May 27th, 2012, 10:09 PM
OpenID+OAuth (hybrid) support
Hi there, in this site, https://developers.google.com/accounts/docs/OpenID , there's a section which supports making an openid+oauth request in order to do both, user authentication and authorization (to youtube, or gdocs for instance), all in one step.
I couldn't find support for that in Spring Security. What I've seen, is either OpenID, or OAuth, but not both. Am I correct?
If I am, I'd like to develop something to support it. It wouldn't be a plain OpenID implementation, but I've seen that I'd have to base my development on the class OpenIDAuthenticationFilter, and add the extra oauth parameters in the request as the google website specifies.
what do you think about it? do you think it is something doable? Am I in the correct path?
May 28th, 2012, 04:11 AM
The hybrid approach seems to be a twist on OpenId 2.0 attribute exchange, so you would probably be best starting with the OpenId support in Spring Security, and adding some stuff from OAuth to that.
The hybrid, as described, involves OAuth 1 as well, and since Google are part of the OpenId Connect spec, and also pushing OAuth2 these days, maybe it would be better to look into OpenID Connect as a long term solution with newer techno?
OpenID Connect might supersede that hybrid approach (http://openid.net/connect/) and we might provide support directly for that in Spring Security OAuth2. I have been monitoring the spec and implementing bits of it so we can be confident that it will be doable easily without wrecking any existing APIs.
Tags for this Thread