NOTE Originally reported by @btiernay on https://github.com/spring-projects/spring-security/issues/98
Right now it is unclear how one would implement OpenID Connect using Spring Security. There isn't much on the topic in the documentation or the web. The most popular hit on google for openid connect spring is the following:
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
However, it seems pretty heavyweight and full stack, akin to using CloudFoundry's UAA over Spring's OAuth 2.0 support.
There are the following unanswered questions on SO that get to the heart of the problem:
There is also this mention from the Spring blog:
http://spring.io/blog/2014/04/18/spring-security-oauth-2-0-0-rc1-available
The Authorization Server APIs have been refactored a lot to enable new use cases to be easily added: for example OpenID Connect (OIDC), MAC tokens, or the new Token Revocation standard are easy to add. I know of at least one OIDC implementation that use Spring OAuth2 2.0 already.
However it is unclear what that implementation is, whether or not it comes recommended and if Spring has any plans to support it in the future.
What would be nice is some guidance from Spring at the very least (in documentation for example). However, first class support for OpenID Connect (much like Spring's OAuth2 support) would be great since it represents the future of federated identity management.
ps. JIRA was down when this ticket was created so I apologize for any duplication.
+1. It's pretty straightforward to implement the user info endpoint or even the discovery endpoint, but currently it's not clear how one would extend Spring's code to generate and return an id_token.
Any reference to this impl: "I know of at least one OIDC implementation that use Spring OAuth2 2.0 already." ?
Just a guess but probably mitreid-connect/OpenID-Connect-Java-Spring-Server.
Though do note mitreid-connect/OpenID-Connect-Java-Spring-Server#617.
Any clue of if and when this is going to be implemented? Google is ditching OpenID support in the coming year in favour of OpenID Connect. A lot of us need to migrate!
+1. It is high time that the openid-connect implementation is prioritized. Google has already stopped new domains from using OpenId since May 23 this year.
The mitreid implementation doesn't seem to work out of the box with Google. Has anyone made a custom implementation for Google on top of mitreid client yet?
UPDATE: I've modified a few mitreid classes (authprovider, authfilter, authrequestbuilder) to work with google openidconnect seamlessly. Very briefly, the changes are:
(1) Writing GoogleAuthRequestUrlBuilder which doesn't send 'nonce'
(2) Writing GoogleOIDCAuthenticationFilter, which overrides the handleAuthorizationCodeResponse to exclude nonce check and add the client_id and client_secret to token request as well.
(3) Writing GoogleAuthenticationProvider, which (1) uses the GoogleUserInfoFetcher, instead of UserInfoFetcher. (2) calls the loadUserByUsername to fetch authorities and other user details (3) returns the token with email address (instead of sub) and the details fetched in (2).
(4) Writing the GoogleUserInfoFetcher, which removes the unnecessary if else clauses.
If anybody needs a sample project, please let me know. I will ask the folks at Mitre Id if they would like to add this custom implementation to their github repo.
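The comment above drops the nonce check on the client side. For anyone writing their own filter, here is the set of relying-party checks an id_token normally gets before the subject is trusted: signature, issuer, audience (plus azp when several audiences are present), expiry, and the nonce bound to the session when the client sent one. This is an added example, not code from MITREid Connect or Spring OAuth. It assumes the provider signs with RS256, that the caller has already fetched the provider's public key (for example from its jwks_uri), that `spring-security-jwt` and Jackson are on the classpath, and that the class name `IdTokenValidator` is hypothetical.

```java
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.time.Instant;
import java.util.List;
import java.util.Map;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.jwt.Jwt;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;

/**
 * Example relying-party checks for an OIDC id_token (hypothetical class, not part of
 * MITREid Connect or Spring OAuth). The provider's RSA public key, issuer URL and this
 * client's client_id are supplied by the caller.
 */
public class IdTokenValidator {

    private final RsaVerifier verifier;      // verifies the JWS signature with the provider's public key
    private final String expectedIssuer;     // must equal the "iss" claim exactly
    private final String clientId;           // must be listed in "aud"
    private final ObjectMapper mapper = new ObjectMapper();

    public IdTokenValidator(RSAPublicKey providerKey, String expectedIssuer, String clientId) {
        this.verifier = new RsaVerifier(providerKey);
        this.expectedIssuer = expectedIssuer;
        this.clientId = clientId;
    }

    /**
     * @param idToken       the compact JWS from the token response
     * @param expectedNonce the nonce this client placed on the authorization request, or null if none was sent
     * @return the verified claim set
     * @throws IllegalStateException if any check fails
     */
    public Map<String, Object> validate(String idToken, String expectedNonce) throws IOException {
        // 1. Signature: decodeAndVerify throws InvalidSignatureException on a bad signature
        Jwt jwt = JwtHelper.decodeAndVerify(idToken, verifier);
        Map<String, Object> claims =
                mapper.readValue(jwt.getClaims(), new TypeReference<Map<String, Object>>() {});

        // 2. Issuer must match the configured / discovered issuer exactly
        require(expectedIssuer.equals(claims.get("iss")), "iss mismatch");

        // 3. Audience may be a string or an array; this client must be listed.
        //    With several audiences the token must also carry azp equal to this client.
        Object aud = claims.get("aud");
        boolean listed = aud instanceof List ? ((List<?>) aud).contains(clientId) : clientId.equals(aud);
        require(listed, "aud does not contain this client");
        if (aud instanceof List && ((List<?>) aud).size() > 1) {
            require(clientId.equals(claims.get("azp")), "azp mismatch");
        }

        // 4. Expiry, with a small allowance for clock skew between client and provider
        require(claims.get("exp") instanceof Number, "exp missing");
        long exp = ((Number) claims.get("exp")).longValue();
        long now = Instant.now().getEpochSecond();
        require(exp + 60 > now, "id_token expired");

        // 5. Nonce: if the client sent one, the token must echo the same value (replay protection)
        if (expectedNonce != null) {
            require(expectedNonce.equals(claims.get("nonce")), "nonce mismatch");
        }
        return claims;
    }

    private static void require(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException("id_token rejected: " + message);
        }
    }
}
```

The nonce the client stored in its session at authorization-request time is what gets passed as `expectedNonce`; a provider that does not echo the nonce should be treated as a failed check rather than silently skipped, since the nonce is what ties the returned token to the browser session that started the flow.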
@rickygarg I would love to see the sample project.
Spring dudes care to comment?
Spring OAuth 2.0 has some basic paraphernalia that could be used to implement that pattern (I've done it myself with Facebook and Github, but not Google). See OAuth2ClientAuthenticationProcessingFilter. I think I just saw a bug in it skimming the code, so it could probably use some love if anyone wants to take a look. You would need a ResourceServerTokenServices that could convert an access token into an Authentication.
In the UAA there is also some stuff here: https://github.com/cloudfoundry/uaa/tree/master/common/src/main/java/org/cloudfoundry/identity/uaa/client with support for a few providers including Google. Something like that would be a good starting point for an implementation in Spring OAuth I think.
@dsyer : I think this is to implement an OpenID Connect consumer (which is relatively straightforward). The hard part is extending Spring OAuth to implement an OpenID Connect provider, and to be able to issue ID tokens. I didn't see any way to do it easily (the TokenEndpoint would have to be refactored pretty heavily to issue an id_token in addition to an access_token).
I agree that server-side support is harder, but Spring Security only offers client-side support for OpenID 2.0, and I think that's what the original request was for. Having said that, the Mitre implementation is based on Spring OAuth, so I know the extension points are there for adding id_tokens and stuff.
@totof3110 IME you don't need to touch TokenEndpoint, because you can generate ID tokens in a TokenEnhancer. However, IME what does need refactoring is JwtAccessTokenConverter to unlock the code for signing tokens.
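An added example of the TokenEnhancer route described in the comment above (not code from spring-security-oauth or from the commenter): the enhancer mints an id_token for requests that were granted the `openid` scope and puts it in the token's additional information, which the token endpoint serialises alongside `access_token`. It assumes `spring-security-jwt`'s `RsaSigner` for RS256 signing, an issuer URL supplied by the caller (the value below is a placeholder), Jackson for the claim JSON, and that the original authorization-request parameters (including `nonce`) are still present on the `OAuth2Request` when the code is exchanged, which is how the authorization-code granter carries them. The class name `IdTokenEnhancer` is hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.RsaSigner;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;

/**
 * Example TokenEnhancer (hypothetical, not part of Spring OAuth) that adds an OIDC id_token
 * to the token response when the "openid" scope was granted.
 */
public class IdTokenEnhancer implements TokenEnhancer {

    private static final long ID_TOKEN_LIFETIME_SECONDS = 300;

    private final RsaSigner signer;   // RS256 signer built from the provider's private key
    private final String issuer;      // "iss" claim; placeholder value, e.g. "https://idp.example.test"
    private final ObjectMapper mapper = new ObjectMapper();

    public IdTokenEnhancer(RsaSigner signer, String issuer) {
        this.signer = signer;
        this.issuer = issuer;
    }

    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
        // Plain OAuth 2.0 request: leave the token untouched
        if (!accessToken.getScope().contains("openid")) {
            return accessToken;
        }

        OAuth2Request request = authentication.getOAuth2Request();
        long now = System.currentTimeMillis() / 1000;

        Map<String, Object> claims = new HashMap<>();
        claims.put("iss", issuer);
        claims.put("sub", authentication.getName());   // end-user identifier, never the client id
        claims.put("aud", request.getClientId());      // the client that requested the token
        claims.put("iat", now);
        claims.put("exp", now + ID_TOKEN_LIFETIME_SECONDS);

        // Echo the nonce from the authorization request so the client can bind the token to its session
        String nonce = request.getRequestParameters().get("nonce");
        if (nonce != null) {
            claims.put("nonce", nonce);
        }

        String idToken;
        try {
            idToken = JwtHelper.encode(mapper.writeValueAsString(claims), signer).getEncoded();
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("could not serialise id_token claims", e);
        }

        // Copy the token and add id_token to its additional information; the token endpoint
        // serialises every entry of that map as a top-level field of the JSON response
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(accessToken);
        Map<String, Object> info = new HashMap<>(accessToken.getAdditionalInformation());
        info.put("id_token", idToken);
        result.setAdditionalInformation(info);
        return result;
    }
}
```

The enhancer is wired in with `DefaultTokenServices.setTokenEnhancer(...)` (or as one link of a `TokenEnhancerChain` when an access-token converter is also in use). The `sub` claim is taken from the user authentication, so client-credentials grants, which have no end user, should not request the `openid` scope at all.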
@dsyer Does that mean that there is no plan of extending the Authorization Server into an OpenID (Connect) Provider (even as a separate project)? To me it sounds like a natural evolution of the Authorization Server. OpenID Connect is building on top of the OAuth 2.0 RFC while covering some of its deficiencies. It gives clear instructions on how to use an Authorization Server for Authentication.
No, it doesn't mean that, but it's not a high priority for me personally. This is an open source project, so if you have some ideas and want to collaborate on OIDC features, all you have to do is discuss it here and send pull requests. The UAA team at Cloud Foundry are planning to implement OIDC on the server. It might be a good idea to head over to that code and see what they are doing on top of Spring OAuth.
Any advice on a greenfield implementation? The thread is a bit old, so apologies in advance for the potentially out of date question. I did see the Library list on http://openid.net/developers/libraries/ but was unsure of the best fit. Feel free to tell me to research before asking silly questions.
It looks like there is an outstanding pull request #627 that would (at the least) allow application code to implement returning of id_tokens from the AuthorizationEndpoint. Can this be pulled upstream?
I'm not sure #627 is the right approach but it's certainly worth a look (I would change the names of the interfaces at least). The bigger picture: we should definitely put this forward as a priority for a 2.1 (or 3.0) release, but there isn't much bandwidth amongst the committers right now. Pivotal are trying to hire someone to do this, so if you (or anyone you know) have some experience in Appsec and are interested in a job, please reach out.
Also note that MITREid Connect provides a perfectly fine client module if you want to have OIDC login (either for a web application, or to protect a resource with a token).
Implementing the server part is quite complex, and not something I'd expect to see in a "plug and play" Spring module -- you'll probably want to run this as a separate application anyway (akin to OpenAM, CloudFoundry UAA, or the MITREid Connect server).
Fresh OIDC server (idp) implementation as a Spring Boot app! Would be nice!
But anyway, for all the interested, here's another ongoing effort on top of Spring Oauth, MITREid and Shibboleth idp: https://github.com/uchicago/shibboleth-oidc
Hi, I can see that support for OpenID Connect is planned for 2.1.0 release.
Is there any information when the development of 2.1.0 release will start approximately or when we can expect OpenID Connect + Spring Boot support?
Thank you!
Hello,
From my understanding, OIDC Connect (client-side) support in Spring would need:
Using the idToken renders calling userEndpointUri useless on the Application Client side.
In the meanwhile, I'm currently using Keycloak as my authentication/authorization server, which is fully OIDC compatible and provides a handy set of adapters for this spec. More concretely, the ones implemented are for Spring Boot and Spring Security, while there's the chance to use the Spring Security one with Spring Boot too. Worth having a look:
https://github.com/keycloak/keycloak/tree/master/adapters/oidc
And here there're the docs:
Does anyone have a sample for OpenID Connect with Azure AD? I want to use both of them in my REST API (Spring Boot). In future I am planning to integrate these two on my API Gateway ZUUL.
Thanks
Here's an additional example of an OIDC client built on top of spring-security-oauth, for anyone else stumbling across this thread.
@dhiraj65 see https://github.com/Microsoft/azure-spring-boot/issues/244#issuecomment-382840920
If possible, use the Azure AD v2.0 URLs, you then need to add /v2.0/ to the provider URLs in that config, see https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration for the URLs. It's supposed to be easier once spring-security 5.1 is released and supports openid autoconfig, then just point it to the above URL :-)
Closing as this is a major change that we are no longer accepting.
As you may be aware, this project is in maintenance mode and will reach EOL in the very near future. Please see the initial announcement and follow-up announcement for further details.
At this time, we are only accepting bug fixes and minor enhancements that can be cleanly merged into master.
Please see the OAuth 2.0 / OpenID Connect support in Spring Security (since 5.0).