Announcement Announcement Module
No announcement yet.
Single Provider with Multiple Authorize protocols Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Single Provider with Multiple Authorize protocols

    Hi All,

    I have created our own OAuth2 service provider and a separate OpenId Connect service provider and they both worked fine. Internally, I am using OAuth2 itself for openid connect and I am seeing, most of the code is getting replicated.

    I want to merge these two i.e. basically have a single provider module which would support both OAuth2 and OpenId Connect.

    What is the best way to do this? My ideal design is to have one Connection factory managing both type of protocols.

    Any idea or pointers would be helpful. Thanks in advance.


  • #2

    I believe (if I understand your requirements correctly) that I may have had a similar problem when I created a spring social module for Last.Fm.

    Last.Fm's Auth dance is not OAuth2, but is similar, but because I wanted to use the module with ProviderSignInController/ConnectController which require OAuth1 or OAuth2 I wrote a non-oauth ConnectionFactory for Last.Fm and an Oauth2 equivalent.

    I'm not sure if this is the best design - perhaps others may have different ideas, but I ended up creating Last.Fm (non-oauth2) ConnectionFactory, ServiceProvider and Template implementations etc, and creating decorators for these classes which adapted to OAuth2.

    For example,

    adapted to OAuth2 by:

    I had to make some other adaptations, such as writing a custom servlet filter to adapt callback params to those expected by ProviderSignInController/ConnectController. If this is relevant to your own situation, I detailed the approach I took in a blog post:

    Hope this helps,



    • #3
      Hi Michael,

      Thanks for your quick response. My requirements are slightly different.

      I am trying to add a support to a new provider by following instructions given here:

      But, the provider which I want to create supports both protocols, OAuth2 and OpenId Connect. Right now I am not seeing any way to have a single provider module for both protocols because spring social design looks to assume, a service provider can provide support to only one protocol all the time.

      I think I would have to create two seprate modules(spring-social-providerx-oauth2 and spring-social-providerx-openidconnect).

      What I really want is to have spring-social-providerx module alone which supports both OAuth2 and OpenId connect.

      Anybody who has done this before or any pointers would be really helpful
      Last edited by abhijith_p; Jul 20th, 2012, 11:59 AM.


      • #4
        Indeed, it is assumed that any given provider will only be one type of provider. In most cases, this is a perfectly valid assumption; clearly in your case it isn't correct. Likewise, with Google it isn't correct either, as Google supports both OAuth 1 and OAuth 2 for authorization. In the Google case, the choice between OAuth 1 or OAuth 2 ultimately has little or no bearing on how you use their APIs, so it's only necessary to focus on one of those (and OAuth 2, being the simpler of the two, is the most logical choice).

        In your case, are there reasons you might choose OAuth 2 in some cases and OpenID Connect in other cases? If not, then you can choose one and go with it. If there is, however, then you would need to have two separate service provider implementations and two separate connection factory implementations, but not necessarily two completely duplicate modules. Those two specific implementations could still be in the same module alongside a common API binding.

        The only possible complication I see is if working with the API is different for OAuth 2 than it is for OpenID Connect. My understanding of OpenID Connect is that it wouldn't be much different, if at all, and you should be able to extend your base API binding class from AbstractOAuth2ApiBinding and it work otherwise as if the authorization was done via OAuth 2 (after all, OpenID Connect authorization is just OAuth2 authorization with a bit of extra info coming back with the access token). But if I'm wrong and it requires more than just the access token after having authorized via OpenID Connect, then you can still create a common binding, but may not be able to base it from AbstractOAuth2ApiBinding. At this point, I'm just speculating, though...I don't know enough about your specific problem to know if this is even something you must worry about or not.


        • #5
          Single Provider with Multiple Authorize protocols

          Hi Craig,

          Thanks for your response. OpenId connect and OAuth2 are not that different and I have already used the same APIBinding to connect both. As you mentioned, I will try to put both under same module with separate factory for each.