8

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.

Can anyone please help me on this

My complete source code which I have done using Oauth2 with Spring Framework is as given below

oauth2-spring

Improve this question
8
  • I assume (as there is some confusion about the correct naming out there) you mean OpenID Connect openid.net/connect. Sorrry, I'm not having a solution at hand. Have a look at where the Spring Security v5 project is heading to: spring.io/blog/2017/05/11/spring-security-5-0-0-m1 - they are planning to build on top of connect2id.com/products/nimbus-oauth-openid-connect-sdk. But that will take some time. Discuss the situation with your client - as it's not as easy as it may seem. Use existing battle tested solutions if nescessary, but avoid implementing one on your own. Commented Feb 11, 2018 at 11:59
  • 3
    @fateddy Actually I thinks OpenID Connect is somethings that allows clients (Resource Servers) to connects to some already available OpenID Providers like Google, Facebook, GitHub etc. Actually I don't want to use any existing OpenID Providers like Google, Facebook etc, instead I want to create my own Relying Party and Identity Provider for doing the authentication stuff on top of Oauth2. Is that possible doing some extra config with Oauth2 Framework Commented Feb 11, 2018 at 12:11
  • 1
    basically you want to implement your own OpenId server. have a look at this question, and my answer there might be helpful... stackoverflow.com/questions/13070282/… Commented Feb 11, 2018 at 12:34
  • @AlexMan go through these samples connect2id.com/learn/openid-connect - as I didn't go through the OpenID Connect specs myself (is it really just a resource server with a certain contract?) I'm afraid I'm not of much useful help here. Commented Feb 11, 2018 at 13:20
  • 1
    @AlexMan further reads: github.com/spring-projects/spring-security-oauth/issues/220, github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, spring.io/blog/2014/04/18/… Commented Feb 11, 2018 at 13:34

2 Answers 2

Reset to default
2

According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.

The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.

There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?

Update (November 14, 2019):

The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I don't understand this. In 2024 they are still providing the Authorization Server and on the GitHub repository there is still activity today. Additionally, there's not a single mention that they would not be supporting this any longer. This answer and the linked pages are thus really confusing. Are we now supposed to use something else or is using Authorization Server still an option?
1

I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.

If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.

Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.