This page is starting as a collection of notes, design decisions, etc. related to implementing OAuth2 in Synapse. Part of the process has included weighing whether to develop our own library or to use an off-the-shelf solution such as ORY Hydra. The information on this page may change as the project evolves.

...

The administrative port should not be exposed to public internet traffic. If you want to expose certain endpoints, such as the /clients endpoint for OpenID Connect Dynamic Client Registry, you can do so but you need to properly secure these endpoints with an API Gateway or Authorization Proxy.

Do we need this?

Spring Security

Most documentation/blog posts on Spring Security do not refer to our use case. Some posts refer to Spring Security OAuth 2, which is no longer under active feature development, is in "maintenance mode", and does not support OIDC. Many posts also describe using OAuth2/OIDC as a client (we want to act as a provider). We can consider using .

https://spring.io/blog/2018/01/30/next-generation-oauth-2-0-support-with-spring-security

I think this uses the old version of Spring Security:

...

After briefly looking into this, my understanding is that to be OIDC compliant, the response_type field in the OIDC spec must be flexible and support any of these:
  • code
  • token
  • id_token
  • id_token token
  • code id_token
  • code token
  • code id_token token
  • none

The old version of Spring Security was not built to handle this. Here is the issue, which had not been resolved at the time of writing: https://github.com/spring-projects/spring-security-oauth/issues/619
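
An added example, not Synapse or Spring code, written in Python rather than Java so the protocol logic stands alone: it normalises a request's response_type against the list above, classifies the flow and the default response_mode the way the OAuth 2.0 Multiple Response Type Encoding Practices spec does, and checks the value against what the client registered. The ResponseType class, the function names and ALLOWED_RESPONSE_TYPES are my own names.

```python
from __future__ import annotations
from dataclasses import dataclass

# The response_type values an OIDC provider must accept (the list above),
# stored in canonical token order per the Multiple Response Type spec.
ALLOWED_RESPONSE_TYPES = {
    "code", "token", "id_token", "id_token token", "code id_token",
    "code token", "code id_token token", "none",
}
_CANONICAL_ORDER = ("code", "id_token", "token")

@dataclass(frozen=True)
class ResponseType:
    canonical: str              # e.g. "code id_token token"
    flow: str                   # "code", "implicit", "hybrid" or "none"
    default_response_mode: str  # "query" or "fragment"

def parse_response_type(raw: str) -> ResponseType:
    """Normalise a request's response_type or raise ValueError.
    Tokens are order-insensitive; duplicates and "none" mixed with others are rejected."""
    tokens = raw.split()
    if not tokens or len(set(tokens)) != len(tokens):
        raise ValueError(f"malformed response_type: {raw!r}")
    if "none" in tokens:
        canonical = "none"
    else:
        canonical = " ".join(t for t in _CANONICAL_ORDER if t in tokens)
    unknown = set(tokens) - set(canonical.split())
    if canonical not in ALLOWED_RESPONSE_TYPES or unknown:
        raise ValueError(f"unsupported response_type: {raw!r}")
    if canonical == "none":
        flow = "none"
    elif canonical == "code":
        flow = "code"
    elif "code" in tokens:
        flow = "hybrid"
    else:
        flow = "implicit"
    # Only "code" and "none" default to the query response mode; any
    # response that carries a token goes back in the URL fragment.
    mode = "query" if flow in ("code", "none") else "fragment"
    return ResponseType(canonical, flow, mode)

def is_registered(rt: ResponseType, registered_types: set[str]) -> bool:
    """Reject requests whose response_type the client did not register
    (dynamic client registration metadata); compares canonical forms."""
    return rt.canonical in {parse_response_type(v).canonical for v in registered_types}
```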

The answerer of the SO post also has a blog post that goes more in-depth: https://medium.com/@darutk/full-scratch-implementor-of-oauth-and-openid-connect-talks-about-findings-55015f36d1c3

Where are the web tokens used? Why are keys used? Would we have to implement it too?

So how would we use Spring Security 5?

First we need to make sure it can handle all of our needs. Development on OAuth2+OIDC support is ongoing, so it isn't guaranteed that it can currently do what we need it to.

...

https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix
Here are some Spring Boot examples that we could probably leverage:

OAuth2 Authorization Server: https://github.com/spring-projects/spring-security/tree/5.1.1.RELEASE/samples/boot/oauth2authorizationserver

OAuth2 Resource Server: https://github.com/spring-projects/spring-security/tree/5.1.1.RELEASE/samples/boot/oauth2resourceserver
There is no ea

Another library to look into: Connect2ID's OAuth 2.0 SDK with OpenID Connect extensions

https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/overview
Apache 2.0 license

This may just help us bootstrap our own solution if Spring doesn't fit our needs. Need to collect more info.