1. Introduction
When using OAuth2.0, an Authorization Server is an unavoidable component. In most cases the authorization server we talk to is a well-known, reliable and trusted third-party platform such as QQ, WeChat, Weibo or GitHub, and our application is only registered and accessed as a Client. This means we only need to implement the logic of an OAuth2.0 client, not the authorization server itself. Sometimes, however, we still want to build our own Authorization Server. How do we do that? Today we will not discuss the technical details, but the technical selection of an OAuth2.0 implementation.
2. Current status of Spring Security OAuth2
Spring’s OAuth2.0 functionality is the first thing that comes to mind when doing Spring Security tutorials. When I went to Spring's official website to learn about the relevant class library, I found that the Spring Security OAuth class library is about to reach end of life.
The Spring Security OAuth module is about to reach end of life. Its functions have been migrated to Spring Security 5.2.x, but the Authorization Server functions will no longer be provided. The official announcement also mentions that the current Spring Security OAuth branches are 2.3.x and 2.4.x. Version 2.3.x will expire in March 2020. We will support version 2.4.x for at least one year after feature parity is achieved. Users are encouraged to begin migrating their older OAuth 2.0 clients and resource server applications to the new support in Spring Security 5.2. See the official blog for details.
3. Technical selection of OAuth2.0
From the above information, Spring Security will continue to provide client and resource server support for OAuth2 in the future, while the authorization server will be phased out of the Spring Security ecosystem. So it is still fine to choose Spring Security if there is no authorization server requirement. Once there is such a requirement, how should we choose? I have researched several open source and free projects here.
3.1 Keycloak
Keycloak is made by Red Hat. It is an open source tool that addresses authentication and access management for applications and services. With a simple configuration you can protect applications and services. It provides useful features for identity and access management:
- Single sign-on (SSO), identity proxy and third party login.
- Supports standard protocols such as OpenID Connect, OAuth 2.0 and SAML 2.0.
- Centralized user management.
- Client adapters for easy protection of applications and services.
- Visual administration console and account management console.
- Scalability, high performance, and fast deployment.
The documentation is fairly complete, and it is a mature, free, commercial-grade product.
3.2 Nimbus SDK
The Nimbus OAuth 2.0 / OpenID Connect SDK is a class library. Spring officially mentioned in its blog that this library can be used to build an Authorization Server. It supports both OAuth2.0 and OpenID Connect, fully implements these two protocols, and actively follows up on supplementary specifications. The disadvantage is that there are few Chinese tutorials and that it is a library rather than a ready-made server. However, an official demo is provided, and it is not difficult for capable developers to get started.
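Since the Nimbus SDK is a library rather than a finished server, the code that does the security-critical checks is yours to write. The following is an added example, not code from this post, from Spring, or from the Nimbus project: an authorization endpoint built on the Nimbus SDK types that parses the incoming request, refuses unknown clients, requires an exact match between `redirect_uri` and the registered value, and only then issues an authorization code. The class name `AuthorizationEndpoint`, the in-memory client registry and the sample `demo-client` / `app.example` values are all assumptions constructed for the example; the Nimbus classes used are real ones from `com.nimbusds.oauth2.sdk`.

```java
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationErrorResponse;
import com.nimbusds.oauth2.sdk.AuthorizationRequest;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.AuthorizationSuccessResponse;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseType;
import com.nimbusds.oauth2.sdk.id.ClientID;

// Added example (not the post's or Nimbus's own code): the authorization endpoint of a
// minimal authorization server built on the Nimbus OAuth 2.0 SDK. The point it shows is
// the validation that must happen before a code is issued: the client must be registered
// and redirect_uri must match the registered value exactly (no prefix or host matching).
public class AuthorizationEndpoint {

    // Hypothetical client registry: client_id -> the single registered redirect URI.
    private final Map<ClientID, URI> registeredClients;

    // Codes issued so far, bound to the client they were issued for. The token endpoint
    // (not shown) must check this binding and make each code single-use.
    private final Map<AuthorizationCode, ClientID> issuedCodes = new HashMap<>();

    public AuthorizationEndpoint(Map<ClientID, URI> registeredClients) {
        this.registeredClients = registeredClients;
    }

    /** Handles GET /authorize?... and returns the redirect the user agent should follow. */
    public AuthorizationResponse handle(URI requestURI) {
        AuthorizationRequest request;
        try {
            request = AuthorizationRequest.parse(requestURI);
        } catch (ParseException e) {
            // A request we could not parse carries no redirect_uri we can trust,
            // so the caller should render an error page rather than redirect anywhere.
            throw new IllegalArgumentException("malformed authorization request", e);
        }

        // Check 1: the client must be registered and redirect_uri must match exactly.
        // On failure we must NOT redirect to the supplied URI, since that is exactly
        // the open-redirect / code-leak scenario the check exists to prevent.
        URI registered = registeredClients.get(request.getClientID());
        if (registered == null || !registered.equals(request.getRedirectionURI())) {
            throw new IllegalArgumentException("unknown client or redirect_uri mismatch");
        }

        // Check 2: only the authorization code flow is supported here. From this point
        // on the redirect target is the registered URI, so an error redirect is safe.
        ResponseType responseType = request.getResponseType();
        if (responseType == null || !responseType.contains(ResponseType.Value.CODE)) {
            return new AuthorizationErrorResponse(registered,
                    OAuth2Error.UNSUPPORTED_RESPONSE_TYPE,
                    request.getState(), request.impliedResponseMode());
        }

        // (Real servers authenticate the user and ask for consent here.)

        // Issue a fresh random code, remember which client it belongs to, and echo state.
        AuthorizationCode code = new AuthorizationCode();
        issuedCodes.put(code, request.getClientID());
        return new AuthorizationSuccessResponse(registered, code, null,
                request.getState(), request.impliedResponseMode());
    }

    public static void main(String[] args) {
        Map<ClientID, URI> clients = new HashMap<>();
        clients.put(new ClientID("demo-client"), URI.create("https://app.example/callback"));
        AuthorizationEndpoint endpoint = new AuthorizationEndpoint(clients);

        // Constructed request: registered client, matching redirect_uri, response_type=code.
        URI ok = URI.create("https://as.example/authorize?response_type=code&client_id=demo-client"
                + "&redirect_uri=https%3A%2F%2Fapp.example%2Fcallback&scope=openid&state=xyz");
        System.out.println("redirect to: " + endpoint.handle(ok).toURI());

        // Constructed request whose redirect_uri differs from the registered one: rejected
        // without any redirect, because the supplied URI cannot be trusted.
        URI bad = URI.create("https://as.example/authorize?response_type=code&client_id=demo-client"
                + "&redirect_uri=https%3A%2F%2Fother.example%2Fcb&state=xyz");
        try {
            endpoint.handle(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is the asymmetry in error handling: a `redirect_uri` mismatch or unknown client is reported to the caller as an exception (render an error page), while an unsupported `response_type` is reported as an `AuthorizationErrorResponse` redirect, because by then the redirect target has been verified against the registration.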
3.3 Apache Oltu
Apache Oltu is a graduated project of the Apache Foundation. It provides a general-purpose implementation of OAuth2.0 and, according to the documentation, is relatively simple to get started with; it is modular, providing Authorization Server, Resource Server, Client and JOSE support. There are still many Chinese tutorials online. The disadvantage is that the project is no longer actively maintained: the latest version was released in 2016.
3.4 vertx-auth-oauth2
vertx-auth-oauth2 belongs to the Vert.x ecosystem and provides a relatively complete implementation of OAuth2.0. The project is actively maintained; the only disadvantage is that it ties you to the Vert.x technology stack.
4. Summary
The above are several OAuth2.0 technology selection references for Java. I wonder which one you will choose? I have launched a vote on OAuth2.0 technology selection on my official account, Felordcn, and I hope you will participate. Vote portal: copy the link into WeChat to open the vote.
Follow our official account, Felordcn, for more information.
Personal blog: https://felord.cn