8

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.

Can anyone please help me on this

My complete source code which I have done using Oauth2 with Spring Framework is as given below

oauth2-spring

Alex Man
  • 4,746
  • 17
  • 93
  • 178
  • I assume (as there is some confusion about the correct naming out there) you mean `OpenID Connect` http://openid.net/connect/. Sorrry, I'm not having a solution at hand. Have a look at where the Spring Security v5 project is heading to: https://spring.io/blog/2017/05/11/spring-security-5-0-0-m1 - they are planning to build on top of https://connect2id.com/products/nimbus-oauth-openid-connect-sdk. But that will take some time. Discuss the situation with your client - as it's not as easy as it may seem. Use existing battle tested solutions if nescessary, but avoid implementing one on your own. – fateddy Feb 11 '18 at 11:59
  • 3
    @fateddy Actually I thinks `OpenID Connect` is somethings that allows clients (Resource Servers) to connects to some already available `OpenID Providers` like Google, Facebook, GitHub etc. Actually I don't want to use any existing `OpenID Providers` like Google, Facebook etc, instead I want to create my own `Relying Party` and `Identity Provider` for doing the authentication stuff on top of `Oauth2`. Is that possible doing some extra config with Oauth2 Framework – Alex Man Feb 11 '18 at 12:11
  • 1
    basically you want to implement your own OpenId server. have a look at this question, and my answer there might be helpful... https://stackoverflow.com/questions/13070282/openid-provider-server-with-java – OhadR Feb 11 '18 at 12:34
  • @AlexMan go through these samples https://connect2id.com/learn/openid-connect - as I didn't go through the OpenID Connect specs myself (is it really just a resource server with a certain contract?) I'm afraid I'm not of much useful help here. – fateddy Feb 11 '18 at 13:20
  • 1
    @AlexMan further reads: https://github.com/spring-projects/spring-security-oauth/issues/220, https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, http://spring.io/blog/2014/04/18/spring-security-oauth-2-0-0-rc1-available – fateddy Feb 11 '18 at 13:34
  • @AlexMan Are you using OpenID or OpenID Connect ? Mind you they are two different protocols – Kavindu Dodanduwa Feb 12 '18 at 09:49
  • @KcDoD I want to create my own OpenID Provider within which I have to integrate my company LDAP connection for users to do authentication. As per my understanding `OpenID Connect` is a client that we used to connect to an existing `OpenID Provider`, correct me if I am wrong. If yes then I dont want `OpenID Connect` but need to create my own `OpenID Provider` – Alex Man Feb 12 '18 at 14:53
  • Hi guys is there any workaround for this? I am also looking out for options for this – kakabali Mar 07 '19 at 02:22

2 Answers2

2

According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.

The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.

There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?

Update (November 14, 2019):

The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.

Takahiko Kawasaki
  • 18,118
  • 9
  • 62
  • 105
0

I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.

If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.

Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Son
  • 1,835
  • 2
  • 18
  • 28