简体繁体中英

Spring native support for OIDC workflow

原文 2019-10-15 01:38:26 2 1 oauth-2.0/ azure-active-directory/ spring-security-oauth2/ openid-connect/ okta

I am trying to enable OIDC authN and authZ workflow for my spring-java-web application. Ideally I wanted to do it in a IDP agnostic way.ieThis application could be integrated with only and any one of the Azure AD,OKTA,AWS SSO,Google-auth by deployment admin.And I want users to be redirected to whatever provider the application is integrated with.

With OIDC as a standard, my understanding is i should be able to write a OIDC auth processing filter that should work with any of the providers. The necessary config that varies per provider ( auth url,client id,secret,JWKS url to get the provider keys etc) will be passed to this filter/rest template as parameters.

Q.1 Is it possible to implement provider agnostic OIDC filter? Can someone give any pointers?

I am aware that Spring natively provides Oauth2 libraries/apis like AuthorizationCodeResourceDetails, OAuth2ClientAuthenticationProcessingFilter. However I do not see any OIDC native processing filter in built. Is there any?

I tried and understood the workflow as given in https://www.baeldung.com/spring-security-openid-connect .However when i try to tweak this code to make it work with Azure AD it fails. Thats because Azure AD requires

The response_type parameter must include id_token.
The request must include nonce parameter to be set in request.

AuthorizationCodeResourceDetails does not support such param. Given that OIDC is a common standard,

Q-2. I fail to understand why every provider still has different requirements? Doesn't it defeat the purpose of OIDC. Infact I read that google throws error if you pass nonce
Q-3. Are there any spring native ways to configure these additional provider specific params like nonce , promt , additional response-type ,preferable with examples?

1 answers

I think your problems with Spring Security OIDC are that you're using the legacy OAuth library (at least that's what the baeldung article is illustrating). OAuth2 and OIDC are part of Spring Security 5.x now and not a separate project. There's an OIDC client "login-client" in this example: https://github.com/jgrandja/oauth2-protocol-patterns that might show different. Yes, OIDC should allow you to swap providers in and out although not all OIDC providers will implement everything (eg discovery, etc.)

ADFS 2016 support for OIDC's `profile` scope?

Identity Server 3 OAuth2 support without OIDC

Add Custom AuthenticationProvider to Spring Boot + oauth +oidc

OAuth 2 OIDC Grant type for 1st-party native mobile applications

Spring Security against Azure OIDC OAuth2 Flow

Spring oauth2login oidc grant access based on user info

Spring Boot Security Oauth2 - adding dynamic OIDC parameters

Difference between OIDC and OAuth2 in spring oauth client

How to get all users from an authorization server using OIDC in spring?

How to know if my spring boot app is using OIDC?

暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question ADFS 2016 support for OIDC's `profile` scope? Identity Server 3 OAuth2 support without OIDC Add Custom AuthenticationProvider to Spring Boot + oauth +oidc OAuth 2 OIDC Grant type for 1st-party native mobile applications Spring Security against Azure OIDC OAuth2 Flow Spring oauth2login oidc grant access based on user info Spring Boot Security Oauth2 - adding dynamic OIDC parameters Difference between OIDC and OAuth2 in spring oauth client How to get all users from an authorization server using OIDC in spring? How to know if my spring boot app is using OIDC?

Related Tags

Spring native support for OIDC workflow

Question

1 answers

solution1 0 2019-10-15 13:18:00

solution1
0 2019-10-15 13:18:00