  • Spring Social + OpenId Connect

    Hi All,

    I have a requirement to use a provider who supports OpenId Connect specifications.

    I am not sure whether I can use the Spring Social OAuth2 API itself to authenticate. If not, do I have to extend Spring Social to have OpenId Connect support?

    Any suggestions or pointers on the same will be greatly appreciated.

  • #2
    Honestly, I've not caught myself up on the details of OpenID Connect, so I don't know that I can answer this question definitively. I do know that OpenID Connect leans on OAuth2, but I can't say for sure whether or not OpenID Connect does anything special with OAuth2 that would prevent using Spring Social as-is to authenticate.

    I'm hoping someone else in the community can pitch in here and give some insight. Since the question has been answered, I'm adding a TODO for myself to get to know OpenID Connect better...and then maybe I can answer your question. But if anyone else knows I'd appreciate hearing the answer myself.


    • #3
      FWIW, I just did a cursory read of the OpenID Connect Basic draft spec and on the surface, it looks almost identical to any OAuth2 authorization code flow. The only difference that I spotted was the inclusion of an ID Token in the access token response. So, unless I'm missing something, Spring Social should work fine with OpenID Connect, but I'm not so sure about obtaining that ID Token. There may need to be some custom work for it to expose the ID Token.

      I see nothing else in the spec that directly uses the ID Token, so it may or may not be necessary to keep it. The only other mention of it in the Basic spec is that any user ID returned in the user info data should be matched against the Token ID before that info can be trusted.

      But again, I defer the definitive answer in this discussion to anyone who knows OpenID Connect better than I do.
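
The following is an added example, not part of the thread and not Spring Social code: a client-side check of the ID Token returned in the access token response, ending with the UserInfo match mentioned in post #3. It assumes the final OpenID Connect Core claim names (`iss`, `aud`, `exp`, `sub`) and an HS256 token signed with the client secret; the issuer, client id, secret and token are constructed sample values, and a provider that signs with RS256 would need its public key instead.

```python
import base64, hashlib, hmac, json, time

class IdTokenError(Exception):
    """Raised when the ID Token or the UserInfo data must not be trusted."""

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

def make_sample_token(claims, secret):
    """Build a constructed HS256 ID Token so the example runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = base64.urlsafe_b64encode(_hs256(secret, signing_input)).rstrip(b"=").decode()
    return signing_input + "." + sig

def validate_id_token(token_response, userinfo, issuer, client_id, client_secret, now=None):
    """Return the ID Token claims if token and UserInfo agree, else raise IdTokenError."""
    now = time.time() if now is None else now
    id_token = token_response.get("id_token")
    if not isinstance(id_token, str) or not id_token:
        raise IdTokenError("token response has no id_token (plain OAuth2 grant)")
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise IdTokenError(f"malformed id_token: {exc}") from exc
    # Pin the algorithm: never let the token header choose it (e.g. "none").
    if header.get("alg") != "HS256":
        raise IdTokenError("unexpected signing algorithm")
    if not hmac.compare_digest(signature, _hs256(client_secret, f"{header_b64}.{payload_b64}")):
        raise IdTokenError("signature mismatch")
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token was not issued to this client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("token expired or exp missing")
    # The check from post #3: UserInfo is trusted only if its user id matches the token's.
    if not claims.get("sub") or userinfo.get("sub") != claims["sub"]:
        raise IdTokenError("UserInfo sub does not match ID Token sub")
    return claims
```
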


      • #4
        Hi Craig,

        Thanks for your response; my initial reaction after looking at OpenId Connect was also the same. I wanted to make sure with the community that the OAuth2 API itself can be used.

        I tried it out and with some changes I was able to get it working with Spring Social OAuth2. I had to add a couple more parameters to the authorize request, as mandated by the service provider. I am not sure what the road map for OpenId Connect is, but for now the OAuth2 API itself can be used, I think.

        On another note, I was checking whether Spring Security comes by default with Spring Social. It seems like it got forked some time back and was planned for the 1.1 release, which has not happened yet. My ultimate goal is to port this configuration into a Grails app. Any pointers on the same would be greatly appreciated.