Spring Security
SEC-935

Add support for OpenID attribute exchange

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.0 M2
    • Component/s: OpenID
    • Labels:
      None

      Description

      Simple registration extension for OpenID login is not currently supported, so that info about the user is sent from the provider to the relying party.
      We could make OpenidAuthenticationFilter return not just a username URL, but a URL with params.

      I already have a workaround for that and could make a patch.

      1. attribute-exchange_2.0.4.patch
        26 kB
        Christopher Schuster
      2. attribute-exchange.patch
        26 kB
        Christopher Schuster
      3. sreg.patch
        35 kB
        Matthias Quasthoff

        Activity

        Luke Taylor added a comment -

        I've added support for attribute exchange (sreg support will probably not be implemented, as it is effectively deprecated in favour of attribute exchange). I didn't follow the patches as there appeared to be issues with maintaining state within the consumer which would have introduced very nasty bugs. I've also left out any modification of the principal stored in the final Authentication object to include the attributes. The principal will be the UserDetails object and the attributes will be available directly from the OpenIDAuthenticationToken as a List<OpenIDAttribute>. If desired, users can override the createSuccessfulAuthentication method of OpenIDAuthenticationProvider to merge the returned attributes into a custom UserDetails.

        I've also provided support in the namespace, so you can specify the attributes that should be added to the FetchRequest thus:

        <http>
            ...
            <openid-login>
                <attribute-exchange>
                    <openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" count="2"/>
                    <openid-attribute name="name" type="http://schema.openid.net/namePerson/friendly" />
                </attribute-exchange>
            </openid-login>
        </http>
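
Added example, not part of the comment above and not code from the Spring Security project: one way to do the override the comment mentions, merging the "email" attribute from the configuration above into a custom UserDetails. The class names AttributeMergingOpenIDProvider and OpenIDUser and the helper firstValue are hypothetical, and the method and constructor signatures are assumed to be those of the Spring Security 3.0.x release API.

```java
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.openid.OpenIDAttribute;
import org.springframework.security.openid.OpenIDAuthenticationProvider;
import org.springframework.security.openid.OpenIDAuthenticationToken;

// Hypothetical subclass (not project code): merges one exchanged attribute into the principal.
public class AttributeMergingOpenIDProvider extends OpenIDAuthenticationProvider {

    // Hypothetical UserDetails that carries the e-mail address asserted by the OpenID provider.
    // The value comes from the provider's response and is not verified by this application.
    public static class OpenIDUser extends User {
        private final String assertedEmail; // null when the provider returned none

        OpenIDUser(UserDetails base, String assertedEmail) {
            super(base.getUsername(), base.getPassword(), base.isEnabled(),
                  base.isAccountNonExpired(), base.isCredentialsNonExpired(),
                  base.isAccountNonLocked(), base.getAuthorities());
            this.assertedEmail = assertedEmail;
        }

        public String getAssertedEmail() {
            return assertedEmail;
        }
    }

    @Override
    protected Authentication createSuccessfulAuthentication(UserDetails userDetails,
                                                            OpenIDAuthenticationToken auth) {
        // "email" is the name given to the attribute in the <openid-attribute> element.
        String email = firstValue(auth.getAttributes(), "email");
        UserDetails merged = new OpenIDUser(userDetails, email);
        // Keep the identity URL and the full attribute list on the token, as the default does.
        return new OpenIDAuthenticationToken(merged, merged.getAuthorities(),
                auth.getIdentityUrl(), auth.getAttributes());
    }

    // Returns the first value of the named attribute, or null if it is absent or empty.
    private static String firstValue(List<OpenIDAttribute> attributes, String name) {
        if (attributes == null) {
            return null;
        }
        for (OpenIDAttribute attribute : attributes) {
            List<String> values = attribute.getValues();
            if (name.equals(attribute.getName()) && values != null && !values.isEmpty()) {
                return values.get(0);
            }
        }
        return null;
    }
}
```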

        Andreas Motl added a comment -

        Great! I will try to find some time to investigate how this can be integrated with our attempt to integrate Attribute Exchange with Grails. Are you interested in this and willing to help out if we run into problems?

        With kind regards,
        Andreas.

        P.S.: The issues with maintaining state within the consumer had already been resolved within the revised patches. I stored them inside the user's session. How did you do it?

        Luke Taylor added a comment -

        There didn't seem to be any need for storing the attribute state in the consumer, as the patches here were doing. I've implemented it so that the consumer maintains an immutable list of attributes built from the above configuration, in order to know how to build its FetchRequest. When the attributes are retrieved, it builds a separate list to store them in the authentication token. I tested it with my identity on myopenid.com and it worked OK.

        Luke Taylor added a comment -

        Closing for now. Please raise any problems you encounter as separate issues.

        Srikanth Pagadala added a comment -

        Hi Andreas

        Did you get a chance to update the SpringSecurity plugin for Grails with this new enhancement, such that auto-registration works out-of-the-box (as you tried in your patched Grails plugin)?

        Also would it be possible to enhance plugins with features from oAuth plugin + openId plugin?

        That would really make the SpringSecurity plugin COMPLETE.

        Thanks


          People

          • Assignee:
            Luke Taylor
            Reporter:
            Tatyana Tokareva
          • Votes:
            4
            Watchers:
            9
