Spring Security SEC-2934: Support OpenID Connect

Scott Rossillo (Migrated from SEC-2934) said:

About OpenID Connect:

bq. OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.

There are at least two open source servers implementing OpenID Connect, Keycloak and WSO2 Identity Server. Integrating a Spring Security based application with these servers is currently not directly supported by any Spring Security project.

There is a ticket in Spring Social for this SOCIAL-454 (due to Google's move to OpenID Connect) but Spring Security or Spring Security OAuth may be a better place for this.

Comment From: spring-projects-issues

Scott Rossillo said:

OpenID Connect is almost mentioned here SECOAUTH-115.

Comment From: spring-projects-issues

Daisuke Miyamoto said:

+1

Comment From: pnreddysvu

+1

Comment From: DanailMinchev

@rwinch

I can see you have added 4.1.0 RC1 milestone and today Spring Security 4.1.0 released. If possible: could you please provide information if OpenID Connect will be available in next few releases, is it planned to be implemented and available in Spring Boot? Any information will be useful to me.

I found https://github.com/spring-projects/spring-security-oauth/issues/220, but can't answer my questions.

Thank you!

Comment From: rwinch

@DanailMinchev Thank you for your question.

At the moment there is a pretty big divide between OAuth and Spring Security. So this will not be coming to Spring Security.

The lead for Spring Security OAuth has been overwhelmed with other responsibilities and hasn't had time to work much on the project. We (the security team) recently got a new team member and we are in the process of uplifting some of the existing OAuth support. In that time we may add openid connect. However, we haven't triaged/prioritized the issues.

However, long term we plan to pull Spring Security OAuth into Spring Security proper w/ a rewrite. This is because as it stands Spring Security OAuth (and Spring OAuth story in general) is not where I think it should be. Spring Social does not use Spring Security OAuth, there is Spring Boot, and Spring Cloud Security...all of which do OAuth.

Comment From: jgrandja

Closing as OpenID Connect client-side support is already available in Spring Security since 5.0.