Spring Security and OpenID Connect (OIDC)

In my current project, I am making full use of the Spring Security OAuth project (http://projects.spring.io/spring-security-oauth/) to protect our resources (Web API). So far, everything is working fine.

Now I am working on client development, and I am looking for good support for authentication scenarios (since OAuth is an authentication protocol). After a long, long internet search, I am pretty sure that I have to use OpenID Connect (http://openid.net/connect/) to fulfil this requirement, as it is a "simple authentication layer on top of OAuth 2.0" (though I know there is no such thing as "simple" when it comes to security).

Sad, but true. I cannot find any good resources on supporting OpenID Connect (not to be confused with the "plain" OpenID) in Spring Security. There is a reference OpenID Connect implementation at https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, but I expected something coming directly from, or integrated with, Spring Security, with full documentation, etc. I found a discussion about two years old here https://github.com/spring-projects/spring-security-oauth/issues/220, but what is the current status? A search for "Spring Security Support for OpenID Connect" yields no tangible results.

Do you have information, documentation and/or experience regarding implementing OpenID Connect with Spring Security?

spring spring-security oauth openid-connect

1 answer

Before OpenID Connect, it was almost correct to assume that the value of the response_type request parameter would be either code (for the authorization code flow) or token (for the implicit flow). However, an authorization server implementation now has to be able to handle any combination of code, token and id_token, as well as none. Details are described in "OpenID Connect Core 1.0, 3. Authentication" and "OAuth 2.0 Multiple Response Type Encoding Practices".

As a first step in supporting OpenID Connect, Spring Security OAuth should become flexible about response_type. You can find a request for it in Issue 619 (handling additional response_types parameters). However, it is difficult to modify existing code that expects only code or token into new code that can take several values at once. At the time of this writing, the last comment on Issue 619, made on December 12, 2015, ends with the sentence below.

"Any comments are more than welcome, as it turned out (as I predicted) to be a great refactoring exercise."

If Spring Security OAuth is a purely volunteer project without any commercial support, such a big change is unlikely to happen.

My experience: about two years ago, I wrote an OAuth 2.0 server from scratch. It was only after that that I learned of the existence of OpenID Connect. After reading the specifications related to OpenID Connect, I finally came to the conclusion that I had to discard the existing implementation and rewrite the server from scratch again.

As you may have guessed, OpenID Connect is not easy.

See also "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings".

">
Update (2017-November-23)

Authorization Server and OpenID Provider on Spring Framework
https://github.com/authlete/spring-oauth-server

Resource Server on Spring Framework
https://github.com/authlete/spring-resource-server

spring-oauth-server supports OAuth 2.0 and OpenID Connect. spring-resource-server has a UserInfo endpoint implementation as defined in "OpenID Connect Core 1.0, 5.3. UserInfo Endpoint". Neither implementation uses Spring Security OAuth; both use Spring Boot and Authlete.

Blog: Spring + OAuth 2.0 + OpenID Connect

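The answer above says that an OpenID Connect authorization server can no longer treat response_type as a two-valued switch. The following is an added example (not code from the answerer, from Spring Security OAuth or from the Authlete projects) showing what the response_type handling that Issue 619 asks for actually involves: parsing the space-separated value as an order-independent set, mapping the set to the flow defined in OpenID Connect Core 1.0 section 3, deriving the default response_mode from OAuth 2.0 Multiple Response Type Encoding Practices, and running the checks that depend on the result (registered response_types, the openid scope, the nonce that implicit and hybrid flows require, and refusing to put tokens in the query string). It is written in Python rather than Java so that it runs stand-alone; the function and error-class names, the sample requests and the decision to reject an id_token request without the openid scope are this example's own choices, not anything the specifications or Spring mandate.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Individual response_type values from OAuth 2.0 ("code", "token"), OpenID
# Connect Core 1.0 ("id_token") and Multiple Response Type Encoding ("none").
KNOWN_VALUES = frozenset({"code", "token", "id_token", "none"})

# Value sets that OpenID Connect Core 1.0 section 3 maps to a flow. The sets are
# order-independent: "code id_token" and "id_token code" are the same request.
FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
    frozenset({"token"}): "oauth2_implicit",  # plain OAuth 2.0, no ID Token
    frozenset({"none"}): "none",              # no credential is issued at all
}

# Response modes this example understands ("form_post" comes from the
# OAuth 2.0 Form Post Response Mode specification).
KNOWN_MODES = frozenset({"query", "fragment", "form_post"})


class AuthzError(ValueError):
    """Carries the OAuth 2.0 error code the server would send back (example type)."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


@dataclass(frozen=True)
class ResponseTypePlan:
    values: frozenset
    flow: str
    default_response_mode: str  # "query" or "fragment"

    @property
    def issues_id_token(self) -> bool:
        return "id_token" in self.values


def parse_response_type(raw: Optional[str]) -> ResponseTypePlan:
    """Validate an already URL-decoded response_type value and classify the flow."""
    tokens = raw.split(" ") if raw else []
    if not tokens or "" in tokens:
        raise AuthzError("invalid_request", "response_type is missing or malformed")
    values = frozenset(tokens)
    if len(values) != len(tokens):
        raise AuthzError("invalid_request", "duplicate value in response_type")
    unknown = values - KNOWN_VALUES
    if unknown:
        raise AuthzError("unsupported_response_type",
                         "unknown response_type value(s): " + " ".join(sorted(unknown)))
    if values not in FLOWS:  # e.g. "code none": none cannot be combined
        raise AuthzError("unsupported_response_type",
                         "response_type combination not allowed: " + raw)
    # Multiple Response Types 2.1: anything returning an access token or ID Token
    # through the front channel defaults to the fragment encoding, so the
    # credential never reaches the server (and its logs) in the query string.
    mode = "fragment" if values & {"token", "id_token"} else "query"
    return ResponseTypePlan(values, FLOWS[values], mode)


def validate_authorization_request(params: dict,
                                   registered_response_types: Optional[Iterable[str]] = None
                                   ) -> Tuple[ResponseTypePlan, str]:
    """Run the response_type-dependent checks; return (plan, effective response_mode)."""
    plan = parse_response_type(params.get("response_type"))

    # OIDC Dynamic Client Registration: a client may only use the response_type
    # sets it registered; registered values are strings such as "code id_token".
    if registered_response_types is not None:
        allowed = {frozenset(r.split()) for r in registered_response_types}
        if plan.values not in allowed:
            raise AuthzError("unauthorized_client",
                             "client is not registered for this response_type")

    scopes = set((params.get("scope") or "").split())
    # An ID Token is only defined for requests carrying the "openid" scope;
    # this example rejects such a request rather than guessing (design choice).
    if plan.issues_id_token and "openid" not in scopes:
        raise AuthzError("invalid_request", "openid scope is required for id_token")

    # OIDC Core 3.2.2.1 and 3.3.2.1: nonce is REQUIRED in implicit and hybrid flows.
    if plan.flow in ("implicit", "hybrid") and not params.get("nonce"):
        raise AuthzError("invalid_request", "nonce is required for this response_type")

    mode = params.get("response_mode") or plan.default_response_mode
    if mode not in KNOWN_MODES:
        raise AuthzError("invalid_request", "unknown response_mode: " + mode)
    # Multiple Response Types 2.1: a response whose default is fragment must
    # never be encoded in the query string, even if the client asks for it.
    if mode == "query" and plan.default_response_mode == "fragment":
        raise AuthzError("invalid_request",
                         "response_mode=query not allowed for " + " ".join(sorted(plan.values)))
    return plan, mode


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    req = {"response_type": "id_token code", "scope": "openid profile", "nonce": "abc123"}
    plan, mode = validate_authorization_request(req, ["code", "code id_token"])
    print(plan.flow, mode)  # hybrid fragment
```

The point of keeping the classification in a set-keyed table is that every branch the answer mentions (code, token, id_token and none, in any order) is handled by one lookup, which is exactly the shape that is hard to retrofit onto code written around an if/else on "code" versus "token".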
