
Is spring-authorization-server appropriate for connecting to an existing OIDC server provided by my enterprise? It looks like spring-authorization-server provides the ability to create and customize these auth flows, and we can also utilize github and google as federated (social) auth providers, but I am trying to determine if I can connect to my organization's auth service.

We deploy our application stack of several spring boot applications on an enclave, and we also deploy on another network that a wider audience can reach. Each of these networks has its own OIDC server, so I envision having each of the apps talk to the spring auth server, and the spring auth server will be configured on each network for that network's provided auth server. I want the application stack (in its entirety) to be as portable as possible, and I want to isolate the differences between the two deployment environments only to configuration, if possible.

I am aware that I can configure the spring security oauth2 client in each of the apps to talk to my company's OIDC server, but I would prefer to avoid doing it that way, if possible.

So, my question is -- how can I point spring-authorization-server to an external OIDC server (that is not google or github)? I have done extensive searching, and I have looked at many, many tutorials and examples. It seems like this should be something that Spring would want to show in their examples, but it is conspicuously absent. That makes me think that it is not designed to do what I want to do, but I hope that I am just missing something.

Steve Riesenberg
Steve Storck
    Maybe you will find some value in [my tutorials for OAuth2 with Spring](https://github.com/ch4mpy/spring-addons/tree/master/samples/tutorials) – ch4mp May 22 '23 at 05:35
  • @ch4mp Thank you. I will have a look. Would you care to direct me to a particular example? – Steve Storck May 22 '23 at 11:05
  • I see that you are using 3 auth providers, but that you have not included spring-authorization-server in your examples. – Steve Storck May 22 '23 at 11:11
  • 1
    Spring authorization-server is just a "do it yourself" OIDC Provider (you have much more to implement by yourself, compared to competitors). Its usage does not change the way you configure resource servers or clients. The main Readme I linked above tries to clarify OAuth2 flows and actors' responsibilities. Which tutorial to read after that really depends on your use-case. – ch4mp May 22 '23 at 15:31
  • My question was a bit different than your answer, I think. You can add external providers to spring-authorization-server, for federation, but I am not sure if they can be custom, or if they have to be things like google and github. – Steve Storck May 22 '23 at 16:14
  • 1
    If you could clarify your use case, particularly what you mean by "connecting to an existing OIDC server provided by my enterprise" that would be helpful for providing a specific answer. It may help to point out that an "OIDC server" is an authorization server by definition, so you do not technically need to introduce an authorization server to connect to another one. However, you can do so if your use case requires it. – Steve Riesenberg May 22 '23 at 16:27
  • 1
    I think every serious OIDC Provider on the market proposes identity federation with other OIDC Providers (not just Google or Github). Spring Authorization Server is not different from those I configured in my tutorials on that point (I could have chosen any of the 3 to federate identities from the 2 others, instead of using the 3 as 1st level OP). – ch4mp May 22 '23 at 16:59
  • @ch4mp understood, but I have been looking for examples where spring-authorization-server uses a custom oidc provider for federation, rather than using google and/or github as one of the other providers. I have read in a few places that it is possible, but either the examples do not exist, or I have missed them. – Steve Storck May 24 '23 at 09:54

2 Answers


If you just need to utilize the existing enterprise-provided OIDC server, there is no need for you to use spring-authorization-server.

All you need is just to attach an OAuth2 client.

For example, if you use Spring Boot, you just need to add spring-boot-starter-oauth2-client to the dependencies and then configure spring:security:oauth2:client:registration and spring:security:oauth2:client:provider, so the framework will be able to resolve the user info and store it in its context.

You can refer to this: https://www.baeldung.com/spring-security-openid-connect

smileis2333
  • Thanks for adding this, even though I already understand that I can use spring security oauth2 to directly connect to the existing provider. Unfortunately, this does not answer my question. I want to know how to use a custom provider as part of federated authorization that is similar to using github or google. – Steve Storck May 25 '23 at 19:54
  • I can't understand why you need spring-authorization-server. Generally, if your OIDC server is provided by your enterprise, then all the OAuth2 provider configuration (maybe including GitHub, Google, Facebook) and related federation should already be maintained in this server. – smileis2333 May 26 '23 at 02:26
  • For your question, my answer is not suitable, unless you need to attach many OIDC providers, federate them, and customize your auth flow. – smileis2333 May 26 '23 at 02:41
  • The enterprise OIDC server is not concerned with federating everything that all client applications need. The individual projects have their own concerns that may extend (or modify) what the central server provides. I also tried to explain the situation in the edit on my post -- if I can isolate the changes that I need between deployment envs to one specific service, it is a lot easier to maintain. – Steve Storck May 26 '23 at 11:44

You can indeed connect to any OIDC provider via Spring Authorization Server. In fact, the use case you laid out is a perfect example of what SAS is designed for. Of course there are tradeoffs with any architecture, and generally the Spring team will not make specific recommendations on your architecture (except to recommend architectures that enhance security, such as BFF). This may be one reason you find this specific example missing.

Another reason some examples may be missing is that the details of configuring your specific OIDC provider instead of a common provider requires knowledge that only you have. In those cases, you want to start with a provided example, and begin adapting it from there using the reference documentation for OAuth2 as your guide. It may help to know that you should think of Spring Authorization Server as an OAuth2 (Login) Client for the purposes of configuring an upstream provider.

See for example Configuring Custom Provider Properties. If you are working with a spec-compliant OpenID Connect 1.0 provider, you should only need to provide the required properties for your upstream provider in each environment (such as the client examples in ch4mp's tutorials linked in the comments do) and Spring Security will do the rest. Note that in many cases, you only need to provide an issuer-uri for your provider and it will supply the other properties (via the OpenID Connect 1.0 Provider Configuration Response of the ${issuer-uri}/.well-known/openid-configuration endpoint of your provider).

As you can (hopefully) see, Spring Security handles all of the authentication needs for you. If it seems that demonstrating this in the context of Spring Authorization Server is missing, that's because it's not any different than configuring a regular OAuth2 Login/Client example.

My specific recommendation is to start with How-to: Authenticate using Social Login and replace Google/GitHub with your provider using only properties. As mentioned earlier, you will only run into trouble if your provider is not spec-compliant and requires customization. A thorough read of the reference documentation will help here, and feel free to ask additional (more specific) questions on that.

Steve Riesenberg
  • Thank you for that. I was starting to suspect that it was not required to use one of the social providers, so I began to add configuration for the provider that my enterprise offers. I have not had a chance to test it yet, but your answer is exactly what I was looking for. Thanks again! – Steve Storck May 31 '23 at 11:42
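As an added illustration of what both answers describe (a registration plus provider block, with only the issuer-uri needed for a spec-compliant provider), here is a properties-only configuration that keeps the per-network differences in Spring profiles. This is constructed example configuration, not code from the question, the answers, or the Spring project; the registration id `enterprise-idp`, the hostnames, and the environment variable names are placeholders.

```yaml
# application.yml (constructed example, not from the original post)
spring:
  security:
    oauth2:
      client:
        registration:
          enterprise-idp:                       # placeholder registrationId; appears in the login link
            provider: enterprise-idp            # refers to the provider block below
            client-name: Enterprise SSO
            client-id: ${IDP_CLIENT_ID}         # supplied by the environment, never committed
            client-secret: ${IDP_CLIENT_SECRET}
            authorization-grant-type: authorization_code
            redirect-uri: "{baseUrl}/login/oauth2/code/{registrationId}"
            scope: openid, profile, email
        provider:
          enterprise-idp:
            # Only the issuer is given here. The authorization, token, JWK set and
            # userinfo endpoints are read from
            # ${issuer-uri}/.well-known/openid-configuration at startup, so the
            # issuer must be reachable from the deployment network.
            issuer-uri: ${IDP_ISSUER_URI}
            # Claim used as the principal name; "sub" is the default, override only
            # if the enterprise provider issues a stable identifier under another claim.
            user-name-attribute: sub

---
# Enclave network: the same registration, a different issuer (placeholder host).
spring:
  config:
    activate:
      on-profile: enclave
  security:
    oauth2:
      client:
        provider:
          enterprise-idp:
            issuer-uri: https://idp.enclave.example.internal/realms/apps

---
# Wider-audience network: again only the issuer differs (placeholder host).
spring:
  config:
    activate:
      on-profile: public
  security:
    oauth2:
      client:
        provider:
          enterprise-idp:
            issuer-uri: https://login.example.com/realms/apps
```

Run the authorization server with `--spring.profiles.active=enclave` or `public` (or set `SPRING_PROFILES_ACTIVE`) and the application code stays identical across both deployments. If the issuer's discovery document cannot be fetched at startup the context fails to load, which is the expected place to catch a wrong issuer or a blocked network path.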