Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-31 14:48:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
spring-security/docs/modules/ROOT/pages/servlet/authentication/openid.adoc
Rob Winch a7f3f54a33 architecture/index.adoc -> ../architecture.adoc 
BASE_DIR=docs/modules/ROOT/pages

git --no-pager diff HEAD~1 --diff-filter=R -M | sed -Ez "s%(\nrename to|rename from |similarity index [^\n]+|diff[^\n]+|$BASE_DIR/)%%g" | grep "\S" | while read rename_from_to; do
  from=$(echo $rename_from_to | cut -f 1 -d " ")
  to=$(echo $rename_from_to | cut -f 2 -d " ")
  echo "processing rename from $from to $to"
  find "$BASE_DIR/../" -name "*.adoc" | while read adoc_file; do
    sed -i -E "s%xref:$from%xref:$to%g" "$adoc_file"
  done
done
2021-09-23 15:50:14 -05:00

61 lines
3.0 KiB
Plaintext
Raw Blame History

[[servlet-openid]]
= OpenID Support
[NOTE]
The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<openid-login />
</http>
----
You should then register yourself with an OpenID provider (such as myopenid.com), and add the user information to your in-memory `<user-service>`:
[source,xml]
----
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
----
You should be able to login using the `myopenid.com` site to authenticate.
It is also possible to select a specific `UserDetailsService` bean for use OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
Note that we have omitted the password attribute from the above user configuration, since this set of user data is only being used to load the authorities for the user.
A random password will be generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
== Attribute Exchange
Support for OpenID https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange].
As an example, the following configuration would attempt to retrieve the email and full name from the OpenID provider, for use by the application:
[source,xml]
----
<openid-login>
<attribute-exchange>
<openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
<openid-attribute name="name" type="https://axschema.org/namePerson"/>
</attribute-exchange>
</openid-login>
----
The "type" of each OpenID attribute is a URI, determined by a particular schema, in this case https://axschema.org/[https://axschema.org/].
If an attribute must be retrieved for successful authentication, the `required` attribute can be set.
The exact schema and attributes supported will depend on your OpenID provider.
The attribute values are returned as part of the authentication process and can be accessed afterwards using the following code:
[source,java]
----
OpenIDAuthenticationToken token =
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
List<OpenIDAttribute> attributes = token.getAttributes();
----
We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
You can supply multiple `attribute-exchange` elements, using an `identifier-matcher` attribute on each.
This contains a regular expression which will be matched against the OpenID identifier supplied by the user.
See the OpenID sample application in the codebase for an example configuration, providing different attribute lists for the Google, Yahoo and MyOpenID providers.
Reference in New Issue View Git Blame Copy Permalink