Dave Syer - * + * @author Artem Smotrakov */ public class JdbcClientTokenServicesTests { 
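Review bot: The offsets `+ 1000` and `+ 31000` in the two new tests only make sense against the chain's default clock skew, which this file never states (presumably 30 seconds, going by the comment in the OAuth2RestTemplateTests hunk). A comment on each expiry line would record the dependency, e.g. `// inside the default 30 s clock-skew window, so the token is refreshed` and `// just outside the default 30 s clock-skew window, so the existing token is kept`. Without it, a change to the default silently changes which branch these tests cover.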
@@ -79,4 +84,58 @@ public void testSaveAndRemoveToken() throws Exception { assertNull(result); } + @Test + public void testSaveAndRetrieveCustomToken() { + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO"); + Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala"); + AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails(); + resource.setClientId("client"); + resource.setScope(Arrays.asList("foo", "bar")); + tokenStore.saveAccessToken(resource, authentication, accessToken); + OAuth2AccessToken result = tokenStore.getAccessToken(resource, authentication); + assertNotNull(result); + assertEquals(accessToken, result); + } + + @Test(expected = IllegalArgumentException.class) + public void testSaveAndRetrieveNotAllowedCustomToken() { + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO"); + Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala"); + AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails(); + resource.setClientId("client"); + resource.setScope(Arrays.asList("foo", "bar")); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + tokenStore.saveAccessToken(resource, authentication, accessToken); + tokenStore.getAccessToken(resource, authentication); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + + @Test + public void testSaveAndRetrieveCustomTokenWithCustomSerializationStrategy() { + List allowedClasses = new ArrayList(); + allowedClasses.add("java.util."); + allowedClasses.add("org.springframework.security."); + allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken"); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses); + 
SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO"); + Authentication authentication = new UsernamePasswordAuthenticationToken("marissa", "koala"); + AuthorizationCodeResourceDetails resource = new AuthorizationCodeResourceDetails(); + resource.setClientId("client"); + resource.setScope(Arrays.asList("foo", "bar")); + tokenStore.saveAccessToken(resource, authentication, accessToken); + OAuth2AccessToken result = tokenStore.getAccessToken(resource, authentication); + assertNotNull(result); + assertEquals(accessToken, result); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java index 3a0430d3d..c5a0c66af 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/OAuth2AccessTokenSupportTests.java @@ -16,8 +16,6 @@ package org.springframework.security.oauth2.client.token; -import static org.junit.Assert.assertEquals; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -26,9 +24,10 @@ import java.net.URI; import java.util.Arrays; -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Before; import org.junit.Test; + import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; 
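Review bot: In `testSaveAndRetrieveNotAllowedCustomToken` the `expected = IllegalArgumentException.class` covers both `saveAccessToken` and `getAccessToken`, so the test also passes if the exception comes from the write path or from an unrelated argument check rather than from the allowlist refusing to deserialize `CustomOAuth2AccessToken`. The allowlist is a control on what is read back, so the token should be saved before the strategy is switched: move `tokenStore.saveAccessToken(resource, authentication, accessToken);` above `SerializationUtils.setSerializationStrategy(newStrategy);` so that only the read runs under `WhitelistedSerializationStrategy`. The try/finally that restores the previous strategy should stay, since the strategy appears to be process-wide static state shared with the other tests.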
@@ -45,6 +44,8 @@ import org.springframework.util.LinkedMultiValueMap; import org.springframework.util.MultiValueMap; +import static org.junit.Assert.assertEquals; + /** * @author Dave Syer * diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java index c4593439d..61a645551 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/client/token/grant/code/AuthorizationCodeAccessTokenProviderWithConversionTests.java @@ -12,9 +12,6 @@ */ package org.springframework.security.oauth2.client.token.grant.code; -import static org.hamcrest.CoreMatchers.instanceOf; -import static org.junit.Assert.assertEquals; - import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; @@ -23,13 +20,14 @@ import java.net.URI; import java.net.URISyntaxException; -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.hamcrest.Description; import org.hamcrest.Matcher; import org.hamcrest.TypeSafeMatcher; import org.junit.Rule; import org.junit.Test; import org.junit.rules.ExpectedException; + import org.springframework.http.HttpHeaders; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; @@ -44,6 +42,9 @@ import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.InvalidClientException; +import static org.hamcrest.CoreMatchers.instanceOf; +import static org.junit.Assert.assertEquals; + /** * @author Dave Syer * 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java index 93a277c4f..175d1150d 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/BaseOAuth2AccessTokenJacksonTest.java @@ -55,6 +55,8 @@ abstract class BaseOAuth2AccessTokenJacksonTest { protected static final String ACCESS_TOKEN_ADDITIONAL_INFO = "{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"one\":\"two\",\"three\":4,\"five\":{\"six\":7}}"; + protected static final String ACCESS_TOKEN_ZERO_EXPIRES = "{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"expires_in\":0}"; + @Rule public ExpectedException thrown = ExpectedException.none(); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java index 15168df0b..c51fcc367 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/JsonSerializationTests.java 
@@ -16,16 +16,17 @@ package org.springframework.security.oauth2.common; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertTrue; - import java.util.Date; -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Test; + import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.exceptions.OAuth2Exception; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; + /** * @author Dave Syer * diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java deleted file mode 100644 index ff855f5d3..000000000 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1DeserializerTests.java +++ /dev/null 
@@ -1,125 +0,0 @@ -/* - * Copyright 2011 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on - * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the - * specific language governing permissions and limitations under the License. - */ -package org.springframework.security.oauth2.common; - -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNull; - -import java.io.IOException; -import java.util.Date; -import java.util.HashSet; - -import org.codehaus.jackson.JsonGenerationException; -import org.codehaus.jackson.map.JsonMappingException; -import org.codehaus.jackson.map.ObjectMapper; -import org.junit.Before; -import org.junit.Test; -import org.powermock.core.classloader.annotations.PrepareForTest; - -/** - * Tests deserialization of an {@link OAuth2AccessToken} using jackson. 
- * - * @author Rob Winch - */ -@PrepareForTest(OAuth2AccessTokenJackson1Deserializer.class) -public class OAuth2AccessTokenJackson1DeserializerTests extends BaseOAuth2AccessTokenJacksonTest { - - protected ObjectMapper mapper; - - @Before - public void createObjectMapper() { - mapper = new ObjectMapper(); - } - - @Test - public void readValueNoRefresh() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setRefreshToken(null); - accessToken.setScope(null); - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_NOREFRESH, OAuth2AccessToken.class); - assertTokenEquals(accessToken,actual); - } - - @Test - public void readValueWithRefresh() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setScope(null); - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_NOSCOPE, OAuth2AccessToken.class); - assertTokenEquals(accessToken,actual); - } - - @Test - public void readValueWithSingleScopes() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.getScope().remove(accessToken.getScope().iterator().next()); - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_SINGLESCOPE, OAuth2AccessToken.class); - assertTokenEquals(accessToken,actual); - } - - @Test - public void readValueWithEmptyStringScope() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setScope(new HashSet()); - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_EMPTYSCOPE, OAuth2AccessToken.class); - assertTokenEquals(accessToken, actual); - } - - @Test - public void readValueWithBrokenExpiresIn() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setScope(new HashSet()); - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_BROKENEXPIRES, OAuth2AccessToken.class); - assertTokenEquals(accessToken, actual); - } - - @Test - public void readValueWithMultiScopes() throws Exception { - OAuth2AccessToken actual = 
mapper.readValue(ACCESS_TOKEN_MULTISCOPE, OAuth2AccessToken.class); - assertTokenEquals(accessToken,actual); - } - - @Test - public void readValueWithMac() throws Exception { - accessToken.setTokenType("mac"); - String encodedToken = ACCESS_TOKEN_MULTISCOPE.replace("bearer", accessToken.getTokenType()); - OAuth2AccessToken actual = mapper.readValue(encodedToken, OAuth2AccessToken.class); - assertTokenEquals(accessToken,actual); - } - - @Test - public void readValueWithAdditionalInformation() throws Exception { - OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_ADDITIONAL_INFO, OAuth2AccessToken.class); - accessToken.setAdditionalInformation(additionalInformation); - accessToken.setRefreshToken(null); - accessToken.setScope(null); - accessToken.setExpiration(null); - assertTokenEquals(accessToken,actual); - } - - private static void assertTokenEquals(OAuth2AccessToken expected, OAuth2AccessToken actual) { - assertEquals(expected.getTokenType(), actual.getTokenType()); - assertEquals(expected.getValue(), actual.getValue()); - - OAuth2RefreshToken expectedRefreshToken = expected.getRefreshToken(); - if (expectedRefreshToken == null) { - assertNull(actual.getRefreshToken()); - } - else { - assertEquals(expectedRefreshToken.getValue(), actual.getRefreshToken().getValue()); - } - assertEquals(expected.getScope(), actual.getScope()); - Date expectedExpiration = expected.getExpiration(); - if (expectedExpiration == null) { - assertNull(actual.getExpiration()); - } - else { - assertEquals(expectedExpiration.getTime(), actual.getExpiration().getTime()); - } - assertEquals(expected.getAdditionalInformation(), actual.getAdditionalInformation()); - } -} \ No newline at end of file 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java deleted file mode 100644 index 609c2fa3c..000000000 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson1SerializerTests.java +++ /dev/null 
@@ -1,118 +0,0 @@ -package org.springframework.security.oauth2.common; - -import static org.junit.Assert.assertEquals; - -import java.io.IOException; - -import org.codehaus.jackson.JsonGenerationException; -import org.codehaus.jackson.map.JsonMappingException; -import org.codehaus.jackson.map.ObjectMapper; -import org.junit.Before; -import org.junit.Test; -import org.powermock.core.classloader.annotations.PrepareForTest; - -/** - * Tests serialization of an {@link OAuth2AccessToken} using jackson. - * - * @author Rob Winch - */ -@PrepareForTest(OAuth2AccessTokenJackson1Serializer.class) -public class OAuth2AccessTokenJackson1SerializerTests extends BaseOAuth2AccessTokenJacksonTest { - - protected ObjectMapper mapper; - - @Before - public void createObjectMapper() { - mapper = new ObjectMapper(); - } - - @Test - public void writeValueAsStringNoRefresh() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setRefreshToken(null); - accessToken.setScope(null); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOREFRESH, encodedAccessToken); - } - - @Test - public void writeValueAsStringWithRefresh() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setScope(null); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOSCOPE, encodedAccessToken); - } - - @Test - public void writeValueAsStringWithEmptyScope() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.getScope().clear(); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_NOSCOPE, encodedAccessToken); - } - - @Test - public void writeValueAsStringWithSingleScopes() throws JsonGenerationException, JsonMappingException, IOException { - 
accessToken.getScope().remove(accessToken.getScope().iterator().next()); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_SINGLESCOPE, encodedAccessToken); - } - - @Test - public void writeValueAsStringWithNullScope() throws JsonGenerationException, JsonMappingException, IOException { - thrown.expect(JsonMappingException.class); - thrown.expectMessage("Scopes cannot be null or empty. Got [null]"); - - accessToken.getScope().clear(); - try { - accessToken.getScope().add(null); - } - catch (NullPointerException e) { - // short circuit NPE from Java 7 (which is correct but only relevant for this test) - throw new JsonMappingException("Scopes cannot be null or empty. Got [null]"); - } - mapper.writeValueAsString(accessToken); - } - - @Test - public void writeValueAsStringWithEmptyStringScope() throws JsonGenerationException, JsonMappingException, - IOException { - thrown.expect(JsonMappingException.class); - thrown.expectMessage("Scopes cannot be null or empty. 
Got []"); - - accessToken.getScope().clear(); - accessToken.getScope().add(""); - mapper.writeValueAsString(accessToken); - } - - @Test - public void writeValueAsStringWithQuoteInScope() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.getScope().add("\""); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals( - "{\"access_token\":\"token-value\",\"token_type\":\"bearer\",\"refresh_token\":\"refresh-value\",\"expires_in\":10,\"scope\":\"\\\" read write\"}", - encodedAccessToken); - } - - @Test - public void writeValueAsStringWithMultiScopes() throws JsonGenerationException, JsonMappingException, IOException { - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(ACCESS_TOKEN_MULTISCOPE, encodedAccessToken); - } - - @Test - public void writeValueAsStringWithMac() throws Exception { - accessToken.setTokenType("mac"); - String expectedEncodedAccessToken = ACCESS_TOKEN_MULTISCOPE.replace("bearer", accessToken.getTokenType()); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(expectedEncodedAccessToken, encodedAccessToken); - } - - @Test - public void writeValueWithAdditionalInformation() throws JsonGenerationException, JsonMappingException, IOException { - accessToken.setRefreshToken(null); - accessToken.setScope(null); - accessToken.setExpiration(null); - accessToken.setAdditionalInformation(additionalInformation); - String encodedAccessToken = mapper.writeValueAsString(accessToken); - assertEquals(BaseOAuth2AccessTokenJacksonTest.ACCESS_TOKEN_ADDITIONAL_INFO, encodedAccessToken); - } - -} \ No newline at end of file diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java index fbd43158a..b91503d47 100644 
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/OAuth2AccessTokenJackson2DeserializerTests.java @@ -25,6 +25,7 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertFalse; /** * Tests deserialization of an {@link org.springframework.security.oauth2.common.OAuth2AccessToken} using jackson. @@ -107,6 +108,12 @@ public void readValueWithAdditionalInformation() throws Exception { assertTokenEquals(accessToken,actual); } + @Test + public void readValueWithZeroExpiresAsNotExpired() throws Exception { + OAuth2AccessToken actual = mapper.readValue(ACCESS_TOKEN_ZERO_EXPIRES, OAuth2AccessToken.class); + assertFalse("Token with expires_in:0 must be treated as not expired.", actual.isExpired()); + } + private static void assertTokenEquals(OAuth2AccessToken expected, OAuth2AccessToken actual) { assertEquals(expected.getTokenType(), actual.getTokenType()); assertEquals(expected.getValue(), actual.getValue()); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java index 573e38fc7..5fe77127e 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionDeserializerTests.java 
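Review bot: `readValueWithZeroExpiresAsNotExpired` pins only `isExpired()`, and nothing in the test says why `expires_in: 0` is read as "no expiry" rather than "already expired". This rule decides whether a client keeps presenting a token, so it deserves a comment above the test, e.g. `// expires_in of 0 is treated as "no expiry supplied", not as an expired token`, ideally with an issue reference like the `gh-` comments on the other new tests. It would also help to assert what `actual.getExpiration()` returns for this input so the stored representation is fixed too; the expected value is not visible in this hunk.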
@@ -12,12 +12,23 @@ */ package org.springframework.security.oauth2.common.exception; -import static org.junit.Assert.assertEquals; - -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.BeforeClass; import org.junit.Test; -import org.springframework.security.oauth2.common.exceptions.*; + +import org.springframework.security.oauth2.common.exceptions.InsufficientScopeException; +import org.springframework.security.oauth2.common.exceptions.InvalidClientException; +import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; +import org.springframework.security.oauth2.common.exceptions.InvalidRequestException; +import org.springframework.security.oauth2.common.exceptions.InvalidScopeException; +import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; +import org.springframework.security.oauth2.common.exceptions.OAuth2Exception; +import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException; +import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException; +import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException; +import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException; + +import static org.junit.Assert.assertEquals; /** * diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java index 0e88364ea..59ed4f755 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exception/OAuth2ExceptionSerializerTests.java 
@@ -12,13 +12,23 @@ */ package org.springframework.security.oauth2.common.exception; -import static org.junit.Assert.assertEquals; - -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.After; import org.junit.BeforeClass; import org.junit.Test; -import org.springframework.security.oauth2.common.exceptions.*; + +import org.springframework.security.oauth2.common.exceptions.InvalidClientException; +import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; +import org.springframework.security.oauth2.common.exceptions.InvalidRequestException; +import org.springframework.security.oauth2.common.exceptions.InvalidScopeException; +import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; +import org.springframework.security.oauth2.common.exceptions.OAuth2Exception; +import org.springframework.security.oauth2.common.exceptions.RedirectMismatchException; +import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException; +import org.springframework.security.oauth2.common.exceptions.UnsupportedGrantTypeException; +import org.springframework.security.oauth2.common.exceptions.UserDeniedAuthorizationException; + +import static org.junit.Assert.assertEquals; /** * diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionTests.java deleted file mode 100644 index 434b11337..000000000 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/exceptions/OAuth2ExceptionTests.java +++ /dev/null 
@@ -1,40 +0,0 @@ -/* - * Copyright 2002-2019 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * https://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.springframework.security.oauth2.common.exceptions; - -import org.junit.Test; - -import static org.junit.Assert.fail; - -/** - * @author Joe Grandja - */ -public class OAuth2ExceptionTests { - - // gh-889 gh-997 - @Test - public void constructorWhenDescriptionIsInvalidThenThrowException() { - assertConstructorException("\""); - assertConstructorException("\\"); - } - - private void assertConstructorException(String errorDescription) { - try { - new OAuth2Exception(errorDescription); - fail(); - } catch (Exception ex) { } - } -} \ No newline at end of file diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java new file mode 100644 index 000000000..cbe70acc6 --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/CustomSerializationStrategyTests.java 
@@ -0,0 +1,103 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.common.util; + + +import org.company.oauth2.CustomAuthentication; +import org.company.oauth2.CustomOAuth2AccessToken; +import org.company.oauth2.CustomOAuth2Authentication; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.powermock.modules.junit4.PowerMockRunner; +import org.springframework.core.io.support.SpringFactoriesLoader; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; +import org.springframework.security.oauth2.provider.RequestTokenFactory; + +import java.io.Serializable; +import java.util.*; + +import static org.junit.Assert.*; +import static org.powermock.api.mockito.PowerMockito.spy; +import static org.powermock.api.mockito.PowerMockito.when; + +@RunWith(PowerMockRunner.class) +@PrepareForTest({ SpringFactoriesLoader.class }) +public class CustomSerializationStrategyTests { + + @Test + 
public void loadCustomSerializationStrategy() { + spy(SpringFactoriesLoader.class); + when(SpringFactoriesLoader + .loadFactories(SerializationStrategy.class, SerializationUtils.class.getClassLoader())) + .thenReturn(Arrays.asList(new CustomSerializationStrategy())); + + deserialize(new DefaultOAuth2AccessToken("access-token-" + UUID.randomUUID())); + + deserialize(new OAuth2Authentication( + new OAuth2Request(Collections.emptyMap(), "clientId", Collections.emptyList(), + false, Collections.emptySet(), + new HashSet(Arrays.asList("resourceId-1", "resourceId-2")), "redirectUri", + Collections.emptySet(), Collections.emptyMap()), + new UsernamePasswordAuthenticationToken("test", "N/A"))); + + deserialize(new DefaultExpiringOAuth2RefreshToken( + "access-token-" + UUID.randomUUID(), new Date())); + + deserialize("xyz"); + deserialize(new HashMap()); + + deserialize(new CustomOAuth2AccessToken("xyz")); + + deserialize( + new CustomOAuth2Authentication( + RequestTokenFactory.createOAuth2Request("id", false), + new CustomAuthentication("test", false))); + } + + private void deserialize(Object object) { + byte[] bytes = SerializationUtils.serialize(object); + assertNotNull(bytes); + assertTrue(bytes.length > 0); + + Object clone = SerializationUtils.deserialize(bytes); + assertNotNull(clone); + assertEquals(object, clone); + } + + private static class CustomSerializationStrategy extends WhitelistedSerializationStrategy { + + private static final List ALLOWED_CLASSES = new ArrayList(); + static { + ALLOWED_CLASSES.add("java.lang."); + ALLOWED_CLASSES.add("java.util."); + ALLOWED_CLASSES.add("org.springframework.security."); + ALLOWED_CLASSES.add("org.company.oauth2."); + } + + CustomSerializationStrategy() { + super(ALLOWED_CLASSES); + } + + } + +} 
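Review bot: `loadCustomSerializationStrategy` never checks that `CustomSerializationStrategy` is the strategy actually in use, so it would still pass if the stubbed `SpringFactoriesLoader.loadFactories` call were never consulted. `SerializationUtilsTests.deserializeCustomClasses` in this same diff round-trips a `CustomOAuth2AccessToken` without configuring any strategy, which suggests the default already accepts every object serialized here. Consider asserting the loaded strategy first, e.g. `assertTrue(SerializationUtils.getSerializationStrategy() instanceof CustomSerializationStrategy);`, and adding one round trip of a type outside `ALLOWED_CLASSES` that is expected to be rejected. The allowlist also uses whole-package prefixes such as `java.util.`; a short comment that this breadth is for the test only would keep it from being copied as a production allowlist.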
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java
new file mode 100644
index 000000000..7f4d8bab5
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/RandomValueStringGeneratorTests.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright 2012-2020 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.oauth2.common.util;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import java.security.SecureRandom;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+
+/**
+ * Tests for {@link RandomValueStringGenerator}
+ *
+ * @author Josh Kerr
+ */
+public class RandomValueStringGeneratorTests {
+
+ private RandomValueStringGenerator generator;
+
+ @Before
+ public void setup() {
+ generator = new RandomValueStringGenerator();
+ }
+
+ @Test
+ public void generate() {
+ String value = generator.generate();
+ assertNotNull(value);
+ assertEquals("Authorization code is not correct size", 6, value.length());
+ }
+
+ @Test
+ public void generate_LargeLengthOnConstructor() {
+ generator = new RandomValueStringGenerator(1024);
+ String value = generator.generate();
+ assertNotNull(value);
+ assertEquals("Authorization code is not correct size", 1024, value.length());
+ }
+
+ @Test
+ public void getAuthorizationCodeString() {
+ byte[] bytes = new byte[10];
+ new SecureRandom().nextBytes(bytes);
+ String value = generator.getAuthorizationCodeString(bytes);
+ assertNotNull(value);
+ assertEquals("Authorization code is not correct size", 10, value.length());
+ }
+
+ @Test
+ public void setLength() {
+ generator.setLength(12);
+ String value = generator.generate();
+ assertEquals("Authorization code is not correct size", 12, value.length());
+ }
+
+ @Test(expected = IllegalArgumentException.class)
+ public void setLength_NonPositiveNumber() {
+ generator.setLength(-1);
+ generator.generate();
+ }
+}
\ No newline at end of file
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java
new file mode 100644
index 000000000..fd73714f4
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/common/util/SerializationUtilsTests.java
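Review bot: `setLength_NonPositiveNumber` in `RandomValueStringGeneratorTests` passes when either `generator.setLength(-1)` or `generator.generate()` throws, so it does not pin where a bad length is rejected, and despite its name it never exercises zero. If `setLength` is meant to validate its argument, drop the `generate()` call so the expected exception is tied to the setter, and add a sibling test using `generator.setLength(0);`. The other tests assert only the length of the result; a cheap extra check such as `assertNotEquals(generator.generate(), generator.generate());` (with the matching static import) would also catch a generator that returns a constant value.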
@@ -0,0 +1,96 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.common.util; + +import org.company.oauth2.CustomOAuth2AccessToken; +import org.junit.Test; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken; +import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; +import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; + +import java.io.Serializable; +import java.util.Arrays; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.HashSet; +import java.util.UUID; + +import static org.junit.Assert.*; + +/** + * @author Artem Smotrakov + */ +public class SerializationUtilsTests { + + @Test + public void deserializeAllowedClasses() { + deserializeAllowedClasses(new DefaultOAuth2AccessToken("access-token-" + UUID.randomUUID())); + + deserializeAllowedClasses(new OAuth2Authentication( + new OAuth2Request(Collections.emptyMap(), "clientId", Collections.emptyList(), + false, Collections.emptySet(), + new HashSet(Arrays.asList("resourceId-1", 
"resourceId-2")), "redirectUri", + Collections.emptySet(), Collections.emptyMap()), + new UsernamePasswordAuthenticationToken("test", "N/A"))); + + deserializeAllowedClasses(new DefaultExpiringOAuth2RefreshToken( + "access-token-" + UUID.randomUUID(), new Date())); + + deserializeAllowedClasses("xyz"); + deserializeAllowedClasses(new HashMap()); + } + + private void deserializeAllowedClasses(Object object) { + byte[] bytes = SerializationUtils.serialize(object); + assertNotNull(bytes); + assertTrue(bytes.length > 0); + + Object clone = SerializationUtils.deserialize(bytes); + assertNotNull(clone); + assertEquals(object, clone); + } + + @Test + public void deserializeCustomClasses() { + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO"); + byte[] bytes = SerializationUtils.serialize(accessToken); + OAuth2AccessToken clone = SerializationUtils.deserialize(bytes); + assertNotNull(clone); + assertEquals(accessToken, clone); + } + + @Test(expected = IllegalArgumentException.class) + public void deserializeNotAllowedCustomClasses() { + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("FOO"); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + byte[] bytes = SerializationUtils.serialize(accessToken); + OAuth2AccessToken clone = SerializationUtils.deserialize(bytes); + assertNotNull(clone); + assertEquals(accessToken, clone); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } +} \ No newline at end of file diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java index 1e63ddd3c..a5544dce6 100644 
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/annotation/AuthorizationServerConfigurationTests.java @@ -27,9 +27,18 @@ import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.mock.web.MockServletContext; +import org.springframework.security.authentication.AnonymousAuthenticationProvider; +import org.springframework.security.authentication.AuthenticationEventPublisher; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.authentication.DefaultAuthenticationEventPublisher; +import org.springframework.security.authentication.ProviderManager; +import org.springframework.security.authentication.TestingAuthenticationProvider; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.authentication.dao.DaoAuthenticationProvider; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity; +import org.springframework.security.config.authentication.AuthenticationManagerBeanDefinitionParser; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; 
@@ -64,10 +73,13 @@ import org.springframework.security.oauth2.provider.token.store.JdbcTokenStore; import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter; import org.springframework.security.oauth2.provider.token.store.JwtTokenStore; +import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.test.util.ReflectionTestUtils; import org.springframework.web.context.support.AnnotationConfigWebApplicationContext; import org.springframework.web.servlet.handler.HandlerInterceptorAdapter; +import javax.servlet.Filter; import javax.sql.DataSource; import java.util.Arrays; import java.util.List; @@ -112,7 +124,10 @@ public static List parameters() { new Object[] { null, new Class[] { AuthorizationServerCustomGranter.class } }, new Object[] { null, new Class[] { AuthorizationServerSslEnabled.class } }, new Object[] { null, new Class[] { AuthorizationServerCustomRedirectResolver.class } }, - new Object[] { null, new Class[] { AuthorizationServerDefaultRedirectResolver.class } } + new Object[] { null, new Class[] { AuthorizationServerDefaultRedirectResolver.class } }, + new Object[] { null, new Class[] { AuthorizationServerCustomAuthenticationProvidersOnTokenEndpoint.class } }, + new Object[] { null, new Class[] { AuthorizationServerDefaultAuthenticationProviderOnTokenEndpoint.class } }, + new Object[] { null, new Class[] { AuthorizationServerCustomAuthenticationEventPublisher.class } } // @formatter:on ); } 
@@ -736,4 +751,129 @@ public void configure(AuthorizationServerSecurityConfigurer security) throws Exc security.sslOnly(); } } + + @Configuration + @EnableWebMvcSecurity + @EnableAuthorizationServer + protected static class AuthorizationServerCustomAuthenticationProvidersOnTokenEndpoint extends + AuthorizationServerConfigurerAdapter implements Runnable { + + @Autowired + private ApplicationContext context; + + @Override + public void configure(AuthorizationServerSecurityConfigurer security) + throws Exception { + security.addAuthenticationProvider(new AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider()); + security.addAuthenticationProvider(new TestingAuthenticationProvider()); + } + + @Override + public void run() { + FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class); + List filters = springSecurityFilterChain.getFilters("/oauth/token"); + BasicAuthenticationFilter basicAuthenticationFilter = null; + for (Filter filter : filters) { + if (filter instanceof BasicAuthenticationFilter) { + basicAuthenticationFilter = (BasicAuthenticationFilter) filter; + break; + } + } + + ProviderManager authenticationManager = (ProviderManager) ReflectionTestUtils.getField(basicAuthenticationFilter, "authenticationManager"); + boolean nullAuthenticationProviderFound = false; + boolean testingAuthenticationProviderFound = false; + boolean anonymousAuthenticationProviderFound = false; + for (AuthenticationProvider provider : authenticationManager.getProviders()) { + if (provider instanceof AuthenticationManagerBeanDefinitionParser.NullAuthenticationProvider) { + nullAuthenticationProviderFound = true; + } else if (provider instanceof TestingAuthenticationProvider) { + testingAuthenticationProviderFound = true; + } else if (provider instanceof AnonymousAuthenticationProvider) { + anonymousAuthenticationProviderFound = true; + } + } + + assertEquals(3, authenticationManager.getProviders().size()); + 
assertTrue(testingAuthenticationProviderFound); + assertTrue(anonymousAuthenticationProviderFound); + assertTrue(nullAuthenticationProviderFound); + } + } + + @Configuration + @EnableWebMvcSecurity + @EnableAuthorizationServer + protected static class AuthorizationServerDefaultAuthenticationProviderOnTokenEndpoint extends + AuthorizationServerConfigurerAdapter implements Runnable { + + @Autowired + private ApplicationContext context; + + @Override + public void run() { + FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class); + List filters = springSecurityFilterChain.getFilters("/oauth/token"); + BasicAuthenticationFilter basicAuthenticationFilter = null; + for (Filter filter : filters) { + if (filter instanceof BasicAuthenticationFilter) { + basicAuthenticationFilter = (BasicAuthenticationFilter) filter; + break; + } + } + + ProviderManager authenticationManager = (ProviderManager) ReflectionTestUtils.getField(basicAuthenticationFilter, "authenticationManager"); + boolean anonymousAuthenticationProviderFound = false; + boolean daoAuthenticationProviderFound = false; + + for (AuthenticationProvider provider : authenticationManager.getProviders()) { + if (provider instanceof DaoAuthenticationProvider) { + daoAuthenticationProviderFound = true; + } else if (provider instanceof AnonymousAuthenticationProvider) { + anonymousAuthenticationProviderFound = true; + } + } + + assertEquals(2, authenticationManager.getProviders().size()); + assertTrue(anonymousAuthenticationProviderFound); + assertTrue(daoAuthenticationProviderFound); + } + } + + @Configuration + @EnableWebMvcSecurity + @EnableAuthorizationServer + protected static class AuthorizationServerCustomAuthenticationEventPublisher extends + AuthorizationServerConfigurerAdapter implements Runnable { + + @Autowired + private ApplicationContext context; + private AuthenticationEventPublisher defaultAuthenticationEventPublisher = new DefaultAuthenticationEventPublisher(); + + @Override + 
public void configure(AuthorizationServerSecurityConfigurer security) + throws Exception { + security.authenticationEventPublisher(defaultAuthenticationEventPublisher); + } + + @Override + public void run() { + FilterChainProxy springSecurityFilterChain = context.getBean(FilterChainProxy.class); + List filters = springSecurityFilterChain.getFilters("/oauth/token"); + BasicAuthenticationFilter basicAuthenticationFilter = null; + for (Filter filter : filters) { + if (filter instanceof BasicAuthenticationFilter) { + basicAuthenticationFilter = (BasicAuthenticationFilter) filter; + break; + } + } + + AuthenticationManager authenticationManager = (AuthenticationManager) ReflectionTestUtils. + getField(basicAuthenticationFilter, "authenticationManager"); + AuthenticationEventPublisher authenticationEventPublisher = (AuthenticationEventPublisher) ReflectionTestUtils. + getField(authenticationManager, "eventPublisher"); + + assertTrue(authenticationEventPublisher == defaultAuthenticationEventPublisher); + } + } } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java index 6008f8d83..f8acdc140 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/config/xml/AuthorizationServerClientCredentialsPasswordValidXmlTests.java @@ -43,7 +43,6 @@ @WebAppConfiguration public class AuthorizationServerClientCredentialsPasswordValidXmlTests { private static final String CLIENT_ID = "acme"; - private static final String CLIENT_SECRET = "secret"; private static final String USER_ID = "acme"; private static final String USER_SECRET = "password"; 
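Review bot: In all three new `run()` methods `basicAuthenticationFilter` stays `null` when no `BasicAuthenticationFilter` is registered for `/oauth/token`, and the following `ReflectionTestUtils.getField(basicAuthenticationFilter, "authenticationManager")` call then fails with an error that hides the real cause. Add `assertNotNull("no BasicAuthenticationFilter on /oauth/token", basicAuthenticationFilter);` after each loop (assuming `assertNotNull` is statically imported in this file), or move the lookup into one private static helper shared by the three configuration classes. In `AuthorizationServerCustomAuthenticationEventPublisher`, `assertSame(defaultAuthenticationEventPublisher, authenticationEventPublisher);` would report both objects on failure, which `assertTrue(a == b)` does not.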
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java index 41f31daae..5f9ea7a82 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/AuthorizationRequestTests.java @@ -30,7 +30,7 @@ import org.junit.Before; import org.junit.Test; import org.springframework.security.oauth2.common.util.OAuth2Utils; -import org.springframework.util.SerializationUtils; +import org.springframework.security.oauth2.common.util.SerializationUtils; import org.springframework.util.StringUtils; /** @@ -161,8 +161,8 @@ public void testRedirectUriDefaultsToMap() { @Test public void testSerialization() { AuthorizationRequest authorizationRequest = createFromParameters(parameters); - AuthorizationRequest other = (AuthorizationRequest) SerializationUtils.deserialize(SerializationUtils - .serialize(authorizationRequest)); + AuthorizationRequest other = SerializationUtils.deserialize( + SerializationUtils.serialize(authorizationRequest)); assertEquals(authorizationRequest, other); } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java index 068d68ac3..e2c0aadbd 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/OAuth2AuthenticationTests.java 
@@ -1,14 +1,11 @@ package org.springframework.security.oauth2.provider; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertNull; -import static org.junit.Assert.assertTrue; - import java.util.Arrays; import java.util.Collections; -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Test; + import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.authority.SimpleGrantedAuthority; @@ -16,6 +13,10 @@ import org.springframework.test.annotation.Rollback; import org.springframework.util.SerializationUtils; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; + public class OAuth2AuthenticationTests { private OAuth2Request request = RequestTokenFactory.createOAuth2Request(null, "id", null, false, diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java index 6e215a8cf..9ab738793 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/client/BaseClientDetailsTests.java 
@@ -16,18 +16,18 @@ package org.springframework.security.oauth2.provider.client; -import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; -import static org.junit.Assert.assertTrue; - import java.util.Collections; import java.util.TreeSet; -import org.codehaus.jackson.map.ObjectMapper; +import com.fasterxml.jackson.databind.ObjectMapper; import org.junit.Test; -import org.springframework.security.oauth2.provider.client.BaseClientDetails; + import org.springframework.util.StringUtils; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; + /** * @author Dave Syer * diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java index b58b58d96..76a5e34c8 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/JdbcAuthorizationCodeServicesTests.java 
@@ -1,9 +1,24 @@ package org.springframework.security.oauth2.provider.code; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotNull; + +import java.util.ArrayList; +import java.util.List; + +import org.company.oauth2.CustomAuthentication; +import org.company.oauth2.CustomOAuth2Authentication; import org.junit.After; import org.junit.Before; +import org.junit.Test; import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase; import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder; +import org.springframework.security.oauth2.common.util.SerializationStrategy; +import org.springframework.security.oauth2.common.util.SerializationUtils; +import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; +import org.springframework.security.oauth2.provider.RequestTokenFactory; public class JdbcAuthorizationCodeServicesTests extends AuthorizationCodeServicesBaseTests { private JdbcAuthorizationCodeServices authorizationCodeServices; 
@@ -26,4 +41,59 @@ public void tearDown() throws Exception { AuthorizationCodeServices getAuthorizationCodeServices() { return authorizationCodeServices; } + + @Test + public void testCustomImplementation() { + OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false); + OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request, + new CustomAuthentication("test2", false)); + String code = getAuthorizationCodeServices().createAuthorizationCode(expectedAuthentication); + assertNotNull(code); + OAuth2Authentication actualAuthentication = getAuthorizationCodeServices().consumeAuthorizationCode(code); + assertEquals(expectedAuthentication, actualAuthentication); + } + + @Test(expected = IllegalArgumentException.class) + public void testNotAllowedCustomImplementation() { + OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false); + OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request, + new CustomAuthentication("test2", false)); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + String code = getAuthorizationCodeServices().createAuthorizationCode(expectedAuthentication); + assertNotNull(code); + getAuthorizationCodeServices().consumeAuthorizationCode(code); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + + @Test + public void testCustomImplementationWithCustomStrategy() { + OAuth2Request storedOAuth2Request = RequestTokenFactory.createOAuth2Request("id", false); + OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication(storedOAuth2Request, + new CustomAuthentication("test3", false)); + + AuthorizationCodeServices jdbcAuthorizationCodeServices = getAuthorizationCodeServices(); + List 
allowedClasses = new ArrayList(); + allowedClasses.add("java.util."); + allowedClasses.add("org.springframework.security."); + allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken"); + allowedClasses.add("org.company.oauth2.CustomOAuth2Authentication"); + allowedClasses.add("org.company.oauth2.CustomAuthentication"); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + String code = jdbcAuthorizationCodeServices.createAuthorizationCode(expectedAuthentication); + assertNotNull(code); + + OAuth2Authentication actualAuthentication = getAuthorizationCodeServices().consumeAuthorizationCode(code); + assertEquals(expectedAuthentication, actualAuthentication); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java new file mode 100644 index 000000000..815fc260f --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/code/RedisAuthorizationCodeServicesTests.java 
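Review bot: `testNotAllowedCustomImplementation` puts both `createAuthorizationCode` and `consumeAuthorizationCode` under `@Test(expected = IllegalArgumentException.class)`, so it also passes if the exception comes from storing the code rather than from the allowlist rejecting the stored object on read. Creating the code before `SerializationUtils.setSerializationStrategy(newStrategy)` and wrapping only the consume call in a try/catch that ends with `fail()` would tie the test to deserialization, provided the code can be created under the previous strategy. `SerializationUtilsTests.deserializeNotAllowedCustomClasses` earlier in this diff has the same shape: `serialize` runs inside the expected-exception scope, and the `assertNotNull(clone)` and `assertEquals(accessToken, clone)` lines after `deserialize` can never run on the passing path. Both tests replace a static strategy on `SerializationUtils`; the `finally` restore is right, and a comment that they must not run in parallel with other serialization tests would help.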
@@ -0,0 +1,106 @@ +/* + * Copyright 2002-2020 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.security.oauth2.provider.code; + +import static org.hamcrest.CoreMatchers.allOf; +import static org.hamcrest.CoreMatchers.containsString; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertNotEquals; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNotSame; +import static org.junit.Assert.assertThat; +import static org.junit.Assert.fail; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.data.redis.connection.jedis.JedisConnectionFactory; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.RequestTokenFactory; + +import org.springframework.util.ClassUtils; +import redis.clients.jedis.JedisShardInfo; + +/** + * @author Stefan Rempfer + */ +public class RedisAuthorizationCodeServicesTests { + + private RedisAuthorizationCodeServices authorizationCodeServices; + + private OAuth2Authentication authentication; + + /** + * Initialize test data and Class-Under-Test. 
+ */ + @Before + public void setup() { + boolean springDataRedis_2_0 = ClassUtils.isPresent( + "org.springframework.data.redis.connection.RedisStandaloneConfiguration", + this.getClass().getClassLoader()); + + JedisConnectionFactory connectionFactory; + if (springDataRedis_2_0) { + connectionFactory = new JedisConnectionFactory(); + } else { + JedisShardInfo shardInfo = new JedisShardInfo("localhost"); + connectionFactory = new JedisConnectionFactory(shardInfo); + } + + authorizationCodeServices = new RedisAuthorizationCodeServices(connectionFactory); + + authentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("myClientId", false), + new TestingAuthenticationToken("myUser4Test", false)); + } + + /** + * Verifies that a authorization code could be generated and stored. + */ + @Test + public void verifyCreateAuthorizationCode() { + String authorizationCode1 = authorizationCodeServices.createAuthorizationCode(authentication); + assertNotNull("Authorization code must not be null!", authorizationCode1); + + String authorizationCode2 = authorizationCodeServices.createAuthorizationCode(authentication); + assertNotNull("Authorization code must not be null!", authorizationCode2); + + assertNotEquals("Authorization code must be different!", authorizationCode1, authorizationCode2); + } + + /** + * Verifies that a authorization code could be retrieved and removed. 
+ */ + @Test + public void verifyCreateAndConsumeAuthorizationCode() { + + String authorizationCode = authorizationCodeServices.createAuthorizationCode(authentication); + assertNotNull("Authorization code must not be null!", authorizationCode); + + OAuth2Authentication authentication = authorizationCodeServices.consumeAuthorizationCode(authorizationCode); + assertNotSame("Authentication object must not be the same!", this.authentication, authentication); + assertEquals("Authentication object must equals to original one!", this.authentication, authentication); + + try { + authorizationCodeServices.consumeAuthorizationCode(authorizationCode); + fail("There must be an exception that the authorization code is invalid!"); + } + catch (InvalidGrantException e) { + assertThat("Wrong error message!", e.getMessage(), + allOf(containsString("Invalid authorization code"))); + } + } +} diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java index 2c86289f6..026301b80 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/DefaultRedirectResolverTests.java @@ -204,7 +204,7 @@ public void testRedirectNotMatchingReturnsGenericErrorMessage() throws Exception resolver.resolveRedirect(requestedRedirect, client); fail(); } catch (RedirectMismatchException ex) { - assertEquals("Invalid redirect: https://anywhere.com/myendpoint does not match one of the registered values.", ex.getMessage()); + assertEquals("Invalid redirect uri does not match one of the registered values.", ex.getMessage()); } } 
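Review bot: `setup()` in `RedisAuthorizationCodeServicesTests` builds a `JedisConnectionFactory` against `localhost`, and nothing visible in the hunk skips the tests when no Redis server is reachable, so they appear to fail rather than skip on a machine without one. If the project has no rule for this elsewhere, guard the class with a JUnit `Assume` on a successful connection. In `verifyCreateAndConsumeAuthorizationCode`, `allOf(containsString("Invalid authorization code"))` wraps a single matcher and can be plain `containsString(...)`, and the local `authentication` shadows the field of the same name. The second `consumeAuthorizationCode` call expecting `InvalidGrantException` is the assertion that pins single use of a code, and deserves a one-line comment saying so.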
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java index 27f4c9dc7..5b5099b63 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/endpoint/TokenEndpointTests.java @@ -45,6 +45,7 @@ import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; +import org.springframework.security.oauth2.common.exceptions.InvalidRequestException; import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.provider.ClientDetails; import org.springframework.security.oauth2.provider.ClientDetailsService; 
@@ -217,4 +218,41 @@ public void testGetAccessTokenReturnsHeaderContentTypeJson() throws Exception { assertEquals(HttpStatus.OK, response.getStatusCode()); assertEquals("application/json;charset=UTF-8", response.getHeaders().get("Content-Type").iterator().next()); } + + @Test(expected = InvalidRequestException.class) + public void testRefreshTokenGrantTypeWithoutRefreshTokenParameter() throws Exception { + when(clientDetailsService.loadClientByClientId(clientId)).thenReturn(clientDetails); + + HashMap parameters = new HashMap(); + parameters.put("client_id", clientId); + parameters.put("scope", "read"); + parameters.put("grant_type", "refresh_token"); + + when(authorizationRequestFactory.createTokenRequest(any(Map.class), eq(clientDetails))).thenReturn( + createFromParameters(parameters)); + + endpoint.postAccessToken(clientAuthentication, parameters); + } + + @Test + public void testGetAccessTokenWithRefreshToken() throws Exception { + when(clientDetailsService.loadClientByClientId(clientId)).thenReturn(clientDetails); + + HashMap parameters = new HashMap(); + parameters.put("client_id", clientId); + parameters.put("scope", "read"); + parameters.put("grant_type", "refresh_token"); + parameters.put("refresh_token", "kJAHDFG"); + + OAuth2AccessToken expectedToken = new DefaultOAuth2AccessToken("FOO"); + + when(tokenGranter.grant(eq("refresh_token"), any(TokenRequest.class))).thenReturn(expectedToken); + + when(authorizationRequestFactory.createTokenRequest(any(Map.class), eq(clientDetails))).thenReturn( + createFromParameters(parameters)); + + ResponseEntity response = endpoint.postAccessToken(clientAuthentication, parameters); + + assertEquals(expectedToken, response.getBody()); + } } 
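Review bot: `testRefreshTokenGrantTypeWithoutRefreshTokenParameter` covers only a missing `refresh_token` key; a request that sends the parameter with an empty or blank value is not exercised, and that is the variant most likely to slip past a null check. A sibling test with `parameters.put("refresh_token", "");` and the same `@Test(expected = InvalidRequestException.class)` would pin the behaviour, assuming the endpoint is meant to reject it the same way. Because the test uses `expected`, it also cannot show that `tokenGranter.grant` was never reached; a try/catch followed by `verify(tokenGranter, never()).grant(anyString(), any(TokenRequest.class));` would.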
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java index 0e7cfcdee..123801f15 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/password/ResourceOwnerPasswordTokenGranterTests.java @@ -30,6 +30,7 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.oauth2.common.OAuth2AccessToken; import org.springframework.security.oauth2.common.exceptions.InvalidClientException; import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; @@ -167,4 +168,14 @@ public void testUnauthenticated() { granter.grant("password", tokenRequest); } + @Test(expected = InvalidGrantException.class) + public void testUsernameNotFound() { + ResourceOwnerPasswordTokenGranter granter = new ResourceOwnerPasswordTokenGranter(new AuthenticationManager() { + @Override + public Authentication authenticate(final Authentication authentication) throws AuthenticationException { + throw new UsernameNotFoundException("test"); + } + }, providerTokenServices, clientDetailsService, requestFactory); + granter.grant("password", tokenRequest); + } } 
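Review bot: `testUsernameNotFound` asserts only that an `InvalidGrantException` is thrown, not what it says, so the test would still pass if the exception message let a caller tell an unknown username apart from a failed password check. If hiding that difference is the reason for mapping `UsernameNotFoundException` to `InvalidGrantException`, catch the exception and compare its message with the one produced for a failed password check. The same applies to `testAccountLocked` and `testUsernameNotFound` in the new `RefreshTokenGranterTests`. The test class starts outside this hunk.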
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java
new file mode 100644
index 000000000..77433140c
--- /dev/null
+++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/refresh/RefreshTokenGranterTests.java
@@ -0,0 +1,124 @@ +package org.springframework.security.oauth2.provider.refresh; + +import org.junit.Before; +import org.junit.Test; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.LockedException; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.AuthenticationException; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.core.userdetails.UsernameNotFoundException; +import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.exceptions.InvalidClientException; +import org.springframework.security.oauth2.common.exceptions.InvalidGrantException; +import org.springframework.security.oauth2.common.exceptions.OAuth2Exception; +import org.springframework.security.oauth2.provider.ClientDetails; +import org.springframework.security.oauth2.provider.ClientDetailsService; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2RequestFactory; +import org.springframework.security.oauth2.provider.TokenRequest; +import org.springframework.security.oauth2.provider.client.BaseClientDetails; +import org.springframework.security.oauth2.provider.request.DefaultOAuth2RequestFactory; +import org.springframework.security.oauth2.provider.token.DefaultTokenServices; +import org.springframework.security.oauth2.provider.token.TokenStore; +import org.springframework.security.oauth2.provider.token.store.InMemoryTokenStore; + +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; + +import static org.junit.Assert.assertTrue; + +public class RefreshTokenGranterTests { + + private Authentication validUser = new UsernamePasswordAuthenticationToken("foo", "bar", 
+ Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"))); + + private AuthenticationManager authenticationManager = new AuthenticationManager() { + public Authentication authenticate(Authentication authentication) throws AuthenticationException { + return validUser; + } + }; + + private BaseClientDetails client = new BaseClientDetails("foo", "resource", "scope", "refresh_token", "ROLE_USER"); + + private TokenStore tokenStore = new InMemoryTokenStore(); + private DefaultTokenServices providerTokenServices = new DefaultTokenServices(); + + private ClientDetailsService clientDetailsService = new ClientDetailsService() { + public ClientDetails loadClientByClientId(String clientId) throws OAuth2Exception { + return client; + } + }; + + private OAuth2RequestFactory requestFactory = new DefaultOAuth2RequestFactory(clientDetailsService); + + private OAuth2AccessToken accessToken; + + private TokenRequest validRefreshTokenRequest; + + @Before + public void setUp() { + String clientId = "client"; + BaseClientDetails clientDetails = new BaseClientDetails(); + clientDetails.setClientId(clientId); + + providerTokenServices.setTokenStore(tokenStore); + providerTokenServices.setSupportRefreshToken(true); + providerTokenServices.setAuthenticationManager(authenticationManager); + // Create access token to refresh + accessToken = providerTokenServices.createAccessToken(new OAuth2Authentication(requestFactory.createOAuth2Request(client, requestFactory.createTokenRequest(Collections.emptyMap(), clientDetails)), validUser)); + validRefreshTokenRequest = createRefreshTokenRequest(accessToken.getRefreshToken().getValue()); + } + + private TokenRequest createRefreshTokenRequest(String refreshToken) { + Map parameters = new HashMap(); + parameters.put("grant_type", "refresh_token"); + parameters.put("refresh_token", refreshToken); + return requestFactory.createTokenRequest(parameters, client); + } + + @Test + public void testSunnyDay() { + RefreshTokenGranter granter = new 
RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory); + OAuth2AccessToken token = granter.grant("refresh_token", validRefreshTokenRequest); + OAuth2Authentication authentication = providerTokenServices.loadAuthentication(token.getValue()); + assertTrue(authentication.isAuthenticated()); + } + + @Test(expected = InvalidGrantException.class) + public void testBadCredentials() { + RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory); + granter.grant("refresh_token", createRefreshTokenRequest(accessToken.getRefreshToken().getValue() + "invalid_token")); + } + + @Test(expected = InvalidClientException.class) + public void testGrantTypeNotSupported() { + RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory); + client.setAuthorizedGrantTypes(Collections.singleton("client_credentials")); + granter.grant("refresh_token", validRefreshTokenRequest); + } + + @Test(expected = InvalidGrantException.class) + public void testAccountLocked() { + providerTokenServices.setAuthenticationManager(new AuthenticationManager() { + public Authentication authenticate(Authentication authentication) throws AuthenticationException { + throw new LockedException("test"); + } + }); + RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory); + granter.grant("refresh_token", validRefreshTokenRequest); + } + + @Test(expected = InvalidGrantException.class) + public void testUsernameNotFound() { + providerTokenServices.setAuthenticationManager(new AuthenticationManager() { + public Authentication authenticate(Authentication authentication) throws AuthenticationException { + throw new UsernameNotFoundException("test"); + } + }); + RefreshTokenGranter granter = new RefreshTokenGranter(providerTokenServices, clientDetailsService, requestFactory); + granter.grant("refresh_token", 
validRefreshTokenRequest); + } +} diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java index 7eda9601b..f371f4cd7 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultTokenServicesTests.java 
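Review bot: `testBadCredentials` does not exercise credentials at all; it presents a refresh token value that was never issued (`getValue() + "invalid_token"`), so a name such as `testInvalidRefreshToken` would describe it. In `setUp`, the local `clientDetails` with id `"client"` is used for the token request while the field `client` (id `"foo"`) is used for the OAuth2 request; a short comment saying why two different clients are involved, or using `client` for both, would make the fixture easier to trust. No case presents a valid refresh token through a client other than the one it was issued to, which is the binding a refresh-token granter most needs a regression test for.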
@@ -1,11 +1,32 @@ package org.springframework.security.oauth2.provider.token; +import org.junit.Assert; import org.junit.Before; import org.junit.Test; +import org.mockito.ArgumentCaptor; import org.mockito.Mockito; +import org.springframework.security.authentication.AuthenticationManager; +import org.springframework.security.authentication.AuthenticationProvider; +import org.springframework.security.authentication.ProviderManager; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.userdetails.User; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper; +import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; +import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.OAuth2RefreshToken; import org.springframework.security.oauth2.common.exceptions.InvalidTokenException; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; +import org.springframework.security.oauth2.provider.TokenRequest; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider; +import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken; + +import java.util.Arrays; public class DefaultTokenServicesTests { 
@@ -29,5 +50,94 @@ public void testAccidentalNullAuthentication() { .thenReturn(null); services.loadAuthentication("FOO"); } + + @Test + public void testRefreshAccessTokenWithReauthentication() { + UserDetails user = createMockUser("joeuser", "PROCESSOR"); + UserDetailsService userDetailsService = Mockito.mock(UserDetailsService.class); + + Mockito + .when(tokenStore.readRefreshToken(Mockito.anyString())) + .thenReturn(new DefaultOAuth2RefreshToken("FOO")); + + Mockito + .when(tokenStore.readAuthenticationForRefreshToken(Mockito.any(OAuth2RefreshToken.class))) + .thenReturn(createMockOAuth2Authentication("myclient", user, "some more details")); + + Mockito + .when(userDetailsService.loadUserByUsername(Mockito.anyString())) + .thenReturn(user); + + services.setSupportRefreshToken(true); + services.setAuthenticationManager(createAuthenticationManager(userDetailsService)); + + OAuth2AccessToken refreshedAccessToken = services.refreshAccessToken("FOO", createMockTokenRequest("myclient")); + + ArgumentCaptor refreshedAuthenticationCaptor = ArgumentCaptor.forClass(OAuth2Authentication.class); + + Mockito.verify(tokenStore).storeAccessToken(Mockito.eq(refreshedAccessToken), refreshedAuthenticationCaptor.capture()); + + OAuth2Authentication refreshedAuthentication = refreshedAuthenticationCaptor.getValue(); + Authentication authentication = refreshedAuthentication.getUserAuthentication(); + Assert.assertEquals(user, authentication.getPrincipal()); + Assert.assertEquals("some more details", authentication.getDetails()); + } + + @Test + public void testRefreshAccessTokenWithoutReauthentication() { + + UserDetails user = createMockUser("joeuser", "PROCESSOR"); + + Mockito + .when(tokenStore.readRefreshToken(Mockito.anyString())) + .thenReturn(new DefaultOAuth2RefreshToken("FOO")); + + Mockito + .when(tokenStore.readAuthenticationForRefreshToken(Mockito.any(OAuth2RefreshToken.class))) + .thenReturn(createMockOAuth2Authentication("myclient", user, "some more details")); + + 
services.setSupportRefreshToken(true); + services.setAuthenticationManager(null); + + OAuth2AccessToken refreshedAccessToken = services.refreshAccessToken("FOO", createMockTokenRequest("myclient")); + ArgumentCaptor refreshedAuthenticationCaptor = ArgumentCaptor.forClass(OAuth2Authentication.class); + + Mockito.verify(tokenStore).storeAccessToken(Mockito.eq(refreshedAccessToken), refreshedAuthenticationCaptor.capture()); + + OAuth2Authentication refreshedAuthentication = refreshedAuthenticationCaptor.getValue(); + Authentication authentication = refreshedAuthentication.getUserAuthentication(); + Assert.assertEquals(user, authentication.getPrincipal()); + Assert.assertEquals("some more details", authentication.getDetails()); + } + + private AuthenticationManager createAuthenticationManager(UserDetailsService userDetailsService) { + PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider(); + provider.setPreAuthenticatedUserDetailsService( + new UserDetailsByNameServiceWrapper(userDetailsService) + ); + return new ProviderManager(Arrays. 
asList(provider)); + } + + private TokenRequest createMockTokenRequest(String clientId) { + return new TokenRequest(null, clientId, null, null); + } + + private OAuth2Request createMockOAuth2Request(String clientId) { + return new OAuth2Request(null, clientId, null, true, null, null, null, null, null); + } + + private OAuth2Authentication createMockOAuth2Authentication(String clientId, UserDetails user, String extraDetails) { + return new OAuth2Authentication(createMockOAuth2Request(clientId), createMockUserAuthentication(user, extraDetails)); + } + + private UsernamePasswordAuthenticationToken createMockUserAuthentication(UserDetails user, Object extraDetails) { + UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, "", user.getAuthorities()); + token.setDetails(extraDetails); + return token; + } + + private UserDetails createMockUser(String username, String ... roles) { + return new User(username, "", AuthorityUtils.createAuthorityList(roles)); + } } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java index 647324ddc..237d7e563 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/DefaultUserAuthenticationConverterTests.java @@ -8,6 +8,7 @@ import org.junit.Test; import org.mockito.Mockito; +import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.User; 
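Review bot: `testRefreshAccessTokenWithReauthentication` and `testRefreshAccessTokenWithoutReauthentication` end with the same two assertions, so nothing in the first test proves the user was actually re-loaded on refresh. Adding `Mockito.verify(userDetailsService).loadUserByUsername(Mockito.anyString());` after the `refreshAccessToken` call would make the test fail if the reauthentication step were skipped. If the intent is that a refreshed token reflects the current account state, a variant in which `loadUserByUsername` returns a user with different authorities would show that as well.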
@@ -59,4 +60,50 @@ public void shouldExtractAuthenticationWhenUserDetailsProvided() throws Exceptio assertEquals("ROLE_SPAM", authentication.getAuthorities().iterator().next().toString()); } + + @Test + public void shouldExtractWithDefaultUsernameClaimWhenNotSet() throws Exception { + Map map = new HashMap(); + map.put(UserAuthenticationConverter.USERNAME, "test_user"); + + Authentication authentication = converter.extractAuthentication(map); + + assertEquals("test_user", authentication.getPrincipal()); + } + + @Test + public void shouldConvertUserWithDefaultUsernameClaimWhenNotSet() throws Exception { + Authentication authentication = new UsernamePasswordAuthenticationToken("test_user", ""); + + Map map = converter.convertUserAuthentication(authentication); + + assertEquals("test_user", map.get(UserAuthenticationConverter.USERNAME)); + } + + @Test + public void shouldExtractWithCustomUsernameClaimWhenSet() throws Exception { + String customUserClaim = "custom_user_name"; + DefaultUserAuthenticationConverter converter = new DefaultUserAuthenticationConverter(); + converter.setUserClaimName(customUserClaim); + + Map map = new HashMap(); + map.put(customUserClaim, "test_user"); + + Authentication authentication = converter.extractAuthentication(map); + + assertEquals("test_user", authentication.getPrincipal()); + } + + @Test + public void shouldConvertUserWithCustomUsernameClaimWhenSet() throws Exception { + String customUserClaim = "custom_user_name"; + DefaultUserAuthenticationConverter converter = new DefaultUserAuthenticationConverter(); + converter.setUserClaimName(customUserClaim); + + Authentication authentication = new UsernamePasswordAuthenticationToken("test_user", ""); + + Map map = converter.convertUserAuthentication(authentication); + + assertEquals("test_user", map.get(customUserClaim)); + } } 
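Review bot: The two custom-claim tests show that `custom_user_name` is honoured, but not what happens to the default claim once a custom name is configured. A test that calls `setUserClaimName(customUserClaim)` and then passes a map holding only `UserAuthenticationConverter.USERNAME` would document whether the default is still accepted; if it is meant to be ignored, the expectation would be `assertNull(converter.extractAuthentication(map));`. Pinning this matters when tokens from different issuers use different claim names.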
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java index 0a88a279e..4eaaecb8c 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/RemoteTokenServicesTest.java @@ -17,6 +17,7 @@ import org.junit.Before; import org.junit.Test; +import org.mockito.ArgumentCaptor; import org.springframework.http.HttpEntity; import org.springframework.http.HttpMethod; import org.springframework.http.HttpStatus; @@ -26,8 +27,10 @@ import org.springframework.web.client.RestTemplate; import java.util.HashMap; +import java.util.List; import java.util.Map; +import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.mockito.Matchers.any; import static org.mockito.Matchers.anyString; 
@@ -51,6 +54,27 @@ public void setUp() { this.remoteTokenServices.setCheckTokenEndpointUrl(DEFAULT_CHECK_TOKEN_ENDPOINT_URI); } + // gh-974 + @Test + public void loadAuthenticationWhenAdditionalQueryParametersProvidedThenReturnAuthentication() { + Map additionalParameters = new HashMap(); + additionalParameters.put("apiKey", "some-api-key"); + this.remoteTokenServices.setAdditionalParameters(additionalParameters); + + Map responseAttrs = new HashMap(); + responseAttrs.put("active", true); // "active" is the only required attribute as per RFC 7662 (https://tools.ietf.org/search/rfc7662#section-2.2) + ResponseEntity response = new ResponseEntity(responseAttrs, HttpStatus.OK); + RestTemplate restTemplate = mock(RestTemplate.class); + ArgumentCaptor requestEntityCaptor = ArgumentCaptor.forClass(HttpEntity.class); + when(restTemplate.exchange(anyString(), any(HttpMethod.class), requestEntityCaptor.capture(), any(Class.class))).thenReturn(response); + this.remoteTokenServices.setRestTemplate(restTemplate); + + OAuth2Authentication authentication = this.remoteTokenServices.loadAuthentication("access-token-1234"); + assertNotNull(authentication); + Map formParameters = (Map) requestEntityCaptor.getValue().getBody(); + assertEquals("some-api-key", ((List) formParameters.get("apiKey")).get(0)); + } + // gh-838 @Test public void loadAuthenticationWhenIntrospectionResponseContainsActiveTrueBooleanThenReturnAuthentication() throws Exception { 
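Review bot: The gh-974 test checks that `apiKey` reaches the request body but not that the token itself is still sent alongside it. Asserting the token entry as well, for example `assertEquals("access-token-1234", ((List) formParameters.get("token")).get(0));` if `token` is the configured parameter name, would catch a regression where additional parameters replace the form data. It would also be worth deciding, and testing, what happens when `setAdditionalParameters` is given a key that collides with the token parameter.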
@@ -78,6 +102,16 @@ public void loadAuthenticationWhenIntrospectionResponseContainsActiveTrueStringT assertNotNull(authentication); } + @Test(expected = InvalidTokenException.class) + public void loadAuthenticationWhenIntrospectionResponseNullThenThrowInvalidTokenException() throws Exception { + ResponseEntity response = new ResponseEntity(HttpStatus.REQUEST_TIMEOUT); + RestTemplate restTemplate = mock(RestTemplate.class); + when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(Class.class))).thenReturn(response); + this.remoteTokenServices.setRestTemplate(restTemplate); + + this.remoteTokenServices.loadAuthentication("access-token-1234"); + } + // gh-838 @Test(expected = InvalidTokenException.class) public void loadAuthenticationWhenIntrospectionResponseContainsActiveFalseThenThrowInvalidTokenException() throws Exception { @@ -95,6 +129,7 @@ public void loadAuthenticationWhenIntrospectionResponseContainsActiveFalseThenTh @Test public void loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThenReturnAuthentication() throws Exception { Map responseAttrs = new HashMap(); + responseAttrs.put("attr1", "value1"); ResponseEntity response = new ResponseEntity(responseAttrs, HttpStatus.OK); RestTemplate restTemplate = mock(RestTemplate.class); when(restTemplate.exchange(anyString(), any(HttpMethod.class), any(HttpEntity.class), any(Class.class))).thenReturn(response); @@ -103,4 +138,4 @@ public void loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThe OAuth2Authentication authentication = this.remoteTokenServices.loadAuthentication("access-token-1234"); assertNotNull(authentication); } -} \ No newline at end of file +} diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java index ffd13fb83..f02c50687 100644 
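Review bot: `loadAuthenticationWhenIntrospectionResponseMissingActiveAttributeThenReturnAuthentication` (the hunk at -95) still expects an authentication when the response has no `active` attribute, while the comment added in the gh-974 test of this same commit says `active` is the only required attribute under RFC 7662. If accepting such a response is deliberate, a one-line comment above the test, such as `// a response without "active" is accepted for compatibility with check-token endpoints that omit it`, would record that. The new test at -78 builds a body-less 408 response rather than a null response, so `ResponseBodyNull` would describe it better than `ResponseNull`.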
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/JdbcTokenStoreTests.java @@ -1,9 +1,13 @@ package org.springframework.security.oauth2.provider.token.store; -import static org.junit.Assert.assertEquals; - +import java.util.ArrayList; import java.util.Collection; +import java.util.List; + +import org.company.oauth2.CustomAuthentication; +import org.company.oauth2.CustomOAuth2AccessToken; +import org.company.oauth2.CustomOAuth2Authentication; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -11,12 +15,18 @@ import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder; import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken; import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.DefaultSerializationStrategy; +import org.springframework.security.oauth2.common.util.SerializationStrategy; +import org.springframework.security.oauth2.common.util.SerializationUtils; +import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy; import org.springframework.security.oauth2.provider.OAuth2Authentication; import org.springframework.security.oauth2.provider.RequestTokenFactory; +import static org.junit.Assert.*; + /** * @author Dave Syer - * + * @author Artem Smotrakov */ public class JdbcTokenStoreTests extends TokenStoreBaseTests { 
@@ -46,6 +56,106 @@ public void testFindAccessTokensByUserName() { assertEquals(1, actualOAuth2AccessTokens.size()); } + @Test + public void testCustomToken() { + OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication( + RequestTokenFactory.createOAuth2Request("id", false), + new TestAuthentication("test2", false)); + OAuth2AccessToken expectedOAuth2AccessToken = new CustomOAuth2AccessToken("customToken"); + getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication); + + Collection actualOAuth2AccessTokens = getTokenStore().findTokensByUserName("test2"); + assertFalse(actualOAuth2AccessTokens.isEmpty()); + for (OAuth2AccessToken token : actualOAuth2AccessTokens) { + if (expectedOAuth2AccessToken.equals(token)) { + return; + } + } + fail("No token found!"); + } + + @Test + public void testAllowedCustomTokenWithCustomStrategy() { + OAuth2Authentication expectedAuthentication = new CustomOAuth2Authentication( + RequestTokenFactory.createOAuth2Request("id", false), + new TestAuthentication("test3", false)); + OAuth2AccessToken expectedOAuth2AccessToken = new CustomOAuth2AccessToken("customToken"); + JdbcTokenStore tokenStore = getTokenStore(); + List allowedClasses = new ArrayList(); + allowedClasses.add("java.util."); + allowedClasses.add("org.springframework.security."); + allowedClasses.add("org.company.oauth2.CustomOAuth2AccessToken"); + allowedClasses.add("org.company.oauth2.CustomOAuth2Authentication"); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(allowedClasses); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + tokenStore.storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication); + + Collection actualOAuth2AccessTokens = getTokenStore().findTokensByUserName("test3"); + assertEquals(1, actualOAuth2AccessTokens.size()); + + OAuth2AccessToken actualToken = 
actualOAuth2AccessTokens.iterator().next(); + assertEquals(expectedOAuth2AccessToken, actualToken); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + + @Test + public void testNotAllowedCustomTokenWithCustomStrategy() { + OAuth2Authentication authentication = new CustomOAuth2Authentication( + RequestTokenFactory.createOAuth2Request("id", false), + new CustomAuthentication("test4", false)); + OAuth2AccessToken accessToken = new CustomOAuth2AccessToken("customToken"); + JdbcTokenStore tokenStore = getTokenStore(); + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + tokenStore.storeAccessToken(accessToken, authentication); + Collection tokens = tokenStore.findTokensByUserName("test4"); + assertTrue(tokens.isEmpty()); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + + // gh-1907 + @Test + public void testGetAccessTokenWithInvalidStoredAuthentication() { + OAuth2Authentication expectedAuthentication = new OAuth2Authentication(RequestTokenFactory.createOAuth2Request("id", false), new TestAuthentication("test2", false)); + OAuth2AccessToken expectedOAuth2AccessToken = new DefaultOAuth2AccessToken("testToken"); + + // We will set a custom serialization strategy, that will write an invalid OAuth2Authentication object to the database. + // This way we can verify that JdbcTokenStore.getAccessToken() correctly handles this case and still returns a valid + // authentication if the serialized representation of Authentication objects has changed. 
+ DefaultSerializationStrategy newStrategy = new DefaultSerializationStrategy(){ + @Override + public byte[] serialize(Object state) { + if (state instanceof OAuth2Authentication) { + return new byte[0]; + } else { + return super.serialize(state); + } + } + }; + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + + try { + SerializationUtils.setSerializationStrategy(newStrategy); + getTokenStore().storeAccessToken(expectedOAuth2AccessToken, expectedAuthentication); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + + OAuth2AccessToken actualOAuth2AccessToken = getTokenStore().getAccessToken(expectedAuthentication); + OAuth2Authentication actualAuthentication = getTokenStore().readAuthentication(expectedOAuth2AccessToken); + + assertEquals(expectedOAuth2AccessToken, actualOAuth2AccessToken); + assertEquals(expectedAuthentication, actualAuthentication); + } + @After public void tearDown() throws Exception { db.shutdown(); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java similarity index 71% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java index e08ace32b..43a9c70b3 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceITests.java 
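Review bot: In `testAllowedCustomTokenWithCustomStrategy`, the allowlist mixes two exact class names with the entries `"java.util."` and `"org.springframework.security."`, which look like package prefixes and would admit every class under them. Since this test is the only usage example of `WhitelistedSerializationStrategy` visible here, a comment such as `// prefixes are for test brevity; production allowlists should name exact classes` would keep the broad entries from being copied. `testNotAllowedCustomTokenWithCustomStrategy` asserts only `tokens.isEmpty()`, so it cannot tell a rejected deserialization from a row that was never written; a comment stating which outcome is intended would help. The enclosing class continues outside this hunk.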
@@ -25,11 +25,12 @@ import java.util.Arrays; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertSame; /** * @author Rob Winch */ -public class JwkDefinitionSourceITest { +public class JwkDefinitionSourceITests { private MockWebServer server; @@ -80,9 +81,9 @@ public void getDefinitionLoadIfNecessaryWhenMultipleUrlsThenBothUrlsAreLoaded() String keyId1 = "key-id-1"; String keyId2 = "key-id-2"; String keyId3 = "key-id-3"; - JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1).getJwkDefinition(); - JwkDefinition jwkDef2 = this.source.getDefinitionLoadIfNecessary(keyId2).getJwkDefinition(); - JwkDefinition jwkDef3 = this.source.getDefinitionLoadIfNecessary(keyId3).getJwkDefinition(); + JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1, null).getJwkDefinition(); + JwkDefinition jwkDef2 = this.source.getDefinitionLoadIfNecessary(keyId2, null).getJwkDefinition(); + JwkDefinition jwkDef3 = this.source.getDefinitionLoadIfNecessary(keyId3, null).getJwkDefinition(); assertEquals(jwkDef1.getKeyId(), keyId1); assertEquals(jwkDef1.getAlgorithm(), JwkDefinition.CryptoAlgorithm.RS256); 
@@ -100,6 +101,36 @@ public void getDefinitionLoadIfNecessaryWhenMultipleUrlsThenBothUrlsAreLoaded() assertEquals(jwkDef3.getKeyType(), JwkDefinition.KeyType.EC); } + @Test + public void getDefinitionLoadIfNecessaryWithX5T() { + this.server.enqueue(new MockResponse().setHeader(HttpHeaders.ACCEPT, MediaType.APPLICATION_JSON_VALUE).setBody("{\n" + + " \"keys\": [\n" + + " {\n" + + " \"kid\": \"key-id-1\",\n" + + " \"x5t\": \"x5t-1\",\n" + + " \"kty\": \"RSA\",\n" + + " \"alg\": \"RS256\",\n" + + " \"use\": \"sig\",\n" + + " \"n\": \"rne3dowbQHcFCzg2ejWb6az5QNxWFiv6kRpd34VDzYNMhWeewfeEL5Pf5clE8Xh1KlllrDYSxtnzUQm-t9p92yEBASfV96ydTYG-ITfxfJzKtJUN-iIS5K9WGYXnDNS4eYZ_ygW-zBU_9NwFMXdwSTzRqHeJmLJrfbmmjoIuuWyfh2Ko52KzyidceR5SJxGeW0ckeyWka1lDf4cr7fv-s093Y_sd2wrNvg0-9IAkXotbxWWXcfMgXFyw0qHFT_5LrKmiwkY3HCaiV5NgEFJmC6fBIG2EOZG4rqjBoYV6LZwrfTMHknaeel9MOZesW6SR2bswtuuWN3DGq2zg0KamLw\",\n" + + " \"e\": \"AQAB\"\n" + + " }\n" + + " ]\n" + + "}\n")); + this.source = new JwkDefinitionSource(Arrays.asList(serverUrl("/jwk1"))); + + String keyId1 = "key-id-1"; + String x5t1 = "x5t-1"; + JwkDefinition jwkDef1 = this.source.getDefinitionLoadIfNecessary(keyId1, x5t1).getJwkDefinition(); + assertEquals(keyId1, jwkDef1.getKeyId()); + assertEquals(x5t1, jwkDef1.getX5t()); + assertEquals(JwkDefinition.CryptoAlgorithm.RS256, jwkDef1.getAlgorithm()); + assertEquals(JwkDefinition.PublicKeyUse.SIG, jwkDef1.getPublicKeyUse()); + assertEquals(JwkDefinition.KeyType.RSA, jwkDef1.getKeyType()); + + assertSame(jwkDef1, this.source.getDefinitionLoadIfNecessary(keyId1, null).getJwkDefinition()); + assertSame(jwkDef1, this.source.getDefinitionLoadIfNecessary(null, x5t1).getJwkDefinition()); + } + private String serverUrl(String path) { return this.server.url(http://github.com/path).toString(); } 
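Review bot: `getDefinitionLoadIfNecessaryWithX5T` checks a matching kid/x5t pair, kid alone and x5t alone, but never a pair that disagrees. Both values are read from a token header before its signature is checked, so the test should pin what the source returns when `kid` names one key and `x5t` names another or none. A second key in the mocked set plus an assertion on `getDefinitionLoadIfNecessary("key-id-1", "x5t-2")` would do it (`x5t-2` is a constructed sample value). Separately, the mocked response sets `HttpHeaders.ACCEPT`, which is a request header; `HttpHeaders.CONTENT_TYPE` is what a JWK Set endpoint would send.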
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java similarity index 91% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java index e0556619c..409a0ed0c 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionSourceTests.java @@ -39,7 +39,7 @@ */ @RunWith(PowerMockRunner.class) @PrepareForTest(JwkDefinitionSource.class) -public class JwkDefinitionSourceTest { +public class JwkDefinitionSourceTests { private static final String DEFAULT_JWK_SET_URL = "https://identity.server1.io/token_keys"; @Test(expected = IllegalArgumentException.class) 
@@ -57,16 +57,16 @@ public void getDefinitionLoadIfNecessaryWhenKeyIdNotFoundThenLoadJwkDefinitions( JwkDefinitionSource jwkDefinitionSource = spy(new JwkDefinitionSource(DEFAULT_JWK_SET_URL)); mockStatic(JwkDefinitionSource.class); when(JwkDefinitionSource.loadJwkDefinitions(any(URL.class))).thenReturn(Collections.emptyMap()); - jwkDefinitionSource.getDefinitionLoadIfNecessary("invalid-key-id"); + jwkDefinitionSource.getDefinitionLoadIfNecessary("invalid-key-id", null); verifyStatic(); } // gh-1010 @Test public void getVerifierWhenModulusMostSignificantBitIs1ThenVerifierStillVerifyContentSignature() throws Exception { - String jwkSetUrl = JwkDefinitionSourceTest.class.getResource("jwk-set.json").toString(); + String jwkSetUrl = JwkDefinitionSourceTests.class.getResource("jwk-set.json").toString(); JwkDefinitionSource jwkDefinitionSource = new JwkDefinitionSource(jwkSetUrl); - SignatureVerifier verifier = jwkDefinitionSource.getDefinitionLoadIfNecessary("_Ci3-VfV_N0YAG22NQOgOUpFBDDcDe_rJxpu5JK702o").getSignatureVerifier(); + SignatureVerifier verifier = jwkDefinitionSource.getDefinitionLoadIfNecessary("_Ci3-VfV_N0YAG22NQOgOUpFBDDcDe_rJxpu5JK702o", null).getSignatureVerifier(); String token = this.readToken("token.jwt"); int secondPeriodIndex = token.indexOf('.', token.indexOf('.') + 1); String contentString = token.substring(0, secondPeriodIndex); @@ -80,7 +80,7 @@ private String readToken(String resource) throws IOException { StringBuilder sb = new StringBuilder(); InputStream in = null; try { - in = JwkDefinitionSourceTest.class.getResourceAsStream(resource); + in = JwkDefinitionSourceTests.class.getResourceAsStream(resource); int ch; while ((ch = in.read()) != -1) { sb.append((char) ch); 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java similarity index 90% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java index 66660b65f..b571f4ab5 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkDefinitionTests.java @@ -22,18 +22,20 @@ /** * @author Joe Grandja */ -public class JwkDefinitionTest { +public class JwkDefinitionTests { @Test public void constructorWhenArgumentsPassedThenAttributesAreCorrectlySet() throws Exception { String keyId = "key-id-1"; + String x5t = "x5t-1"; JwkDefinition.KeyType keyType = JwkDefinition.KeyType.RSA; JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.SIG; JwkDefinition.CryptoAlgorithm algorithm = JwkDefinition.CryptoAlgorithm.RS512; - JwkDefinition jwkDefinition = new JwkDefinition(keyId, keyType, publicKeyUse, algorithm) { }; + JwkDefinition jwkDefinition = new JwkDefinition(keyId, x5t, keyType, publicKeyUse, algorithm) { }; assertEquals(keyId, jwkDefinition.getKeyId()); + assertEquals(x5t, jwkDefinition.getX5t()); assertEquals(keyType, jwkDefinition.getKeyType()); assertEquals(publicKeyUse, jwkDefinition.getPublicKeyUse()); assertEquals(algorithm, jwkDefinition.getAlgorithm()); 
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java similarity index 96% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java index 6591efa25..61c9df70f 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkSetConverterTests.java @@ -36,7 +36,7 @@ * @author Joe Grandja * @author Vedran Pavic */ -public class JwkSetConverterTest { +public class JwkSetConverterTests { private final JwkSetConverter converter = new JwkSetConverter(); private final ObjectMapper objectMapper = new ObjectMapper(); 
@@ -122,25 +122,25 @@ public void convertWhenJwkSetStreamHasRSAJwkElementWithMissingKeyIdAttributeThen this.thrown.expect(JwkException.class); this.thrown.expectMessage("kid is a required attribute for a JWK."); Map jwkSetObject = new HashMap(); - Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, null); + Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, null, JwkDefinition.PublicKeyUse.SIG); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); this.converter.convert(this.asInputStream(jwkSetObject)); } @Test - public void convertWhenJwkSetStreamHasRSAJwkElementWithMissingPublicKeyUseAttributeThenThrowJwkException() throws Exception { - this.thrown.expect(JwkException.class); - this.thrown.expectMessage("unknown (use) is currently not supported."); + public void convertWhenJwkSetStreamHasRSAJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { Map jwkSetObject = new HashMap(); - Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1"); + Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1", JwkDefinition.PublicKeyUse.ENC); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); - this.converter.convert(this.asInputStream(jwkSetObject)); + Set jwkSet = this.converter.convert(this.asInputStream(jwkSetObject)); + assertTrue("JWK Set NOT empty", jwkSet.isEmpty()); } + // gh-1871 @Test - public void convertWhenJwkSetStreamHasRSAJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { + public void convertWhenJwkSetStreamHasRSAJwkElementWithoutPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { Map jwkSetObject = new HashMap(); - Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1", JwkDefinition.PublicKeyUse.ENC); + Map jwkObject = this.createJwkObject(JwkDefinition.KeyType.RSA, "key-id-1"); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); Set jwkSet = 
this.converter.convert(this.asInputStream(jwkSetObject)); assertTrue("JWK Set NOT empty", jwkSet.isEmpty()); 
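Review bot: The `...WithoutPublicKeyUseAttributeThenReturnEmptyJwkSet` test here (and its EC twin in the `@@ -173,25 +173,25 @@` hunk) pins that a JWK with no `use` is now dropped silently instead of raising `JwkException`, but only for a set holding that single key. Unless it is covered elsewhere in this file, add a mixed set with one key lacking `use` and one `sig` key, and assert that the `sig` key is still returned. The visible assertions cannot tell "skip this entry" apart from "discard the whole set". The bare `// gh-1871` marker could also state the rule, e.g. `// gh-1871: a JWK without "use" is skipped, not rejected`, because a key published without `use` will presumably surface later as an unknown kid at verification time.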
@@ -173,25 +173,25 @@ public void convertWhenJwkSetStreamHasECJwkElementWithMissingKeyIdAttributeThenT this.thrown.expect(JwkException.class); this.thrown.expectMessage("kid is a required attribute for an EC JWK."); Map jwkSetObject = new HashMap(); - Map jwkObject = this.createEllipticCurveJwkObject(null, null, null); + Map jwkObject = this.createEllipticCurveJwkObject(null, JwkDefinition.PublicKeyUse.SIG, null); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); this.converter.convert(this.asInputStream(jwkSetObject)); } @Test - public void convertWhenJwkSetStreamHasECJwkElementWithMissingPublicKeyUseAttributeThenThrowJwkException() throws Exception { - this.thrown.expect(JwkException.class); - this.thrown.expectMessage("unknown (use) is currently not supported."); + public void convertWhenJwkSetStreamHasECJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { Map jwkSetObject = new HashMap(); - Map jwkObject = this.createEllipticCurveJwkObject("key-id-1", null, null); + Map jwkObject = this.createEllipticCurveJwkObject("key-id-1", JwkDefinition.PublicKeyUse.ENC, null); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); - this.converter.convert(this.asInputStream(jwkSetObject)); + Set jwkSet = this.converter.convert(this.asInputStream(jwkSetObject)); + assertTrue("JWK Set NOT empty", jwkSet.isEmpty()); } + // gh-1871 @Test - public void convertWhenJwkSetStreamHasECJwkElementWithENCPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { + public void convertWhenJwkSetStreamHasECJwkElementWithoutPublicKeyUseAttributeThenReturnEmptyJwkSet() throws Exception { Map jwkSetObject = new HashMap(); - Map jwkObject = this.createEllipticCurveJwkObject("key-id-1", JwkDefinition.PublicKeyUse.ENC, null); + Map jwkObject = this.createEllipticCurveJwkObject("key-id-1", null, null); jwkSetObject.put(JwkAttributes.KEYS, new Map[] {jwkObject}); Set jwkSet = this.converter.convert(this.asInputStream(jwkSetObject)); 
assertTrue("JWK Set NOT empty", jwkSet.isEmpty()); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java similarity index 99% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java index 370fb7a28..4e4dffa8d 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreITests.java @@ -38,7 +38,7 @@ /** * @author Joe Grandja */ -public class JwkTokenStoreITest { +public class JwkTokenStoreITests { private MockWebServer server; @Before diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java similarity index 99% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java index 1817582fd..f835e110f 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkTokenStoreTests.java 
@@ -48,7 +48,7 @@ */ @RunWith(PowerMockRunner.class) @PrepareForTest(JwkTokenStore.class) -public class JwkTokenStoreTest { +public class JwkTokenStoreTests { private JwkTokenStore jwkTokenStore = new JwkTokenStore("https://identity.server1.io/token_keys"); @Rule @@ -129,7 +129,7 @@ public void readAccessTokenWhenJwtClaimsSetVerifierIsSetThenVerifyIsCalled() thr when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(mock(SignatureVerifier.class)); JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); - when(jwkDefinitionSource.getDefinitionLoadIfNecessary(anyString())).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary(anyString(), anyString())).thenReturn(jwkDefinitionHolder); JwkVerifyingJwtAccessTokenConverter jwtVerifyingAccessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java similarity index 62% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java index c67c54c3e..c534216fe 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwkVerifyingJwtAccessTokenConverterTests.java 
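Review bot: The re-stubbed `getDefinitionLoadIfNecessary(anyString(), anyString())` in the `@@ -129,7 +129,7 @@` hunk accepts any kid/x5t pair, so this test still passes if the converter hands the wrong header value to the key lookup. Whether `anyString()` matches a `null` x5t also depends on the Mockito version (1.x matches null, 2.x and later do not), which makes the stub fragile when the header carries no `x5t`. Matching the concrete arguments, e.g. `eq("key-id-1"), isNull(String.class)`, would pin the lookup, assuming the test builds its token from the default header, which is outside this hunk. The method body starts and ends outside the hunk.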
@@ -24,6 +24,8 @@ import java.util.Map; import static org.junit.Assert.assertNotNull; +import static org.mockito.Matchers.any; +import static org.mockito.Mockito.doThrow; import static org.mockito.Mockito.mock; import static org.mockito.Mockito.when; import static org.springframework.security.jwt.codec.Codecs.b64UrlEncode; @@ -34,7 +36,7 @@ /** * @author Joe Grandja */ -public class JwkVerifyingJwtAccessTokenConverterTest { +public class JwkVerifyingJwtAccessTokenConverterTests { @Rule public ExpectedException thrown = ExpectedException.none(); 
@@ -51,41 +53,41 @@ public void encodeWhenCalledThenThrowJwkException() throws Exception { @Test public void decodeWhenKeyIdHeaderMissingThenThrowJwkException() throws Exception { this.thrown.expect(InvalidTokenException.class); - this.thrown.expectMessage("Invalid JWT/JWS: kid is a required JOSE Header"); + this.thrown.expectMessage("Invalid JWT/JWS: kid or x5t is a required JOSE Header"); JwkVerifyingJwtAccessTokenConverter accessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(mock(JwkDefinitionSource.class)); - String jwt = createJwt(createJwtHeader(null, JwkDefinition.CryptoAlgorithm.RS256)); + String jwt = createJwt(createJwtHeader(null, null, JwkDefinition.CryptoAlgorithm.RS256)); accessTokenConverter.decode(jwt); } @Test public void decodeWhenKeyIdHeaderInvalidThenThrowJwkException() throws Exception { this.thrown.expect(InvalidTokenException.class); - this.thrown.expectMessage("Invalid JOSE Header kid (invalid-key-id)"); - JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256); + this.thrown.expectMessage("Invalid JOSE Header kid (invalid-key-id), x5t (null)"); + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256); JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); - when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder); JwkVerifyingJwtAccessTokenConverter accessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); - String jwt = createJwt(createJwtHeader("invalid-key-id", JwkDefinition.CryptoAlgorithm.RS256)); + String jwt = 
createJwt(createJwtHeader("invalid-key-id", null, JwkDefinition.CryptoAlgorithm.RS256)); accessTokenConverter.decode(jwt); } // gh-1129 @Test public void decodeWhenJwkAlgorithmNullAndJwtAlgorithmPresentThenDecodeStillSucceeds() throws Exception { - JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null); + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, null); JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); SignatureVerifier signatureVerifier = mock(SignatureVerifier.class); when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); - when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder); when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier); JwkVerifyingJwtAccessTokenConverter accessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); - String jwt = createJwt(createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS256)); + String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256)); String jws = jwt + "." + utf8Decode(b64UrlEncode("junkSignature".getBytes())); Map decodedJwt = accessTokenConverter.decode(jws); assertNotNull(decodedJwt); 
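Review bot: `decodeWhenKeyIdHeaderInvalidThenThrowJwkException` covers an unknown `kid` with no `x5t`, but the updated tests visible in this file have no counterpart for an unknown `x5t` with no `kid`. A test that builds the header with `createJwtHeader(null, "invalid-x5t", JwkDefinition.CryptoAlgorithm.RS256)` and expects `InvalidTokenException` would confirm the thumbprint path fails closed like the kid path (`invalid-x5t` is a constructed sample value). The expected text `Invalid JOSE Header kid (invalid-key-id), x5t (null)` also shows that header values from the unverified token are copied into the exception message. A comment such as `// message echoes unverified header values; treat as untrusted when logging or rendering` would flag that for callers.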
@@ -95,14 +97,14 @@ public void decodeWhenJwkAlgorithmNullAndJwtAlgorithmPresentThenDecodeStillSucce public void decodeWhenAlgorithmHeaderMissingThenThrowJwkException() throws Exception { this.thrown.expect(InvalidTokenException.class); this.thrown.expectMessage("Invalid JWT/JWS: alg is a required JOSE Header"); - JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256); + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256); JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); - when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder); JwkVerifyingJwtAccessTokenConverter accessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); - String jwt = createJwt(createJwtHeader("key-id-1", null)); + String jwt = createJwt(createJwtHeader("key-id-1", null, null)); accessTokenConverter.decode(jwt); } 
@@ -111,29 +113,67 @@ public void decodeWhenAlgorithmHeaderDoesNotMatchJwkAlgorithmThenThrowJwkExcepti this.thrown.expect(InvalidTokenException.class); this.thrown.expectMessage("Invalid JOSE Header alg (RS512) " + "does not match algorithm associated to JWK with kid (key-id-1)"); - JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", JwkDefinition.CryptoAlgorithm.RS256); + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256); JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); - when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1")).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder); JwkVerifyingJwtAccessTokenConverter accessTokenConverter = new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); - String jwt = createJwt(createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS512)); + String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS512)); accessTokenConverter.decode(jwt); } - private JwkDefinition createRSAJwkDefinition(String keyId, JwkDefinition.CryptoAlgorithm algorithm) { - return createRSAJwkDefinition(JwkDefinition.KeyType.RSA, keyId, + @Test + public void decodeWhenKidHeaderMissingButX5tHeaderPresentThenDecodeStillSucceeds() throws Exception { + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", "x5t-1", null); + JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); + JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); + SignatureVerifier signatureVerifier = mock(SignatureVerifier.class); + 
when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary(null, "x5t-1")).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier); + JwkVerifyingJwtAccessTokenConverter accessTokenConverter = + new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); + String jwt = createJwt(createJwtHeader(null, "x5t-1", JwkDefinition.CryptoAlgorithm.RS256)); + String jws = jwt + "." + utf8Decode(b64UrlEncode("junkSignature".getBytes())); + Map decodedJwt = accessTokenConverter.decode(jws); + assertNotNull(decodedJwt); + } + + // gh-1522, gh-1852 + @Test + public void decodeWhenVerifySignatureFailsThenThrowInvalidTokenException() throws Exception { + this.thrown.expect(InvalidTokenException.class); + this.thrown.expectMessage("Failed to decode/verify JWT/JWS"); + JwkDefinition jwkDefinition = this.createRSAJwkDefinition("key-id-1", null, null); + JwkDefinitionSource jwkDefinitionSource = mock(JwkDefinitionSource.class); + JwkDefinitionSource.JwkDefinitionHolder jwkDefinitionHolder = mock(JwkDefinitionSource.JwkDefinitionHolder.class); + SignatureVerifier signatureVerifier = mock(SignatureVerifier.class); + when(jwkDefinitionHolder.getJwkDefinition()).thenReturn(jwkDefinition); + when(jwkDefinitionSource.getDefinitionLoadIfNecessary("key-id-1", null)).thenReturn(jwkDefinitionHolder); + when(jwkDefinitionHolder.getSignatureVerifier()).thenReturn(signatureVerifier); + doThrow(RuntimeException.class).when(signatureVerifier).verify(any(byte[].class), any(byte[].class)); + JwkVerifyingJwtAccessTokenConverter accessTokenConverter = + new JwkVerifyingJwtAccessTokenConverter(jwkDefinitionSource); + String jwt = createJwt(createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256)); + String jws = jwt + "." 
+ utf8Decode(b64UrlEncode("junkSignature".getBytes())); + accessTokenConverter.decode(jws); + } + + private JwkDefinition createRSAJwkDefinition(String keyId, String x5t, JwkDefinition.CryptoAlgorithm algorithm) { + return createRSAJwkDefinition(JwkDefinition.KeyType.RSA, keyId, x5t, JwkDefinition.PublicKeyUse.SIG, algorithm, "AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL", "AQAB"); } private JwkDefinition createRSAJwkDefinition(JwkDefinition.KeyType keyType, String keyId, + String x5t, JwkDefinition.PublicKeyUse publicKeyUse, JwkDefinition.CryptoAlgorithm algorithm, String modulus, String exponent) { - return new RsaJwkDefinition(keyId, publicKeyUse, algorithm, modulus, exponent); + return new RsaJwkDefinition(keyId, x5t, publicKeyUse, algorithm, modulus, exponent); } } \ No newline at end of file diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java similarity index 98% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java index f15422876..5d44d2cc9 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtHeaderConverterTests.java @@ -32,7 +32,7 @@ * @author Joe Grandja * @author Vedran Pavic */ -public class JwtHeaderConverterTest { +public class JwtHeaderConverterTests { private final JwtHeaderConverter converter = new JwtHeaderConverter(); @Rule 
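Review bot: `decodeWhenKidHeaderMissingButX5tHeaderPresentThenDecodeStillSucceeds` would still pass if the x5t path skipped signature verification entirely. It uses a mocked `SignatureVerifier` whose `verify` does nothing, feeds it `junkSignature`, and asserts only `assertNotNull(decodedJwt)`. Adding `verify(signatureVerifier).verify(any(byte[].class), any(byte[].class));` after the decode (with a static import of `org.mockito.Mockito.verify`) would pin that the check runs for keys resolved by thumbprint. The same assertion would strengthen the existing `decodeWhenJwkAlgorithmNullAndJwtAlgorithmPresentThenDecodeStillSucceeds` test, which follows the same pattern.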
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java index 4b8b97c30..b8c30e1de 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/JwtTestUtil.java @@ -44,14 +44,17 @@ static String createJwt(byte[] jwtHeader, byte[] jwtPayload) throws Exception { } static byte[] createDefaultJwtHeader() throws Exception { - return createJwtHeader("key-id-1", JwkDefinition.CryptoAlgorithm.RS256); + return createJwtHeader("key-id-1", null, JwkDefinition.CryptoAlgorithm.RS256); } - static byte[] createJwtHeader(String keyId, JwkDefinition.CryptoAlgorithm algorithm) throws Exception { + static byte[] createJwtHeader(String keyId, String x5t, JwkDefinition.CryptoAlgorithm algorithm) throws Exception { Map jwtHeader = new HashMap(); if (keyId != null) { jwtHeader.put(JwkAttributes.KEY_ID, keyId); } + if (x5t != null) { + jwtHeader.put(JwkAttributes.X5T, x5t); + } if (algorithm != null) { jwtHeader.put(JwkAttributes.ALGORITHM, algorithm.headerParamValue()); } diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java similarity index 90% rename from spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java rename to spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java index 96712e452..b62eb5658 100644 
--- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTest.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/jwk/RsaJwkDefinitionTests.java @@ -22,20 +22,22 @@ /** * @author Joe Grandja */ -public class RsaJwkDefinitionTest { +public class RsaJwkDefinitionTests { @Test public void constructorWhenArgumentsPassedThenAttributesAreCorrectlySet() throws Exception { String keyId = "key-id-1"; + String x5t = "x5t-1"; JwkDefinition.PublicKeyUse publicKeyUse = JwkDefinition.PublicKeyUse.ENC; JwkDefinition.CryptoAlgorithm algorithm = JwkDefinition.CryptoAlgorithm.RS384; String modulus = "AMh-pGAj9vX2gwFDyrXot1f2YfHgh8h0Qx6w9IqLL"; String exponent = "AQAB"; RsaJwkDefinition rsaJwkDefinition = new RsaJwkDefinition( - keyId, publicKeyUse, algorithm, modulus, exponent); + keyId, x5t, publicKeyUse, algorithm, modulus, exponent); assertEquals(keyId, rsaJwkDefinition.getKeyId()); + assertEquals(x5t, rsaJwkDefinition.getX5t()); assertEquals(JwkDefinition.KeyType.RSA, rsaJwkDefinition.getKeyType()); assertEquals(publicKeyUse, rsaJwkDefinition.getPublicKeyUse()); assertEquals(algorithm, rsaJwkDefinition.getAlgorithm()); diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java new file mode 100644 index 000000000..946955c26 --- /dev/null +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreCustomTokenTests.java 
@@ -0,0 +1,141 @@ +/* + * Copyright 2012-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.oauth2.provider.token.store.redis; + +import java.util.ArrayList; +import java.util.Collection; +import java.util.List; +import java.util.UUID; + +import org.company.oauth2.CustomOAuth2AccessToken; +import org.company.oauth2.CustomOAuth2Authentication; +import org.junit.Before; +import org.junit.Test; +import org.springframework.core.serializer.support.SerializationFailedException; +import org.springframework.data.redis.connection.jedis.JedisConnectionFactory; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.oauth2.common.OAuth2AccessToken; +import org.springframework.security.oauth2.common.util.SerializationStrategy; +import org.springframework.security.oauth2.common.util.SerializationUtils; +import org.springframework.security.oauth2.common.util.WhitelistedSerializationStrategy; +import org.springframework.security.oauth2.provider.OAuth2Authentication; +import org.springframework.security.oauth2.provider.OAuth2Request; +import org.springframework.security.oauth2.provider.RequestTokenFactory; +import org.springframework.util.ClassUtils; +import redis.clients.jedis.JedisShardInfo; + +import static org.junit.Assert.*; + +/** + * @author Artem Smotrakov + */ +public class RedisTokenStoreCustomTokenTests { + + private static 
final String CLIENT_ID = "customClient"; + + private static final List ALLOWED_CLASSES = new ArrayList(); + + static { + ALLOWED_CLASSES.add("java.util."); + ALLOWED_CLASSES.add("org.springframework.security."); + ALLOWED_CLASSES.add("org.company.oauth2.CustomOAuth2AccessToken"); + ALLOWED_CLASSES.add("org.company.oauth2.CustomOAuth2Authentication"); + } + + private RedisTokenStore tokenStore; + + @Before + public void setup() { + boolean springDataRedis_2_0 = ClassUtils.isPresent( + "org.springframework.data.redis.connection.RedisStandaloneConfiguration", + this.getClass().getClassLoader()); + + JedisConnectionFactory connectionFactory; + if (springDataRedis_2_0) { + connectionFactory = new JedisConnectionFactory(); + } else { + JedisShardInfo shardInfo = new JedisShardInfo("localhost"); + connectionFactory = new JedisConnectionFactory(shardInfo); + } + + tokenStore = new RedisTokenStore(connectionFactory); + } + + @Test + public void testCustomToken() { + OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false); + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password"); + + String token = "access-token-" + UUID.randomUUID(); + OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken(token); + OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication); + + tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication); + Collection tokens = tokenStore.findTokensByClientId(request.getClientId()); + assertNotNull(tokens); + assertFalse(tokens.isEmpty()); + for (OAuth2AccessToken oAuth2AccessToken : tokens) { + if (token.equals(oAuth2AccessToken.getValue())) { + return; + } + } + fail("No token found!"); + } + + @Test(expected = SerializationFailedException.class) + public void testNotAllowedCustomToken() { + OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false); + TestingAuthenticationToken authentication = new 
TestingAuthenticationToken("user", "password"); + + String token = "access-token-" + UUID.randomUUID(); + OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken(token); + OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication); + + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication); + tokenStore.findTokensByClientId(request.getClientId()); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + + @Test + public void testCustomTokenWithCustomSerializationStrategy() { + OAuth2Request request = RequestTokenFactory.createOAuth2Request(CLIENT_ID, false); + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password"); + + OAuth2AccessToken oauth2AccessToken = new CustomOAuth2AccessToken("access-token-" + UUID.randomUUID()); + OAuth2Authentication oauth2Authentication = new CustomOAuth2Authentication(request, authentication); + + WhitelistedSerializationStrategy newStrategy = new WhitelistedSerializationStrategy(ALLOWED_CLASSES); + SerializationStrategy oldStrategy = SerializationUtils.getSerializationStrategy(); + try { + SerializationUtils.setSerializationStrategy(newStrategy); + tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication); + + OAuth2AccessToken token = tokenStore.getAccessToken(oauth2Authentication); + assertNotNull(token); + assertEquals(oauth2AccessToken, token); + } finally { + SerializationUtils.setSerializationStrategy(oldStrategy); + } + } + +} \ No newline at end of file 
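Review bot: `testNotAllowedCustomToken` puts `@Test(expected = SerializationFailedException.class)` on the whole method, so it passes whichever call throws, including `storeAccessToken`, before anything is read back. The case under test appears to be that a default `WhitelistedSerializationStrategy` rejects `CustomOAuth2AccessToken` on deserialization, so the expectation should be pinned to `findTokensByClientId` alone and the store call required to succeed. `ALLOWED_CLASSES` also deserves a comment: the entries ending in a dot (`java.util.`, `org.springframework.security.`) look like package prefixes. If the strategy matches by prefix, every class under those packages is admitted, so anyone copying the list should prefer exact class names where possible.

```java
@Test
public void testNotAllowedCustomToken() {
	// … unchanged: request, authentication, token and strategy setup …
	try {
		SerializationUtils.setSerializationStrategy(newStrategy);
		// Writing must succeed; only the read path is expected to be rejected.
		tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication);
		try {
			tokenStore.findTokensByClientId(request.getClientId());
			fail("Expected the default allowlist to reject CustomOAuth2AccessToken on read");
		} catch (SerializationFailedException expected) {
			// rejected while deserializing, which is the behaviour under test
		}
	} finally {
		SerializationUtils.setSerializationStrategy(oldStrategy);
	}
}
```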
diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java index 738f0f1c2..4baa81884 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreMockTests.java @@ -67,6 +67,13 @@ public void storeRefreshTokenRemoveRefreshTokenVerifyKeysRemoved() { ArgumentCaptor keyArgs = ArgumentCaptor.forClass(byte[].class); verify(connection, times(2)).set(keyArgs.capture(), any(byte[].class)); + List result = new ArrayList(); + result.add(Long.valueOf(1)); + result.add(Long.valueOf(1)); + result.add(new byte[] {42}); + result.add(Long.valueOf(1)); + when(connection.closePipeline()).thenReturn(result); + tokenStore.removeRefreshToken(oauth2RefreshToken); for (byte[] key : keyArgs.getAllValues()) { diff --git a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java index 996e15c21..ded1f1529 100644 --- a/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java +++ b/spring-security-oauth2/src/test/java/org/springframework/security/oauth2/provider/token/store/redis/RedisTokenStoreTests.java 
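Review bot: The stubbed `closePipeline()` result in `storeRefreshTokenRemoveRefreshTokenVerifyKeysRemoved` is an unexplained positional list (`Long`, `Long`, `byte[] {42}`, `Long`), which presumably mirrors the order of the commands that `removeRefreshToken` pipelines. If that order changes, the test fails in a way that is hard to trace back to this stub. A comment above the list would help, for example `// pipeline replies in command order; the third entry stands in for the value read back inside the pipeline (confirm against removeRefreshToken)`. The test method starts and ends outside the hunk.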
@@ -2,6 +2,8 @@ import org.junit.Before; import org.junit.Test; + +import org.springframework.data.redis.connection.RedisConnection; import org.springframework.data.redis.connection.jedis.JedisConnectionFactory; import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken; @@ -28,6 +30,8 @@ */ public class RedisTokenStoreTests extends TokenStoreBaseTests { + private JedisConnectionFactory connectionFactory; + private RedisTokenStoreSerializationStrategy serializationStrategy = new JdkSerializationStrategy(); private RedisTokenStore tokenStore; @Override @@ -41,7 +45,6 @@ public void setup() throws Exception { "org.springframework.data.redis.connection.RedisStandaloneConfiguration", this.getClass().getClassLoader()); - JedisConnectionFactory connectionFactory; if (springDataRedis_2_0) { connectionFactory = new JedisConnectionFactory(); } else { @@ -49,7 +52,9 @@ public void setup() throws Exception { connectionFactory = new JedisConnectionFactory(shardInfo); } + serializationStrategy = new JdkSerializationStrategy(); tokenStore = new RedisTokenStore(connectionFactory); + tokenStore.setSerializationStrategy(serializationStrategy); } @Test 
@@ -109,4 +114,46 @@ public void storeAccessTokenWithoutRefreshTokenRemoveAccessTokenVerifyTokenRemov assertTrue(oauth2AccessTokens.isEmpty()); } + // gh-1836 + @Test + public void storeAccessTokenWithRefreshTokenRemoveRefreshTokenAndAccessTokenVerifyTokenRemoved() { + OAuth2Request request = RequestTokenFactory.createOAuth2Request("clientId", false); + TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "password"); + + DefaultOAuth2AccessToken oauth2AccessToken = new DefaultOAuth2AccessToken( + "access-token-" + UUID.randomUUID()); + DefaultOAuth2RefreshToken oauth2RefreshToken = new DefaultOAuth2RefreshToken( + "refresh-token-" + UUID.randomUUID()); + oauth2AccessToken.setRefreshToken(oauth2RefreshToken); + + OAuth2Authentication oauth2Authentication = new OAuth2Authentication(request, authentication); + + tokenStore.storeAccessToken(oauth2AccessToken, oauth2Authentication); + String accessTokenValue = getValue("refresh_to_access:" + oauth2RefreshToken.getValue()); + assertEquals(accessTokenValue, oauth2AccessToken.getValue()); + String refreshTokenValue = getValue("access_to_refresh:" + oauth2AccessToken.getValue()); + assertEquals(refreshTokenValue, oauth2RefreshToken.getValue()); + + tokenStore.removeRefreshToken(oauth2RefreshToken); + accessTokenValue = getValue("refresh_to_access:" + oauth2RefreshToken.getValue()); + assertNull("Key refresh_to_access was not deleted!", accessTokenValue); + refreshTokenValue = getValue("access_to_refresh:" + oauth2AccessToken.getValue()); + assertNull("Key access_to_refresh was not deleted!", refreshTokenValue); + + tokenStore.removeAccessToken(oauth2AccessToken); + + Collection oauth2AccessTokens = tokenStore.findTokensByClientId(request.getClientId()); + assertTrue(oauth2AccessTokens.isEmpty()); + } + + private String getValue(String key) { + RedisConnection conn = connectionFactory.getConnection(); + try { + byte[] value = conn.get(key.getBytes()); + return 
serializationStrategy.deserializeString(value); + } + finally { + conn.close(); + } + } } \ No newline at end of file diff --git a/tests/annotation/approval/pom.xml b/tests/annotation/approval/pom.xml index c336fa806..fc2fd2aeb 100644 --- a/tests/annotation/approval/pom.xml +++ b/tests/annotation/approval/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/client/pom.xml b/tests/annotation/client/pom.xml index 732ce4d2d..442e2943d 100644 --- a/tests/annotation/client/pom.xml +++ b/tests/annotation/client/pom.xml @@ -11,7 +11,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/common/pom.xml b/tests/annotation/common/pom.xml index 9346b8508..dbd87fe58 100644 --- a/tests/annotation/common/pom.xml +++ b/tests/annotation/common/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/custom-authentication/pom.xml b/tests/annotation/custom-authentication/pom.xml index ded96d35d..488c5b58f 100644 --- a/tests/annotation/custom-authentication/pom.xml +++ b/tests/annotation/custom-authentication/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/custom-grant/pom.xml b/tests/annotation/custom-grant/pom.xml index faf3e8def..a6a81a4f5 100644 --- a/tests/annotation/custom-grant/pom.xml +++ b/tests/annotation/custom-grant/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/form/pom.xml b/tests/annotation/form/pom.xml index 454ae497b..8ecfad322 100644 --- a/tests/annotation/form/pom.xml +++ b/tests/annotation/form/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT 
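Review bot: `getValue` builds the Redis key with `key.getBytes()`, which uses the platform default charset, while the value is decoded through `serializationStrategy`. Encoding the key through the same strategy keeps the lookup byte-identical to what the store writes on any platform: `byte[] value = conn.get(serializationStrategy.serialize(key));`. The `assertNull` checks after `removeRefreshToken` also rely on `deserializeString` returning null for a missing key rather than throwing, which is worth a one-line comment in `getValue`.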
diff --git a/tests/annotation/jaxb/pom.xml b/tests/annotation/jaxb/pom.xml index 506901b32..ef1ae880e 100644 --- a/tests/annotation/jaxb/pom.xml +++ b/tests/annotation/jaxb/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/jdbc/pom.xml b/tests/annotation/jdbc/pom.xml index be1481b1a..2ee75f7b7 100644 --- a/tests/annotation/jdbc/pom.xml +++ b/tests/annotation/jdbc/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/jpa/pom.xml b/tests/annotation/jpa/pom.xml index e0e777234..8473dfb66 100644 --- a/tests/annotation/jpa/pom.xml +++ b/tests/annotation/jpa/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/jwt/pom.xml b/tests/annotation/jwt/pom.xml index 3ac138b71..31762c1b3 100644 --- a/tests/annotation/jwt/pom.xml +++ b/tests/annotation/jwt/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/mappings/pom.xml b/tests/annotation/mappings/pom.xml index f50323ea3..3936cae0a 100644 --- a/tests/annotation/mappings/pom.xml +++ b/tests/annotation/mappings/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/multi/pom.xml b/tests/annotation/multi/pom.xml index d69932108..6d4bae27f 100644 --- a/tests/annotation/multi/pom.xml +++ b/tests/annotation/multi/pom.xml @@ -9,7 +9,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/pom.xml b/tests/annotation/pom.xml index cbb2fdb17..e42187e19 100644 --- a/tests/annotation/pom.xml +++ b/tests/annotation/pom.xml @@ -4,7 +4,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT pom 
@@ -27,7 +27,7 @@ demo.Application 1.7 - 4.3.25.RELEASE + 4.3.30.RELEASE spring-oauth2-tests @@ -36,7 +36,7 @@ org.springframework.boot spring-boot-starter-parent - 1.5.1.RELEASE + 1.5.22.RELEASE @@ -45,18 +45,12 @@ org.springframework.security.oauth spring-security-oauth2 - 2.3.8.BUILD-SNAPSHOT - - - jackson-mapper-asl - org.codehaus.jackson - - + 2.5.3.BUILD-SNAPSHOT org.springframework.security spring-security-jwt - 1.0.11.RELEASE + 1.1.1.RELEASE @@ -144,12 +138,12 @@ org.apache.maven.plugins maven-checkstyle-plugin - 3.1.0 + 3.1.1 com.puppycrawl.tools checkstyle - 8.18 + 8.31 io.spring.nohttp diff --git a/tests/annotation/resource/pom.xml b/tests/annotation/resource/pom.xml index db64ee194..4639eecd4 100644 --- a/tests/annotation/resource/pom.xml +++ b/tests/annotation/resource/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/ssl/pom.xml b/tests/annotation/ssl/pom.xml index 04c5af087..e28d3f2a0 100644 --- a/tests/annotation/ssl/pom.xml +++ b/tests/annotation/ssl/pom.xml @@ -11,7 +11,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/annotation/vanilla/pom.xml b/tests/annotation/vanilla/pom.xml index c498bf342..f3ab8d83f 100644 --- a/tests/annotation/vanilla/pom.xml +++ b/tests/annotation/vanilla/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/pom.xml b/tests/pom.xml index f68efa6e6..8a9a2e705 100644 --- a/tests/pom.xml +++ b/tests/pom.xml @@ -4,7 +4,7 @@ org.springframework.security.oauth spring-security-oauth-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT spring-security-oauth-tests 
@@ -35,8 +35,8 @@ - static.springframework.org - scp://static.springframework.org/var/www/domains/springframework.org/static/htdocs/spring-security/oauth/tests + static.spring.io + scp://docs-ip.spring.io/var/www/domains/spring.io/docs/htdocs/spring-security/oauth/site/docs/${project.version} diff --git a/tests/xml/approval/pom.xml b/tests/xml/approval/pom.xml index 9670361f7..cbedf4734 100644 --- a/tests/xml/approval/pom.xml +++ b/tests/xml/approval/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/client/pom.xml b/tests/xml/client/pom.xml index ba328b9a6..74e023154 100644 --- a/tests/xml/client/pom.xml +++ b/tests/xml/client/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/common/pom.xml b/tests/xml/common/pom.xml index d27ee217c..286196a8a 100644 --- a/tests/xml/common/pom.xml +++ b/tests/xml/common/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/form/pom.xml b/tests/xml/form/pom.xml index ddbf2c629..9e636fe8f 100644 --- a/tests/xml/form/pom.xml +++ b/tests/xml/form/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/jdbc/pom.xml b/tests/xml/jdbc/pom.xml index 7d8534555..3b2b1f8f9 100644 --- a/tests/xml/jdbc/pom.xml +++ b/tests/xml/jdbc/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/jwt/pom.xml b/tests/xml/jwt/pom.xml index b01a89398..8e3ffe1b0 100644 --- a/tests/xml/jwt/pom.xml +++ b/tests/xml/jwt/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/mappings/pom.xml b/tests/xml/mappings/pom.xml index 446740d23..375fec92a 100644 --- a/tests/xml/mappings/pom.xml 
+++ b/tests/xml/mappings/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT diff --git a/tests/xml/pom.xml b/tests/xml/pom.xml index 7afbc4dde..6d03a2e3c 100644 --- a/tests/xml/pom.xml +++ b/tests/xml/pom.xml @@ -4,7 +4,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT pom @@ -21,7 +21,7 @@ demo.Application 1.7 - 4.3.25.RELEASE + 4.3.30.RELEASE spring-oauth2-tests-xml @@ -39,18 +39,12 @@ org.springframework.security.oauth spring-security-oauth2 - 2.3.8.BUILD-SNAPSHOT - - - jackson-mapper-asl - org.codehaus.jackson - - + 2.5.3.BUILD-SNAPSHOT org.springframework.security spring-security-jwt - 1.0.11.RELEASE + 1.1.1.RELEASE @@ -93,12 +87,12 @@ org.apache.maven.plugins maven-checkstyle-plugin - 3.1.0 + 3.1.1 com.puppycrawl.tools checkstyle - 8.18 + 8.31 io.spring.nohttp diff --git a/tests/xml/vanilla/pom.xml b/tests/xml/vanilla/pom.xml index cc733d5a1..bc6c63fc6 100644 --- a/tests/xml/vanilla/pom.xml +++ b/tests/xml/vanilla/pom.xml @@ -10,7 +10,7 @@ org.demo spring-oauth2-tests-xml-parent - 2.3.8.BUILD-SNAPSHOT + 2.5.3.BUILD-SNAPSHOT