There are OAuth 2.0 Providers that are not spec-compliant, making it difficult for users to integrate with them using oauth2Login().
For example, LinkedIn does not return the token_type parameter in the Token Response even though it is required as per spec. However, Spring Security 5.1 allows you to customize the Token Response to work around this issue.
This is just one example, but there are other OAuth 2.0 providers that are either non-compliant or require custom/additional parameters and/or headers to make oauth2Login() work.
We should consider adding out-of-the-box adaptors (connectors) for common OAuth 2.0 providers that are non-compliant. These adaptors would come with pre-configured properties (similar to CommonOAuth2Provider) as well as with configured components required by oauth2Login(), for example, OAuth2AccessTokenResponseClient, OAuth2UserService, etc.
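As an added illustration of the Spring Security 5.1 customization hook mentioned above (this is example code, not part of the issue or of Spring Security itself), the configuration below supplies an OAuth2AccessTokenResponseClient whose converter defaults a missing token_type to Bearer, as the LinkedIn case needs, while still rejecting any other token type instead of silently treating it as a bearer token. It assumes the 5.1-era setTokenResponseConverter API (renamed in later releases); the class and bean names are hypothetical.

```java
import java.util.Arrays;
import java.util.Map;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequest;
import org.springframework.security.oauth2.client.http.OAuth2ErrorResponseErrorHandler;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.http.converter.OAuth2AccessTokenResponseHttpMessageConverter;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestTemplate;

@Configuration
public class LenientTokenResponseConfig { // hypothetical name (added example)
    // Converts the raw token response parameters, tolerating an absent token_type.
    static class LenientTokenResponseConverter
            implements Converter<Map<String, String>, OAuth2AccessTokenResponse> {
        @Override
        public OAuth2AccessTokenResponse convert(Map<String, String> params) {
            String accessToken = params.get(OAuth2ParameterNames.ACCESS_TOKEN);
            if (!StringUtils.hasText(accessToken)) {
                throw new IllegalArgumentException("token response has no access_token");
            }
            // Default token_type to Bearer only when the provider omits it; reject any other type.
            String tokenType = params.getOrDefault(OAuth2ParameterNames.TOKEN_TYPE, "Bearer");
            if (!OAuth2AccessToken.TokenType.BEARER.getValue().equalsIgnoreCase(tokenType)) {
                throw new IllegalArgumentException("unsupported token_type: " + tokenType);
            }
            String expiresIn = params.get(OAuth2ParameterNames.EXPIRES_IN);
            return OAuth2AccessTokenResponse.withToken(accessToken)
                    .tokenType(OAuth2AccessToken.TokenType.BEARER)
                    .expiresIn(StringUtils.hasText(expiresIn) ? Long.parseLong(expiresIn) : 0L)
                    .build();
        }
    }

    @Bean
    public OAuth2AccessTokenResponseClient<OAuth2AuthorizationCodeGrantRequest> accessTokenResponseClient() {
        OAuth2AccessTokenResponseHttpMessageConverter converter = new OAuth2AccessTokenResponseHttpMessageConverter();
        converter.setTokenResponseConverter(new LenientTokenResponseConverter());
        RestTemplate restTemplate = new RestTemplate(Arrays.asList(new FormHttpMessageConverter(), converter));
        restTemplate.setErrorHandler(new OAuth2ErrorResponseErrorHandler()); // surfaces OAuth2 error responses
        DefaultAuthorizationCodeTokenResponseClient client = new DefaultAuthorizationCodeTokenResponseClient();
        client.setRestOperations(restTemplate);
        return client;
    }
}
```

Registering this bean makes oauth2Login() use the lenient converter for every registered client, so keep the check on token_type strict for the providers that do send it.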
Comment From: gburboz
Will need to define a list of common OAuth 2.0 providers for whom out-of-the-box adapters will be provided. Care should be taken for future compatibility if and when those providers update to comply with specs.
Comment From: rwinch
@gburboz Thanks.
I don't expect we will guarantee compatibility with non-standard providers (especially if they make breaking changes). However, we should provide hooks that do allow for customization needed to work with certain providers with minimal effort (in many cases just configuration changes).
If you have suggestions on providers, please let us know.
Comment From: gburboz
The two examples of incompatible behavior from providers LinkedIn and StackExchange/StackOverflow are listed on issue #5657.
Comment From: asaikali
It would be great if the client adapters can be generalized in such a way that it is possible to package them in a .jar and have them be found automatically by Spring Security. I am thinking of a user experience similar to Spring Boot @ConfigurationProperties. Such an approach would make it possible to ship jars like
- linkedin-spring-security-login.jar
- stackoverflow-spring-security-login.jar
- my-corporate-spring-security-login.jar
While it would be nice to have something in Spring Security that out of the box includes all the config settings of all the major social networks, many users will have internally deployed corporate OAuth2 or OIDC providers, so a simple way to package my-corporate-spring-security-login.jar is going to reduce developer friction.
Comment From: jgrandja
@asaikali As always, our goal is to make things as simple as possible. So I think having an approach where developers include a jar that automatically configures a custom configuration for a provider makes sense. We'll have a look at this approach when we get to this issue.
Comment From: varpa89
@jgrandja could you provide an example of customisation for ReactiveOAuth2AccessTokenResponseClient?
Comment From: gregsimons
@jgrandja I'll have a try configuring AWS Cognito now that the userinfo endpoint has been added to their support. I initially had difficulty because I had to map values directly out of the ID token into the OIDC user profile and prevent the user info call. I'll check this is compliant now that the endpoint has been added.
Comment From: jgrandja
Closing as there is not much demand for this enhancement.