Expected Behavior
It would be good to use Spring Security OIDC client infrastructure on desktop clients (Spring, SWT, JavaFx, etc.) which are able to integrate a web browser.
Current Behavior
Currently the OAuth2LoginAuthenticationToken presumes to own the Authorization Exchange object, which makes it hard to use if the OIDC Authorization Code flow is executed outside of Spring control. It's possible to work around it by overwriting some of the beans, but it's definitely not a clean solution.
Context
Within a Desktop Java client (Swing) we have integrated a jxBrowser. Our intention is now to run OIDC Authorization Code Flow within the browser, extract the code response and the userInfo response (with all its tokens) and create an Authentication for the SecurityContextHolder. I'll then want to use it as a filter with the Spring WebFlux client.
I have a working solution at my GitHub: https://github.com/joao-rebelo/oidc-desktop and a description of the solution in this article: https://www.linkedin.com/pulse/oidc-desktop-jo%25C3%25A3o-rebelo/
It would be great to have support to create something similar to the OAuth2LoginAuthenticationToken, passing the responses (2 Strings) we got from the browser interaction, so that we don't need to re-implement the Token object, parsing of tokens, and the ServletOAuth2AuthorizedClientExchangeFilterFunction.
Comment From: jgrandja
Thanks for putting this sample together @joao-rebelo! I think this would be valuable to add as a sample in Spring Security for other users that are interested in the desktop application scenario.
I would like to propose that you submit a PR of this sample and it would live here. The sample should be as simple as possible with minimal dependencies. We simply want to demonstrate OIDC authentication flow with a Java desktop application.
To simplify the sample, please ensure:
- Docker is not needed
- If jxBrowser requires a licence then try to find another open source browser to integrate with
- Let's use Spring Authorization Server instead of Keycloak
Copy the minimal code from oauth2-client module that you need to make this work. Then we will look at the sample and see how we can enhance the code in oauth2-client module to allow for reuse and ultimately remove the duplicated code in the sample.
How does this sound?
Comment From: jgrandja
@joao-rebelo The Spring Security samples have been moved to a dedicated repository.
As per my proposal (in previous comment), please submit a PR in the new samples repository and then we'll take a look at how we can enhance the code in oauth2-client module to allow for reuse and ultimately remove the duplicated code in the sample.
I'll close this issue and we can continue the discussion in the PR.