Spring Security and OpenID Connect (OIDC)

In my current project I use the Spring Security OAuth (http://projects.spring.io/spring-security-oauth/) project throughout to protect our resources (web APIs). So far everything works fine.

I am now working on the client side and I am looking for good support for an authentication scheme (since OAuth is an authorization protocol). After a long internet search I am fairly sure that I should use OpenID Connect (http://openid.net/connect/) for this requirement, because it is "a simple identity layer on top of OAuth 2.0" (although I know there is no "simple" when the topic is security).

Sad but true, I could not find any good resource about support for OpenID Connect (not to be confused with "pure" OpenID) in Spring Security. There is https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server, but I had expected something similar directly in/from Spring Security with comprehensive documentation and so on. I found an about two-year-old discussion about it here https://github.com/spring-projects/spring-security-oauth/issues/220, which has an OpenID Connect reference implementation, but what is its current state? Searching for "Spring Security support for OpenID Connect" does not give any "tangible" results.

Do you have any information, documentation and/or experience regarding implementing OpenID Connect with the help of Spring Security?

Before OpenID Connect emerged, it was practically okay to assume that the value of the request parameter response_type was either code (for authorization code flow) or token (for implicit flow). However, now an authorization server implementation must be able to handle any combination of (code, token, id_token), and none. Details are described in "OpenID Connect Core 1.0, 3. Authentication" and "OAuth 2.0 Multiple Response Type Encoding Practices".

As the first step to support OpenID Connect, Spring Security OAuth has to become flexible about response_type. You can find the request for it in "Issue 619: Handling additional response_types". However, it is hard to change existing code that expects only either code or token into new code that can accept multiple values at a time. As of this writing, the latest comment on Issue 619, dated December 12, 2015, ends with the sentence excerpted below.

Any comments are more than welcome as this turned out to be (as I predicted) a large refactor exercise.

If Spring Security OAuth is a purely voluntary project without support from any commercial organization, such a big change is unlikely to happen.

My experience: about two years ago I wrote an OAuth 2.0 server from scratch. It was only after that that I learned of the existence of OpenID Connect. After reading the OpenID Connect related specifications, I finally came to the conclusion to dump the existing implementation and rewrite the server from scratch.

As you may expect, OpenID Connect is not simple at all.

See also "5. Response Type" in "Full-Scratch Implementor of OAuth and OpenID Connect Talks About Findings".

**Update** (November 23, 2017)

Authorization server and OpenID provider on Spring Framework
https://github.com/authlete/spring-oauth-server

Resource server on Spring Framework
https://github.com/authlete/spring-resource-server

spring-oauth-server supports OAuth 2.0 and OpenID Connect. spring-resource-server has an implementation of UserInfo Endpoint which is defined in "OpenID Connect 1.0, 5.3. UserInfo Endpoint". Both implementations don't use Spring Security OAuth but use Spring Boot and Authlete.

Blog: Spring + OAuth 2.0 + OpenID Connect
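As an added example (not code from the question, the answer, Spring Security OAuth or Authlete), here is the response_type handling the answer says an OIDC-aware authorization server needs: accept any combination of code, token and id_token (order-independent, space-delimited) plus none, pick the default response mode, and enforce the openid scope and nonce that OpenID Connect Core requires when an ID Token is issued from the authorization endpoint. It is written in Python rather than Java so the logic stands on its own; the function and exception names are assumptions.

```python
from typing import FrozenSet, Optional

CODE, TOKEN, ID_TOKEN, NONE = "code", "token", "id_token", "none"

# The eight values an OIDC authorization server must recognise: the seven
# non-empty subsets of {code, token, id_token} plus the standalone "none".
# "none" combined with anything else is invalid.
ALLOWED = frozenset(
    frozenset(s.split()) for s in (
        "code", "token", "id_token",
        "code token", "code id_token", "token id_token",
        "code token id_token", "none",
    )
)


class InvalidRequest(ValueError):
    """Maps to the OAuth error code invalid_request / unsupported_response_type."""


def parse_response_type(raw: Optional[str]) -> FrozenSet[str]:
    """Split the space-delimited value; per the Multiple Response Type
    Encoding Practices the order of the values is not significant."""
    if raw is None or not raw.strip():
        raise InvalidRequest("response_type is required")
    parts = raw.split()
    if len(parts) != len(set(parts)):
        raise InvalidRequest("duplicate value in response_type")
    rt = frozenset(parts)
    if rt not in ALLOWED:  # unknown value, or "none" mixed with others
        raise InvalidRequest(f"unsupported response_type: {raw!r}")
    return rt


def default_response_mode(rt: FrozenSet[str]) -> str:
    """Where the response goes when response_mode is absent: only "code"
    and "none" default to the query string; any value that would carry an
    access token or ID token through the browser defaults to the fragment."""
    return "query" if rt <= {CODE, NONE} else "fragment"


def check_oidc_requirements(rt: FrozenSet[str], scope: str, nonce: Optional[str]) -> None:
    """An ID Token may only be issued for an OpenID request, and whenever the
    authorization endpoint returns one (implicit and hybrid flows) the request
    must carry a nonce, which the server later echoes into the ID Token."""
    if ID_TOKEN in rt:
        if "openid" not in scope.split():
            raise InvalidRequest("id_token requires the openid scope")
        if not nonce:
            raise InvalidRequest("nonce is required when response_type contains id_token")
```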