This page is starting as a collection of notes, design decisions, etc. related to implementing OAuth2 into Synapse. Part of the process has included considerations about developing our own library, or using an off-the-shelf solution like ORY Hydra. The information on this page may change as the project evolves.

...

And a Jira Epic: PLFM-4585

Good summary of OIDC: https://github.com/dexidp/dex/blob/master/Documentation/openid-connect.md

Use cases

High level use-cases, per Bruce Hoff's presentation:

...

The administrative port should not be exposed to public internet traffic. If you want to expose certain endpoints, such as the /clients endpoint for OpenID Connect Dynamic Client Registry, you can do so but you need to properly secure these endpoints with an API Gateway or Authorization Proxy.

Do we need this?

Spring Security

Most documentation and blog posts on Spring Security do not cover our use case. Some refer to Spring Security OAuth 2, which is no longer under active feature development and does not support OIDC. Many others describe using OAuth2/OIDC as a client, whereas we wish to act as a provider. We can consider using 


I think this uses the old version of Spring Security:

https://medium.com/@akourtim.ahmed/oauth-2-centralized-authorization-with-spring-boot-2-0-2-and-spring-security-5-and-jdbc-token-store-8dbc063bd5d4


This question seems to outline what we want to do:

https://stackoverflow.com/questions/52683165/creating-oauth-2-0-login-provider-with-spring-boot


OIDC is a layer on OAuth; why can we not just implement it on top of the old version of Spring Security?

After briefly looking into this, my understanding is that to be OIDC compliant, the response_type field in the OIDC spec must be flexible and support any of these:
  • code
  • token
  • id_token
  • id_token token
  • code id_token
  • code token
  • code id_token token
  • none
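To make the requirement concrete, here is a small validator for exactly the eight response_type values listed above. It is an added illustration, not code from Synapse, Spring Security or ORY Hydra; the flow labels and exception classes are my own names. It compares the value as an order-insensitive, space-delimited list and picks the default response mode as described in the OAuth 2.0 Multiple Response Type Encoding Practices spec, and it enforces the OIDC Core rule that a nonce is required whenever an ID Token is issued from the authorization endpoint.

```python
from dataclasses import dataclass
from typing import Optional

# Map each supported response_type (as an order-insensitive set of values) to
# the flow it selects. The flow labels are my own; the eight values are the
# ones listed above.
SUPPORTED = {
    frozenset({"code"}): "authorization_code",
    frozenset({"token"}): "implicit",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
    frozenset({"none"}): "none",
}

class InvalidRequest(ValueError):
    """Maps to the OAuth2 error code invalid_request."""

class UnsupportedResponseType(ValueError):
    """Maps to the OAuth2 error code unsupported_response_type."""

@dataclass(frozen=True)
class ParsedResponseType:
    values: frozenset
    flow: str
    default_response_mode: str  # where the provider returns the result by default

def parse_response_type(raw: str, nonce: Optional[str] = None) -> ParsedResponseType:
    """Validate the response_type parameter of an authorization request."""
    # Strict split on single spaces: leading, trailing or doubled spaces and
    # repeated values are treated as malformed rather than silently tolerated.
    parts = raw.split(" ")
    if "" in parts or len(set(parts)) != len(parts):
        raise InvalidRequest("malformed response_type: %r" % raw)
    values = frozenset(parts)
    flow = SUPPORTED.get(values)
    if flow is None:
        raise UnsupportedResponseType("unsupported response_type: %r" % raw)
    # OIDC Core requires a nonce whenever an ID Token comes back directly from
    # the authorization endpoint (implicit and hybrid flows with id_token).
    if "id_token" in values and not nonce:
        raise InvalidRequest("nonce is required when response_type includes id_token")
    # Anything that returns a token or id_token directly defaults to the
    # fragment response mode; code and none default to the query string.
    mode = "fragment" if values & {"token", "id_token"} else "query"
    return ParsedResponseType(values, flow, mode)
```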

The old version of Spring Security was not built to handle this. Here is the issue, which had not been resolved at the time of writing: https://github.com/spring-projects/spring-security-oauth/issues/619

The answerer of the SO post also has a blog post that goes more in-depth: https://medium.com/@darutk/full-scratch-implementor-of-oauth-and-openid-connect-talks-about-findings-55015f36d1c3

Where are the web tokens used? Why are keys used? Would we have to implement it too?

So how would we use Spring Security

...

5

First we need to make sure it can handle all of our needs. Development on OAuth2+OIDC support is ongoing, so it isn't guaranteed that it can currently do what we need it to.

This shows the state of OAuth2 support in Spring Security 5 (and compares it to Spring Security OAuth 2, the old version). Note that this has not been updated since Jan 2018, and I suspect it is out of date.

https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Features-Matrix