Feature Request: (accept a PR to) add guide to documentation for how to set up Spring Auth Server to talk to Spring OAuth Client app

[alexanderankin]

Expected Behavior

Since Spring Security has an Auth server offerring as well as an OAuth client, there should be a guide for how to set these up to talk to each other

Current Behavior

There is a guide for rich frontend applications, but it is quite minimal and leaves a lot to the imagination. I struggled to adapt to BFF pattern which is explicitly recommended within.

The purpose of this PR is really to gauge interest from the project leadership to solicit PR's to reduce the level of effort required to implement functionality described in guides and expand selection of guides.

Survey of existing guides:

• How-to: Authenticate using a Single Page Application with PKCE:
  • does not include complete backend project - missing build scripts
  • does not include main configuration for Spring Auth Server (only cors, looks like)
  • does not include frontend code
• How-to: Authenticate using Social Login:
  • The purpose of this guide is to demonstrate how to replace Form Login with OAuth 2.0 Login. - I suppose this can be interpreted to refer to the Getting Started page, which is like another basic guide.
  • although its a heavy lift, it probably makes sense to try to create some "infrastructure code" for
• How-to: Implement an Extension Authorization Grant Type:
  • in Configure OAuth2 Token Endpoint heading the http variable is not used at all, except for the return value. Why is this coded as a side effect this way?
  • could I add a description of a use case for this? for example, device codes or something.... could just use a restclient to hit another API with the code to 'consume' it - and write a paragraph explaining that this other microservice is actually implemented by a third party (e.g. chrome stick or fire stick tv dongle API)
• How-to: Implement Multitenancy:
  • have not tried to implement, would be nice to include at least a couple of curl commands to show that it works.
• How-to: Customize the OpenID Connect 1.0 UserInfo response:
  • todo add review
• How-to: Implement core services with JPA:
  • todo add review
• How-to: Add authorities as custom claims in JWT access tokens:
  • todo add review
• How-to: Register a client dynamically:
  • todo add review
• the getting started guide:
  • This is fantastic for being the third page in the documentation, but in the event that a developer is unable to turn it into a runnable project, there should be a backup plan which is much more detailed.
  • code is not copyable as it copies over the footnotes as arguments to the bean annotation, consider vs @Bean (7) (the latter appears when you click copy from the bottom right corner of the code dialog box. It does not get copied into the clipboard if you select the code with your cursor and then invoke the "Copy" function in the browser).
  • it would be great to explain some of the internals - where these things get autowired to, things like that.
  • for example: redirect-uri: http://127.0.0.1:8080/login/oauth2/code/{registrationId} only works because of the variables documented in org.springframework.security.oauth2.client.registration.ClientRegistration.Builder#redirectUri (in version 6.3.1)

guides I think make sense to add:

1. spring auth server <-> spring oauth client
   • persistence for auth server (covered separately, i suppose, but) and client app
2. spring auth server <-> spring auth server <-> spring auth client
   • delegate to external auth solution
3. rich auth frontend <-> spring auth server <-> spring oauth client
   • for something like https://developers.google.com/identity/gsi/web/guides/offerings#one_tap

internals it makes sense to clarify

• SecurityFilterChain beans making use of OAuth2AuthorizationServerConfiguration.applyDefaultSecurity(http); - what does that do exactly - does it have a securityMatcher, or what other information helps developers understand how those are combined with each other (there is already a default one provided with applyDefaultSecurity, and they all have prototype scope, so how do i know that mine supercedes the one in the AutoConfiguration class?).
• some stuff in the client as well - like oidc logouts - my issue was mostly with the exact comparison of the urls, would have been helpful to have complete working example.
• todo finish list

Context

I am trying to build a product on Spring stack and needed an auth solution (we are integrating multiple auth solutions from clients and want to multiplex into one auth with Spring Auth Server. In order to do this, I needed a demo of Spring Auth Server working standalone and was not able to do this trivially, took a couple days of debugging and research. I am willing to spend time on this as it will save me time in the future, re-learning and remembering how to do these tasks in the future. I have started a first couple examples here - https://github.com/alexanderankin/how-to-do-in-spring/commit/73800b010f741b7af5c32207cdf570bac27066f1 - https://github.com/alexanderankin/how-to-do-in-spring/commit/744b34ceab6e16633a84786f828de511c0326929

Spring Auth Server is a powerful tool and probably no reason it can't compete with the likes of IdentityServer/ADFS/KeyCloak/etc... if only was easier to get started, imo.

[jgrandja]

@alexanderankin

I am trying to build a product on Spring stack and needed an auth solution (we are integrating multiple auth solutions from clients and want to multiplex into one auth with Spring Auth Server. In order to do this, I needed a demo of Spring Auth Server working standalone and was not able to do this trivially, took a couple days of debugging and research.

Building an OAuth2/OIDC Provider product is a HUGE undertaking. It most definitely can be done using Spring Authorization Server as the foundational base but you would need to build many other product specific features along with it. As well, taking on such an initiative would require in-depth knowledge of the OAuth2 and OIDC specs as well as Spring Security and Spring Authorization Server codebase as mentioned in Getting Started. All of this ramp up will easily take a few months than a couple of days.

As far as "needing a demo of Spring Auth Server working standalone", the Demo Sample is provided. The purpose of the Demo Sample is to showcase all the current features and how to configure/customize. Furthermore, it demonstrates how to integrate Client and Resource Server provided by Spring Security.

The Getting Started guide is not meant to be a detailed guide as it's just the getting started experience. And the various "How-to" guides are meant to be shorter focused guides about specific use cases, which have been very valuable to our users.

Spring Auth Server is a powerful tool and probably no reason it can't compete with the likes of IdentityServer/ADFS/KeyCloak/etc

Spring Authorization Server is a framework NOT a product, like the ones you mention here so it's not comparable. However, you most definitely can use Spring Authorization Server as the base and build your own product that would be comparable to the mentioned ones.

I'm going to have to close this issue as there are too many items listed and it would be very difficult to address each of them in one ticket. FYI, the typical process is to log a specific issue so we can remain focused. So I would appreciate it if you can open new issue(s) (please limit it to 2-3 to start) and we can continue the discussion there. Thanks for your understanding.

[alexanderankin]

ok, sounds good, i will revisit once i have completed the above tasks elsewhere (probably on that repo linked above) and figure out which contributions are welcome and which ones arent.