We need a Spring Security 5 XML configuration for authentication in a web application using an OpenID Connect provider, but I only found Java configuration examples with Spring Boot. There is a lot of confusing information on the web about OpenID (without Connect!), the old OAuth Spring Security extension, OAuth 2 Login (without OpenID) or 3rd party implementations. Currently I am trying to convert the code from OAuth2LoginConfigurer into XML, but this is not obvious. There seems to be no AuthenticationEntryPoint, for example. Can anyone provide a working XML configuration for OpenID Connect?
3 Answers
Indeed, Spring Security 5 does not support XML Namespace for OAuth2Login configuration and likely will not for release 5.2.
The open issue related to this hasn't got much support so I recommend you voice your support if you would like to see it fixed.
Unfortunately, this support won't be added in the upcoming 5.2 release. There are other higher priority items that we're targeting for 5.2. As an FYI, we prioritize tasks based on user demand and given that there are only 2 upvotes on this issue there isn't much demand for it. This doesn't mean we won't add the support though, it just means it's on the lower priority list.
In the meantime, I have added OpenID Connect 1.0 support to my current project by following the reference implementation MITREid Connect. While that project was implemented using Spring 4, we have been able to use the client in combination with Spring Security 5 and Spring Security OAuth 2.3.4.
Until the GitHub issue is solved in Spring Security, we use a mix of Java configuration and XML configuration, to be able to change parameters without compiling and to switch the XML configuration file for specific deployments.
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

    <!-- Enable auto-wiring -->
    <context:annotation-config/>
    <!-- Scan for auto-wiring classes in spring oauth2 packages -->
    <context:component-scan base-package="org.springframework.security.oauth2"/>

    <!-- Java half of the configuration: builds the client registration and the oauth2Login() filter chain -->
    <bean class="org.mypackage.OAuth2LoginConfig"/>

    <!-- Provider/client parameters; the ${...} placeholders are resolved by a
         property placeholder configurer declared elsewhere in the context -->
    <bean class="org.mypackage.OidcRegistrationProperties">
        <property name="clientId" value="${clientId}" />
        <property name="clientSecret" value="${clientSecret}" />
        <property name="clientAuthenticationMethod" value="basic" />
        <property name="authorizationGrantType">
            <value type="org.springframework.security.oauth2.core.AuthorizationGrantType">authorization_code</value>
        </property>
        <property name="redirectUri" value="{baseUrl}/login/oauth2/code/{registrationId}" />
        <property name="scopes">
            <array>
                <!-- the "openid" scope is what turns plain OAuth 2 login into OpenID Connect -->
                <util:constant static-field="org.springframework.security.oauth2.core.oidc.OidcScopes.OPENID" />
            </array>
        </property>
        <property name="authorizationUri" value="${authorizationUri}" />
        <property name="tokenUri" value="${tokenUri}" />
        <property name="userInfoUri" value="${userInfoUri}" />
        <property name="userNameAttributeName">
            <util:constant static-field="org.springframework.security.oauth2.core.oidc.IdTokenClaimNames.SUB" />
        </property>
        <!-- JWK set used to verify the ID token signature -->
        <property name="jwkSetUri" value="${jwkSetUri}" />
        <property name="clientName" value="${clientName}" />
    </bean>

</beans>
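The Java half of this mix is not shown in the answer. As an added illustration (not the answerer's code), this is one way `org.mypackage.OAuth2LoginConfig` could be written against the Spring Security 5.1 API; it assumes `OidcRegistrationProperties` is a plain getter/setter class for exactly the properties the XML bean sets, and that the registration id is `oidc`:

```java
package org.mypackage;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;

// Hypothetical Java half of the mixed configuration: the class the XML above
// declares with <bean class="org.mypackage.OAuth2LoginConfig"/>.
// OidcRegistrationProperties is assumed to be a getter/setter holder for the
// properties the XML bean sets (assumption, not from the answer).
@Configuration
@EnableWebSecurity
public class OAuth2LoginConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OidcRegistrationProperties props;

    @Bean
    public ClientRegistrationRepository clientRegistrationRepository() {
        ClientRegistration oidc = ClientRegistration.withRegistrationId("oidc")
                .clientId(props.getClientId())
                .clientSecret(props.getClientSecret())
                .clientAuthenticationMethod(ClientAuthenticationMethod.BASIC)   // value="basic" in the XML
                .authorizationGrantType(props.getAuthorizationGrantType())
                .redirectUriTemplate(props.getRedirectUri())                   // 5.1-era builder name
                .scope(props.getScopes())                                      // String[] from <array>
                .authorizationUri(props.getAuthorizationUri())
                .tokenUri(props.getTokenUri())
                .userInfoUri(props.getUserInfoUri())
                .userNameAttributeName(props.getUserNameAttributeName())
                .jwkSetUri(props.getJwkSetUri())   // required so the ID token signature is verified
                .clientName(props.getClientName())
                .build();
        return new InMemoryClientRegistrationRepository(oidc);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request requires authentication; the OIDC flow is the only login mechanism.
        http.authorizeRequests().anyRequest().authenticated()
            .and().oauth2Login().clientRegistrationRepository(clientRegistrationRepository());
    }
}
```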
The other answers refer to this issue, which was resolved in Spring Security 5.3. The XML configuration is documented in the 5.3.1 reference, e.g.:
<http>
    <oauth2-login client-registration-repository-ref="clientRegistrationRepository"
                  authorized-client-repository-ref="authorizedClientRepository"
                  authorized-client-service-ref="authorizedClientService"
                  authorization-request-repository-ref="authorizationRequestRepository"
                  authorization-request-resolver-ref="authorizationRequestResolver"
                  access-token-response-client-ref="accessTokenResponseClient"
                  user-authorities-mapper-ref="userAuthoritiesMapper"
                  user-service-ref="oauth2UserService"
                  oidc-user-service-ref="oidcUserService"
                  login-processing-url="/login/oauth2/code/*"
                  login-page="/login"
                  authentication-success-handler-ref="authenticationSuccessHandler"
                  authentication-failure-handler-ref="authenticationFailureHandler"
                  jwt-decoder-factory-ref="jwtDecoderFactory"/>
</http>
Some examples from the test cases:
<http auto-config="true">
    <oauth2-client/>
</http>

<client-registrations>
    <client-registration registration-id="google"
                         client-id="google-client-id"
                         client-secret="google-client-secret"
                         redirect-uri="http://localhost/callback/google"
                         scope="scope1,scope2"
                         provider-id="google"/>
</client-registrations>

<http auto-config="true">
    <intercept-url pattern="/**" access="authenticated"/>
    <oauth2-login login-page="/custom-login"/>
</http>
Google & GitHub client registrations
<client-registrations>
    <client-registration registration-id="google-login" client-id="google-client-id"
                         client-secret="google-client-secret" client-authentication-method="basic"
                         authorization-grant-type="authorization_code"
                         redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}" scope="openid,profile,email"
                         client-name="Google" provider-id="google"/>
    <client-registration registration-id="github-login" client-id="github-client-id"
                         client-secret="github-client-secret" client-authentication-method="basic"
                         authorization-grant-type="authorization_code"
                         redirect-uri="{baseUrl}/login/oauth2/code/{registrationId}" scope="read:user"
                         client-name="Github" provider-id="github"/>
    <provider provider-id="google" authorization-uri="https://accounts.google.com/o/oauth2/v2/auth"
              token-uri="https://www.googleapis.com/oauth2/v4/token"
              user-info-uri="https://www.googleapis.com/oauth2/v3/userinfo" user-info-authentication-method="header"
              user-info-user-name-attribute="sub" jwk-set-uri="https://www.googleapis.com/oauth2/v3/certs"/>
    <provider provider-id="github" authorization-uri="https://github.com/login/oauth/authorize"
              token-uri="https://github.com/login/oauth/access_token" user-info-uri="https://api.github.com/user"
              user-info-authentication-method="header" user-info-user-name-attribute="id"/>
</client-registrations>