spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SAML API should accept, adapt, and/or mirror OpenSAML's Credential API #15019

Open OrangeDog opened 3 weeks ago

OrangeDog commented 3 weeks ago

Expected Behavior

Ability to do something like this:

RelyingPartyRegistration.Builder builder;
KeyStore keyStore;

Credential credential = new KeyStoreX509CredentialAdapter(keyStore, "alias", "password".toCharArray());
builder.decryptionX509Credentials(creds -> creds.add(credential));
builder.signingX509Credentials(creds -> creds.add(credential));

Current Behavior

Currently have to do something like this:

RelyingPartyRegistration.Builder builder;
KeyStore keyStore;

X509Credential credential = new KeyStoreX509CredentialAdapter(keyStore, "alias", "password".toCharArray());
Saml2X509Credential samlCred = new Saml2X509Credential(
        credential.getPrivateKey(),
        credential.getEntityCertificate(),
        Saml2X509Credential.Saml2X509CredentialType.DECRYPTION,
        Saml2X509Credential.Saml2X509CredentialType.SIGNING
);
builder.decryptionX509Credentials(creds -> creds.add(samlCred));
builder.signingX509Credentials(creds -> creds.add(samlCred));

Context

OpenSAML provides org.opensaml.security.credential.Credential and multiple implementations to cover various useful cases. Spring Security instead provides org.springframework.security.saml2.core.Saml2X509Credential with much more restricted functionality. However, internally Spring just uses the Saml2X509Credential to build a Credential.
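The adaptation described in this issue, written out as an added example (this is not the issue author's code, nor part of Spring Security or OpenSAML): a hypothetical helper class, OpenSamlCredentialAdapter, that turns an OpenSAML Credential into the Saml2X509Credential that RelyingPartyRegistration.Builder accepts, and adds the checks a practitioner wants before a keystore entry is wired in as a signing or decryption key. The only API calls used are the ones already on this page plus the certificate-only Saml2X509Credential constructor; the KeyStore is assumed to be loaded by the caller.

```java
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.security.x509.impl.KeyStoreX509CredentialAdapter;
import org.springframework.security.saml2.core.Saml2X509Credential;
import org.springframework.security.saml2.core.Saml2X509Credential.Saml2X509CredentialType;
import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;

/**
 * Hypothetical helper (not part of Spring Security or OpenSAML): adapts an
 * OpenSAML Credential into the Saml2X509Credential that Spring's
 * RelyingPartyRegistration.Builder accepts, failing fast on the cases Spring
 * would otherwise only reject at the first signed or encrypted message.
 */
public final class OpenSamlCredentialAdapter {

    private OpenSamlCredentialAdapter() {
    }

    /** Adapts one OpenSAML credential for the given Spring usages. */
    public static Saml2X509Credential adapt(Credential credential, Saml2X509CredentialType... types) {
        if (types.length == 0) {
            throw new IllegalArgumentException("at least one credential usage is required");
        }
        if (!(credential instanceof X509Credential)) {
            // OpenSAML credentials may carry only a raw public key; Spring needs a certificate
            throw new IllegalArgumentException(
                    "credential must be an X509Credential, got " + credential.getClass().getName());
        }
        X509Credential x509 = (X509Credential) credential;
        X509Certificate certificate = x509.getEntityCertificate();
        if (certificate == null) {
            throw new IllegalArgumentException("credential has no entity certificate");
        }
        try {
            certificate.checkValidity(); // expired or not-yet-valid certificates fail here, not at runtime
        } catch (CertificateException ex) {
            throw new IllegalArgumentException("entity certificate is not currently valid", ex);
        }

        Set<Saml2X509CredentialType> usages = EnumSet.copyOf(Arrays.asList(types));
        boolean privateKeyUsage = usages.contains(Saml2X509CredentialType.SIGNING)
                || usages.contains(Saml2X509CredentialType.DECRYPTION);
        boolean certificateUsage = usages.contains(Saml2X509CredentialType.VERIFICATION)
                || usages.contains(Saml2X509CredentialType.ENCRYPTION);
        if (privateKeyUsage && certificateUsage) {
            // Spring validates usages per constructor; mixing the two families in one credential is rejected
            throw new IllegalArgumentException("SIGNING/DECRYPTION and VERIFICATION/ENCRYPTION need separate credentials");
        }

        if (privateKeyUsage) {
            PrivateKey privateKey = x509.getPrivateKey();
            if (privateKey == null) {
                throw new IllegalArgumentException("SIGNING/DECRYPTION usage requires a private key");
            }
            if (!certificate.getPublicKey().getAlgorithm().equals(privateKey.getAlgorithm())) {
                throw new IllegalArgumentException("certificate and private key use different algorithms");
            }
            return new Saml2X509Credential(privateKey, certificate, types);
        }
        // VERIFICATION / ENCRYPTION: certificate only; a private key present on the
        // OpenSAML side is deliberately not exposed to Spring for these usages
        return new Saml2X509Credential(certificate, types);
    }

    /**
     * Loads one key entry through OpenSAML's KeyStore adapter and registers it as
     * both the signing and the decryption credential of the relying party.
     */
    public static RelyingPartyRegistration.Builder addKeyStoreEntry(RelyingPartyRegistration.Builder builder,
            KeyStore keyStore, String alias, char[] password) {
        X509Credential openSamlCredential = new KeyStoreX509CredentialAdapter(keyStore, alias, password);
        Saml2X509Credential samlCredential = adapt(openSamlCredential,
                Saml2X509CredentialType.SIGNING, Saml2X509CredentialType.DECRYPTION);
        return builder.signingX509Credentials(creds -> creds.add(samlCredential))
                .decryptionX509Credentials(creds -> creds.add(samlCredential));
    }
}
```

Usage is `OpenSamlCredentialAdapter.addKeyStoreEntry(builder, keyStore, "alias", password)` in place of the hand-written conversion above; the keystore password should come from configuration or a secret store rather than a string literal. The split into two constructor paths mirrors Spring's own constructors, which accept only SIGNING/DECRYPTION with a private key and only VERIFICATION/ENCRYPTION with a bare certificate, so an adapter that forwarded every OpenSAML Credential blindly would have to make the same distinction.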

OrangeDog commented 3 weeks ago

This is similar to https://github.com/spring-projects/spring-boot/issues/40610 but they're probably orthogonal issues.