Spring Security and OpenID Connect (OIDC)

In my current project I use in a full scope the Spring Security OAuth (http://projects.spring.io/spring-security-oauth/) project to protect our resources (Web API). Everything works fine till now.

I'm now working on the development of the clients and I'm looking for a good support for the authentication scenarios (as OAuth is an authorization protocol). After long, long internet search I'm quite sure I should take the OpenID Connect (http://openid.net/connect/) to fulfill this requirement, as it is "a simple identity layer on top of OAuth 2.0" (I know however, there is no "simple" in case of security topics).

Sad but true, I'm not able to find any good resources about the support for OpenID Connect (not to be confused with "pure" OpenID) in Spring Security. There is an OpenID Connect reference implementation at https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server but I expected something similar directly in/from Spring Security with comprehensive documentation and so on. I have found a discussion about it from about 2 years ago here https://github.com/spring-projects/spring-security-oauth/issues/220 but what is the current status? Searching for "Spring Security support for OpenID Connect" does not deliver any "tangible" results.

Do you have any info, documentation and/or experience regarding implementation of OpenID Connect with the help of Spring Security?

Adam Bogdan Boczek asked Mar 13 '16 09:03


1 Answer

Before OpenID Connect emerged, it was practically okay to assume that the value of the request parameter response_type be either code (for authorization code flow) or token (for implicit flow). However, now an authorization server implementation must be able to handle any combination of (code, token, id_token), and none. Details are described in "OpenID Connect Core 1.0, 3. Authentication" and "OAuth 2.0 Multiple Response Type Encoding Practices".

As the first step to support OpenID Connect, Spring Security OAuth has to become flexible for response_type. You can find a request for it at "Issue 619: Handling additional response_types". However, it is hard to change existing code that expects only either code or token into new code that can accept multiple values at a time. As of this writing, the latest comment on Issue 619, made on Dec. 12, 2015, ends with the sentence excerpted below.

Any comments are more than welcome as this turned out to be (as I predicted) a large refactor exercise.

If Spring Security OAuth is purely a voluntary project without any support from commercial bodies, such a big change would be unlikely to happen.

My experience: About two years ago, I wrote an OAuth 2.0 server from scratch. It was after it that I knew of the existence of OpenID Connect. After reading specifications related to OpenID Connect, I finally reached a conclusion to dump the existing implementation and re-write the server from scratch again.

As you guessed, OpenID Connect is not simple at all.

See also "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings".


**Update** (2017-Nov-23)

Authorization Server and OpenID Provider on Spring Framework
https://github.com/authlete/spring-oauth-server

Resource Server on Spring Framework
https://github.com/authlete/spring-resource-server

spring-oauth-server supports OAuth 2.0 and OpenID Connect. spring-resource-server has an implementation of UserInfo Endpoint which is defined in "OpenID Connect 1.0, 5.3. UserInfo Endpoint". Both implementations don't use Spring Security OAuth but use Spring Boot and Authlete.

Blog: Spring + OAuth 2.0 + OpenID Connect

Takahiko Kawasaki answered Nov 16 '22 02:11
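The answer's point that an authorization server must now accept any combination of code, token and id_token (plus none) is easy to get wrong with a two-branch `if`. The following added example (my own illustration, not code from Spring Security OAuth or from the answer) classifies a response_type value the way "OAuth 2.0 Multiple Response Type Encoding Practices" and OIDC Core require: space-separated, order-independent, `none` not combinable, `id_token` only with the `openid` scope, and the default response mode derived from the combination. The class and method names are hypothetical; it assumes Java 9+ for `Set.of`.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;

/** Hypothetical helper: validates and classifies an OAuth 2.0 / OIDC response_type value. */
public final class ResponseTypeCheck {
    public enum Flow { AUTHORIZATION_CODE, IMPLICIT, HYBRID, NONE }

    /** Outcome of classifying one response_type value. */
    public static final class Result {
        public final Flow flow;
        public final String defaultResponseMode;   // "query" or "fragment" per the encoding practices
        public final boolean issuesIdToken;        // true when an ID Token is returned from the authz endpoint
        Result(Flow flow, String mode, boolean idToken) {
            this.flow = flow; this.defaultResponseMode = mode; this.issuesIdToken = idToken;
        }
    }

    private static final Set<String> KNOWN = Set.of("code", "token", "id_token", "none");

    public static Result classify(String responseType, Set<String> scopes) {
        if (responseType == null || responseType.isBlank())
            throw new IllegalArgumentException("response_type is required");
        // Space-delimited set; "id_token token" and "token id_token" are the same request.
        Set<String> types = new TreeSet<>(Arrays.asList(responseType.trim().split("\\s+")));
        for (String t : types)
            if (!KNOWN.contains(t)) throw new IllegalArgumentException("unsupported response_type: " + t);
        boolean code = types.contains("code"), token = types.contains("token"), idToken = types.contains("id_token");
        if (types.contains("none")) {
            if (types.size() > 1) throw new IllegalArgumentException("'none' cannot be combined with other values");
            return new Result(Flow.NONE, "query", false);          // nothing issued; server must not leak tokens
        }
        if (idToken && !scopes.contains("openid"))
            throw new IllegalArgumentException("id_token requires the 'openid' scope");
        // Only "code" alone uses the query component; any token or id_token must go in the fragment.
        if (code && !token && !idToken) return new Result(Flow.AUTHORIZATION_CODE, "query", false);
        if (!code) return new Result(Flow.IMPLICIT, "fragment", idToken);
        return new Result(Flow.HYBRID, "fragment", idToken);
    }

    public static void main(String[] args) {
        Set<String> scopes = Set.of("openid", "profile");       // constructed sample request scopes
        System.out.println(classify("code", scopes).flow);                    // AUTHORIZATION_CODE
        System.out.println(classify("token id_token", scopes).flow);          // IMPLICIT
        System.out.println(classify("code id_token", scopes).defaultResponseMode); // fragment
    }
}
```

A server that only branches on `code` versus `token` silently misroutes the hybrid and implicit-with-ID-Token cases above, which is the refactor Issue 619 was asking for.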