Add OIDC Authentication Plugin implementation #34

@Zorin95670

Description

Context

Following the refactor of AuthorizationPlugin, plugins are now responsible only for token validation.

To support common authentication mechanisms, we should provide a reference implementation based on OpenID Connect (OIDC).

Providing an OIDC plugin will allow the API to validate JWT access tokens issued by OIDC providers.


Plugin definition

The plugin should be named:

OIDCAuthenticationPlugin

Acronym:

oiap

This acronym can be used in configuration or plugin identification.


Proposal

Create a new AuthenticationPlugin implementation dedicated to OIDC token validation.

This plugin will:

  • Extract the bearer token from the HTTP request
  • Validate the JWT signature
  • Validate standard OIDC claims
  • Populate the TaskExecutionContext with authentication information.

Example plugin structure:

public class OIDCAuthenticationPlugin implements AuthenticationPlugin {

    @Override
    public void validateToken(
        AuthenticationConfiguration configuration,
        HttpServletRequest request,
        TaskExecutionContext context
    ) {
        // Extract Bearer token
        // Discover OIDC configuration
        // Validate JWT signature
        // Validate claims
        // Add claims to context
    }
}

Configuration

For the first iteration, the plugin should only require an issuer-uri configuration parameter, similar to the behavior of Spring Security when using spring.security.oauth2.resourceserver.jwt.issuer-uri.

Example configuration:

authentication:
  type: oiap
  issuer-uri: https://idp.example.com/realms/main

The plugin should automatically retrieve the OpenID configuration from:

{issuer-uri}/.well-known/openid-configuration

From this document, the plugin must retrieve:

  • jwks_uri
  • issuer
  • other metadata if necessary.

Expected validation behavior

The plugin should mimic the default validation performed by Spring Security when using issuer-uri, including:

  • retrieving the JWKS endpoint via discovery
  • validating the JWT signature
  • validating the iss claim
  • validating the token expiration (exp)

Additional validations (such as audience) can be added later if needed.


Claims propagation

After successful validation, the plugin must extract the JWT claims and store them in the TaskExecutionContext as:

Map<String, Object>

This allows downstream components to access token information such as:

  • sub
  • preferred_username
  • email
  • scope
  • roles
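The end-to-end flow described above (bearer extraction, discovery from issuer-uri, JWKS lookup, signature/iss/exp checks, claims propagation), as an added example rather than the project's own code. It uses the Nimbus JOSE+JWT library, which is also what Spring Security's issuer-uri support is built on; the javax.servlet import, configuration.get("issuer-uri") and context.put(...) are assumptions, since the issue does not define those APIs.

```java
import java.net.URL;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
public class OIDCAuthenticationPlugin implements AuthenticationPlugin {
    @Override
    public void validateToken(AuthenticationConfiguration configuration,
                              HttpServletRequest request, TaskExecutionContext context) {
        // 1. Extract the bearer token; any other Authorization scheme is rejected up front.
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) throw new SecurityException("no bearer token");
        String token = header.substring("Bearer ".length()).trim();
        String issuerUri = configuration.get("issuer-uri"); // accessor name assumed, not in the issue
        try {
            // 2. Discover {issuer-uri}/.well-known/openid-configuration and read issuer and jwks_uri.
            URL discovery = new URL(issuerUri.replaceAll("/+$", "") + "/.well-known/openid-configuration");
            Map<String, Object> metadata = JSONObjectUtils.parse(
                new DefaultResourceRetriever(2000, 2000).retrieveResource(discovery).getContent());
            // OIDC Discovery requires the advertised issuer to equal the configured one; refuse a mismatch.
            String issuer = JSONObjectUtils.getString(metadata, "issuer");
            if (!issuerUri.equals(issuer)) throw new SecurityException("discovery issuer != issuer-uri");
            URL jwksUrl = new URL(JSONObjectUtils.getString(metadata, "jwks_uri"));
            // 3./4. Verify the RS256 signature against the JWKS, pin iss to the discovered issuer,
            //       require exp, and reject expired tokens (the verifier's default clock skew applies).
            JWKSource<SecurityContext> jwks = JWKSourceBuilder.create(jwksUrl).build();
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, jwks));
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                new JWTClaimsSet.Builder().issuer(issuer).build(), Set.of("exp")));
            JWTClaimsSet claims = processor.process(token, null);
            // 5. Propagate every claim (sub, preferred_username, email, scope, roles, ...) as Map<String, Object>.
            context.put("claims", claims.getClaims()); // put(...) assumed; the issue leaves this API open
        } catch (SecurityException e) {
            throw e;
        } catch (Exception e) {
            throw new SecurityException("token validation failed", e);
        }
    }
}
```

In a real plugin the discovery document and the JWKSource should be resolved once at initialization and cached (JWKSourceBuilder caches keys only if the same source instance is reused); building them per request here keeps the example to a single method.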

Expected benefits

  • Provide a standard authentication plugin out of the box
  • Simplify integration with common identity providers
  • Offer a reference implementation for custom authentication plugins
  • Reduce the effort required to secure APIs with OIDC

Impact

  • Add a new plugin module for the OIDC implementation
  • Add dependencies required for JWT validation
  • Store JWT claims in TaskExecutionContext
  • Update plugin documentation with an OIDC example

Documentation to update

  • docs/plugins/create-authentication-plugin.md
  • Add a section: Using the OIDC Authentication Plugin

Labels: enhancement (New feature or request)