Summary
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect. The openid4java library that is used by Spring Security has not seen an update since 2015 (4 years). We need to deprecate the OpenID support.
We should add the following deprecation notice:
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect.
To the following locations:
- Any files in the spring-security-openid module
- The openid portion of the reference
- The openid sample application
- The openid-related code in spring-security-config for both Java Configuration and XML configuration
NOTE: We are NOT deprecating OpenID Connect support. Only the support for OpenID 2.0 protocol will be deprecated (the protocol itself was deprecated).
Comment From: eddumelendez
Hi @rwinch, do you think this is good for first-timers-only?
Comment From: rwinch
Hey @eddumelendez, thanks for the question. I think this is a lot of files to touch for a first-timers issue.
Comment From: ThomasVitale
Hi @rwinch, I would be available to take this issue.
Comment From: rwinch
Thanks @ThomasVitale! The issue is yours if you still want it
Comment From: ThomasVitale
I will start working on it then, thanks @rwinch
Comment From: farooqkhan003
@ThomasVitale by any chance if you didn't get time to work on this, can I take this issue?
Comment From: ThomasVitale
Hi @farooqkhan003, I have started with it and then didn't have time to complete it. So far I have added the deprecation notice to all files in the openid module. Would you like to take over and complete the remaining parts of the task? If so, @rwinch can we split the delivery in 2 parts or should it be a single one? In any case, I have created a PR with the changes I have done so far.
Comment From: dadikovi
@farooqkhan003 Are you still working on this issue? If not, @rwinch can I take it?
Comment From: farooqkhan003
@dadikovi Unfortunately I didn't get a chance to work on this issue.
Comment From: rwinch
@dadikovi Please take it. The issue is yours
Comment From: dadikovi
@rwinch Thanks. I sent in a draft PR. I'm not sure whether, in the case of XML configuration, I should write the deprecation notice more formally (e.g. in a dedicated tag), or whether it is okay that I put it in the documentation tag.
Please note that this PR will introduce the deprecation notice only in docs, sample applications and configurations. The earlier PR (https://github.com/spring-projects/spring-security/pull/7554) contained the notice for all files in related packages. Should I merge these two together, or is it okay this way?
Comment From: rwinch
Thanks @dadikovi. I responded on gh-8450.
Comment From: rwinch
Closing in favor of gh-8450