71 lines
3.1 KiB
Plaintext
71 lines
3.1 KiB
Plaintext
[[servlet-openid]]
|
|
= OpenID Support
|
|
|
|
[NOTE]
|
|
====
|
|
The OpenID 1.0 and 2.0 protocols have been deprecated. You should migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
|
|
====
|
|
|
|
The namespace supports https://openid.net/[OpenID] login either instead of or in addition to normal form-based login, with a simple change:
|
|
|
|
====
|
|
[source,xml]
|
|
----
|
|
<http>
|
|
<intercept-url pattern="/**" access="ROLE_USER" />
|
|
<openid-login />
|
|
</http>
|
|
----
|
|
====
|
|
|
|
You should then register yourself with an OpenID provider (such as myopenid.com), and add the user information to your in-memory `<user-service>`:
|
|
|
|
====
|
|
[source,xml]
|
|
----
|
|
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
|
|
----
|
|
====
|
|
|
|
You should be able to login by using the `myopenid.com` site to authenticate.
|
|
You can also select a specific `UserDetailsService` bean for use with OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
|
|
Note that we have omitted the password attribute from the above user configuration, since this set of user data is being used only to load the authorities for the user.
|
|
A random password is generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.
|
|
|
|
|
|
== Attribute Exchange
|
|
Spring Security includes support for OpenID https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange].
|
|
As an example, the following configuration tries to retrieve the email and full name from the OpenID provider for use by the application:
|
|
|
|
====
|
|
[source,xml]
|
|
----
|
|
<openid-login>
|
|
<attribute-exchange>
|
|
<openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
|
|
<openid-attribute name="name" type="https://axschema.org/namePerson"/>
|
|
</attribute-exchange>
|
|
</openid-login>
|
|
----
|
|
====
|
|
|
|
The "`type`" of each OpenID attribute is a URI, determined by a particular schema -- in this case, https://axschema.org/[https://axschema.org/].
|
|
If an attribute must be retrieved for successful authentication, you can set the `required` attribute.
|
|
The exact schema and attributes supported depend on your OpenID provider.
|
|
The attribute values are returned as part of the authentication process and can be accessed afterwards by using the following code:
|
|
|
|
====
|
|
[source,java]
|
|
----
|
|
OpenIDAuthenticationToken token =
|
|
(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
|
|
List<OpenIDAttribute> attributes = token.getAttributes();
|
|
----
|
|
====
|
|
|
|
We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
|
|
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
|
|
You can supply multiple `attribute-exchange` elements by using an `identifier-matcher` attribute on each element.
|
|
This contains a regular expression that is matched against the OpenID identifier supplied by the user.
|
|
See the OpenID sample application in the codebase for an example configuration, providing different attribute lists for the Google, Yahoo and MyOpenID providers.
|