Is it possible to use Spring Social with simple OpenID providers like Wordpress, Livejournal or Steam? Seems like Spring Social can implement only OAuth2.
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User.
Spring implementation is indenpendent on Open Id providers,It means spring behaves same for all OpenId providers, some of the Common OpenID providers are Yahoo!, AOL, Flickr, or MySpace....
So if Spring works same for Wordpress, Livejournal, Steam or any other open Id providers.
As most of the OpenId providers are moving to OAuth2.0 or OAuth connect implementation like google.Spring also came up with OAuth2.0 and social login implmentations.
1) Simple example of Open Id connect with Yahoo OpenId provider.
2) Spring security social login example.
Related
I wrote a spring boot webapp with spring security authentication over jpa. It uses jwt to grant access to a simple html/js application.
I'd like to add oauth2 flow in order to allow users to authenticate over github or google or whatever cloud system.
What kind of solution may I adopt to target it?
I see many applications like udemy, for example, or others. They allow multiple authentication types:
username and password
google account
facebook account
How may I replicate this behaviour in my webapp?
I'm looking to find a tool that will do the authentication (and authorization) part of the project. For the project, I will be using spring boot and java 8.
I will be working with OAuth2.0, the flow for untrusted client(web-applictation) and trusted client(another server)
I was looking at Keycloak and Spring Authorization Server.
But it's unclear what are all the possibilities with the Spring Authorization Server.
Like with Keycloak you have single sign on, identity brokering, social login, user federation, admin console, account management console, standard protocols etc.
Is this also possible with Spring Authorization Server, or what are the possibilities of Spring Authorization Server?
We're working on reference documentation which will include a feature list. In the meantime, see feature list on the GitHub wiki for the project.
From this PR, a possible short overview/answer to your question would be:
Spring Authorization Server is a framework that provides implementations of the OAuth 2.1 and OpenID Connect 1.0 specifications and other related specifications. It is built on top of Spring Security to provide a secure, light-weight, and customizable foundation for building OpenID Connect 1.0 Identity Providers and OAuth2 Authorization Server products.
Update: The reference documentation is now available and contains an Overview page with this information.
You can make custom OAuth resource server implementation or use the SAML standard.
Also, you can implement access by JWT token, which suites well for API-only service.
You can use also "Basic Authentication", but it's too simple for a mature applications.
I need to implement SAML 2.0 sso authentication to our existing Web API. I am fairly new to the topic so i am not sure where to start. i have been playing around with the dev ADFS server (ADFS 4 - Windows server 2016) and been following tutorials on how to setup Relying Trust Party.I have gotten the gist on how SAML works but still lost on how to implement this one via code in my webapi. I want to know how to begin implementing the SAML 2 auth to connect to the ADFS server, the web app is deployed on a different iis server. I have read https://github.com/Sustainsys/Saml2/tree/master but i am not getting how my web api would connect to the ADFS server to retrieve a SAML token and process it.
The problem you have is that the SAML spec. does not cater for API (either webapi or REST API). It's purely a browser SSO redirect protocol.
In ADFS, API are configured by the Application wizard but that's OpenID Connect with a JWT not an XML token.
Update
If your webapi is a REST API then use OIDC with a JWT.
Just FYI: ADFS also supports WS-Fed. WS-Fed does have an API profile (called the active profile) which is essentially WCF.
I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api's. Oauth2 framework is working fine but now my Client wants a dedicated OpenId Provider for authentication purpose on top of Oauth2 framework. I have done some round of searching across Google but couldn't find much resources for implementing Own OpenId Provider for Oauth2. I have gone through many blogs and could understood that OpenId is basically used when we want to delegate the authentication from Oauth2. OpenId is created on top of Oauth2 but couldn't find much resource for activating or implementing it.
Can anyone please help me on this
My complete source code which I have done using Oauth2 with Spring Framework is as given below
oauth2-spring
According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.
The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.
There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?
Update (November 14, 2019):
The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.
I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.
If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.
Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...
I'm trying to implement Google's Streamlined Identity Flows for authenticating users on Actioins on Google with Spring Boot and Spring Security (OAuth).
I already managed to implement Google-SignIn but the server side is missing. I could implement every endpoint myself but as with most security concerns I think that it's better to use tested and proved frameworks or components. Now I'm trying to figure out how to use Spring Security's OAuth authorization server functionality.
How to implement the authorization endpoint that lets users authenticate with their browser and respond an authentication token
How to implement the JWT token endpoint
Is it possible to leverage the possibilities of Spring OAuth for this or do I have to create a custom endpoint with #Controller / #RestController for example.
Are their any tutorials or documentations on how to implement such a service with Spring Security?