Creating Custom OpenId Provider for Oauth2 Spring Boot

Question

I have used Oauth2 framework for authorization and access control for protecting my spring boot microservice api\'s. Oauth2 framework is working fine but now my Client wants a d

Answer 1

I think it could be easier to start by first implementing OAuth2 code flow. Then add implicit flow, and finally OpenID Connect part.

If you want to have a serious OpenID Provider I would suggest not implementing from scratch as there are a lot of details to get right. Instead I would recommend using something like Hydra that can be integrated into existing system.

Have created from scratch a OpenID Provider (SimpleLogin.io), I can say that it takes almost forever to be 100% compliant to the protocol ...

Answer 2

According to "OAuth 2.0 Features Matrix" in spring-projects/spring-security, Spring Framework is not a good starting point for OpenID Connect. None of the new projects (Spring Security, Spring Cloud Security and Spring Boot OAuth2) supports Authorization Server. On the other hand, the old project (Spring Security OAuth) has architectural problems that prevent OpenID Connect support.

The website of OpenID Connect says "OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol." This sentence may give an impression that OpenID Connect can be implemented on top of an existing OAuth 2.0 implementation step by step. However, it's not true. One evidence is spring-security-oauth Issue 619 where you see the project has given up supporting OpenID Connect. If interested, see "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings" for further details.

There exist many implementations that support OpenID Connect. Why don't you check the list of certified implementations?

Update (November 14, 2019):

The Spring Security team has decided to no longer provide support for authorization servers. See their announce for details.