Creating Custom OpenId Provider for Oauth2 Spring Boot

Asked 11/2, 2018 at 11:6 Answered 20/8, 2019 at 23:39

spring spring-security oauth-2.0 openid openid-provider

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.

Can anyone please help me on this

My complete source code which I have done using Oauth2 with Spring Framework is as given below

oauth2-spring

Mcghee answered 11/2, 2018 at 11:6 Comment(8)

I assume (as there is some confusion about the correct naming out there) you mean OpenID Connect openid.net/connect. Sorrry, I'm not having a solution at hand. Have a look at where the Spring Security v5 project is heading to: spring.io/blog/2017/05/11/spring-security-5-0-0-m1 - they are planning to build on top of connect2id.com/products/nimbus-oauth-openid-connect-sdk. But that will take some time. Discuss the situation with your client - as it's not as easy as it may seem. Use existing battle tested solutions if nescessary, but avoid implementing one on your own. – Doleful 11/2, 2018 at 11:59

@Doleful Actually I thinks OpenID Connect is somethings that allows clients (Resource Servers) to connects to some already available OpenID Providers like Google, Facebook, GitHub etc. Actually I don't want to use any existing OpenID Providers like Google, Facebook etc, instead I want to create my own Relying Party and Identity Provider for doing the authentication stuff on top of Oauth2. Is that possible doing some extra config with Oauth2 Framework – Mcghee 11/2, 2018 at 12:11

basically you want to implement your own OpenId server. have a look at this question, and my answer there might be helpful... #13070782 – Rap 11/2, 2018 at 12:34

@AlexMan go through these samples connect2id.com/learn/openid-connect - as I didn't go through the OpenID Connect specs myself (is it really just a resource server with a certain contract?) I'm afraid I'm not of much useful help here. – Doleful 11/2, 2018 at 13:20

@AlexMan further reads: github.com/spring-projects/spring-security-oauth/issues/220, github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, spring.io/blog/2014/04/18/… – Doleful 11/2, 2018 at 13:34

@AlexMan Are you using OpenID or OpenID Connect ? Mind you they are two different protocols – Nymphet 12/2, 2018 at 9:49

@KcDoD I want to create my own OpenID Provider within which I have to integrate my company LDAP connection for users to do authentication. As per my understanding OpenID Connect is a client that we used to connect to an existing OpenID Provider, correct me if I am wrong. If yes then I dont want OpenID Connect but need to create my own OpenID Provider – Mcghee 12/2, 2018 at 14:53

Hi guys is there any workaround for this? I am also looking out for options for this – Mirabel 7/3, 2019 at 2:22

According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.

The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.

There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?

Update (November 14, 2019):

The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.

Saucier answered 20/8, 2019 at 23:39 Comment(1)

I don't understand this. In 2024 they are still providing the Authorization Server and on the GitHub repository there is still activity today. Additionally, there's not a single mention that they would not be supporting this any longer. This answer and the linked pages are thus really confusing. Are we now supposed to use something else or is using Authorization Server still an option? – Brisson 15/7 at 12:35

I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.

If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.

Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Citizenry answered 20/8, 2019 at 21:56 Comment(0)

Recommended topics

Hot tags