Closed alexanderankin closed 2 months ago
@alexanderankin
> I am trying to build a product on Spring stack and needed an auth solution (we are integrating multiple auth solutions from clients and want to multiplex into one auth with Spring Auth Server). In order to do this, I needed a demo of Spring Auth Server working standalone and was not able to do this trivially, took a couple days of debugging and research.
Building an OAuth2/OIDC Provider product is a HUGE undertaking. It most definitely can be done using Spring Authorization Server as the foundational base but you would need to build many other product specific features along with it. As well, taking on such an initiative would require in-depth knowledge of the OAuth2 and OIDC specs as well as Spring Security and Spring Authorization Server codebase as mentioned in Getting Started. All of this ramp-up will easily take a few months rather than a couple of days.
As far as "needing a demo of Spring Auth Server working standalone", the Demo Sample is provided. The purpose of the Demo Sample is to showcase all the current features and how to configure/customize. Furthermore, it demonstrates how to integrate Client and Resource Server provided by Spring Security.
The Getting Started guide is not meant to be a detailed guide as it's just the getting started experience. And the various "How-to" guides are meant to be shorter focused guides about specific use cases, which have been very valuable to our users.
> Spring Auth Server is a powerful tool and probably no reason it can't compete with the likes of IdentityServer/ADFS/KeyCloak/etc
Spring Authorization Server is a framework NOT a product, like the ones you mention here so it's not comparable. However, you most definitely can use Spring Authorization Server as the base and build your own product that would be comparable to the mentioned ones.
I'm going to have to close this issue as there are too many items listed and it would be very difficult to address each of them in one ticket. FYI, the typical process is to log a specific issue so we can remain focused. So I would appreciate it if you can open new issue(s) (please limit it to 2-3 to start) and we can continue the discussion there. Thanks for your understanding.
OK, sounds good, I will revisit once I have completed the above tasks elsewhere (probably on that repo linked above) and figure out which contributions are welcome and which ones aren't.
Expected Behavior
Since Spring Security has an Auth server offering as well as an OAuth client, there should be a guide for how to set these up to talk to each other.
Current Behavior
There is a guide for rich frontend applications, but it is quite minimal and leaves a lot to the imagination. I struggled to adapt to BFF pattern which is explicitly recommended within.
The purpose of this PR is really to gauge interest from the project leadership to solicit PRs to reduce the level of effort required to implement functionality described in guides and expand the selection of guides.
Survey of existing guides:
- How-to: Authenticate using a Single Page Application with PKCE
- How-to: Authenticate using Social Login
  - "The purpose of this guide is to demonstrate how to replace Form Login with OAuth 2.0 Login." I suppose this can be interpreted to refer to the Getting Started page, which is like another basic guide.
- How-to: Implement an Extension Authorization Grant Type
  - `Configure OAuth2 Token Endpoint` heading: the `http` variable is not used at all, except for the return value. Why is this coded as a side effect this way?
- How-to: Implement Multitenancy
- How-to: Customize the OpenID Connect 1.0 UserInfo response
- How-to: Implement core services with JPA
- How-to: Add authorities as custom claims in JWT access tokens
- How-to: Register a client dynamically
  - `@Bean (7)` (the latter appears when you click copy from the bottom right corner of the code dialog box. It does not get copied into the clipboard if you select the code with your cursor and then invoke the "Copy" function in the browser).
  - `redirect-uri: http://127.0.0.1:8080/login/oauth2/code/{registrationId}` only works because of the variables documented in `org.springframework.security.oauth2.client.registration.ClientRegistration.Builder#redirectUri` (in version 6.3.1).

Guides I think make sense to add:

Internals it makes sense to clarify:
- `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http);` - what does that do exactly - does it have a `securityMatcher`, or what other information helps developers understand how those are combined with each other (there is already a default one provided with `applyDefaultSecurity`, and they all have prototype scope, so how do I know that mine supersedes the one in the AutoConfiguration class?).

Context
I am trying to build a product on Spring stack and needed an auth solution (we are integrating multiple auth solutions from clients and want to multiplex into one auth with Spring Auth Server). In order to do this, I needed a demo of Spring Auth Server working standalone and was not able to do this trivially, took a couple days of debugging and research. I am willing to spend time on this as it will save me time in the future, re-learning and remembering how to do these tasks in the future. I have started a first couple of examples here:
- https://github.com/alexanderankin/how-to-do-in-spring/commit/73800b010f741b7af5c32207cdf570bac27066f1
- https://github.com/alexanderankin/how-to-do-in-spring/commit/744b34ceab6e16633a84786f828de511c0326929
Spring Auth Server is a powerful tool and probably no reason it can't compete with the likes of IdentityServer/ADFS/KeyCloak/etc... if only it was easier to get started, imo.
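The two-chain setup the issue asks about, as an added example (this is not code from the issue, from the Spring Authorization Server guides, or from the project): it writes out by hand the four calls that `OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http)` makes in Spring Authorization Server 1.x, so the `securityMatcher` that restricts the first chain to the protocol endpoints is visible, and it registers the one client whose redirect URI is what the client-side `{baseUrl}/login/oauth2/code/{registrationId}` template resolves to. Spring Security dispatches each request to the first `SecurityFilterChain` bean in `@Order` whose matcher accepts it; a chain with no `securityMatcher` accepts everything, so the form-login chain must be ordered last. Assumptions: Spring Boot 3.1 or later with Spring Security 6.2 or later (for `HttpSecurity.with`) and Spring Authorization Server 1.x; that Boot's auto-configured authorization server chain is conditional on default web security and backs off once the application declares any `SecurityFilterChain` bean (check this against your Boot version); and that Boot auto-configures the `JWKSource` and `AuthorizationServerSettings`. The package, bean names, the client id `demo-client` and the `{noop}` credentials are placeholders for a local demo.

```java
package com.example.authserver;

import java.util.UUID;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.MediaType;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.client.InMemoryRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers.OAuth2AuthorizationServerConfigurer;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.MediaTypeRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Added example configuration (hypothetical package and bean names), not the project's own code.
@Configuration
public class AuthServerSecurityConfig {

    // Chain 1: protocol endpoints only (/oauth2/authorize, /oauth2/token, /oauth2/jwks,
    // /oauth2/introspect, /oauth2/revoke, /.well-known/*, /userinfo).
    // The securityMatcher/authorizeHttpRequests/csrf/with calls are what
    // applyDefaultSecurity(http) does for you; spelled out here so the matcher is visible.
    @Bean
    @Order(1)
    public SecurityFilterChain authorizationServerChain(HttpSecurity http) throws Exception {
        OAuth2AuthorizationServerConfigurer authorizationServer = new OAuth2AuthorizationServerConfigurer();
        RequestMatcher endpointsMatcher = authorizationServer.getEndpointsMatcher();

        http
            // Only requests for the protocol endpoints reach this chain; all others
            // fall through to the next chain in @Order.
            .securityMatcher(endpointsMatcher)
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // Clients call /oauth2/token etc. with no browser session, so CSRF tokens cannot
            // apply there. CSRF protection stays on for every other URL (handled by chain 2).
            .csrf(csrf -> csrf.ignoringRequestMatchers(endpointsMatcher))
            // Install the authorization server filters; enable OpenID Connect 1.0
            // (discovery document and /userinfo).
            .with(authorizationServer, as -> as.oidc(Customizer.withDefaults()))
            // An unauthenticated browser hitting /oauth2/authorize is sent to the login page
            // served by chain 2; non-HTML callers get a 401 instead of a redirect.
            .exceptionHandling(exceptions -> exceptions.defaultAuthenticationEntryPointFor(
                    new LoginUrlAuthenticationEntryPoint("/login"),
                    new MediaTypeRequestMatcher(MediaType.TEXT_HTML)));

        return http.build();
    }

    // Chain 2: no securityMatcher, so it is the catch-all and must be ordered last.
    @Bean
    @Order(2)
    public SecurityFilterChain defaultChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // End user for Form Login. {noop} keeps the password in clear text: local demo only.
    @Bean
    public UserDetailsService users() {
        return new InMemoryUserDetailsManager(
                User.withUsername("user").password("{noop}password").roles("USER").build());
    }

    // The single registered client (placeholder values). Its redirect URI is the value the
    // client-side template {baseUrl}/login/oauth2/code/{registrationId} resolves to for a
    // registration named "demo-client" served at http://127.0.0.1:8080. The server compares
    // the requested redirect_uri against this list exactly, so the two must agree.
    @Bean
    public RegisteredClientRepository registeredClientRepository() {
        RegisteredClient demoClient = RegisteredClient.withId(UUID.randomUUID().toString())
                .clientId("demo-client")
                .clientSecret("{noop}demo-secret") // demo only; store an encoded secret in production
                .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .authorizationGrantType(AuthorizationGrantType.REFRESH_TOKEN)
                .redirectUri("http://127.0.0.1:8080/login/oauth2/code/demo-client")
                .scope(OidcScopes.OPENID)
                .build();
        return new InMemoryRegisteredClientRepository(demoClient);
    }
}
```

Two practical checks: the redirect URI uses `127.0.0.1` rather than `localhost` because Spring Authorization Server rejects `localhost` in a redirect URI, and on the client side the registration id in `spring.security.oauth2.client.registration.<id>` must be `demo-client` for the `{registrationId}` template to resolve to the URI registered here. If the chains were reversed, the catch-all chain would also claim `/oauth2/token`, and the token endpoint would answer with a redirect to the login page instead of a token.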