Dear Fineract Community,

We are pleased to share that the first stage of implementing OAuth 2.1 with PKCE in Fineract has been completed. A special thanks goes to Csenge Soti, who carried out the majority of the implementation.

Kindly review the following PR:
https://github.com/apache/fineract/pull/5028

Key changes included in this PR:
  • Removal of custom OAuth components (e.g., OauthAuthenticationProvider)
  • Removal of outdated and unmaintained Apache Oltu dependencies
  • Integration of a minimal Spring Authorization Server configuration as a default part of Fineract
  • Support for OAuth 2.1 Authorization Code flow with PKCE
  • Introduction of a minimal login page, allowing authentication via tenant identifier, username, and password

Additional improvements delivered in this stage:
  • Removal of the deprecated InsecureTwoFactorFilter workaround
  • Alignment of filters and features previously available only for HTTP Basic authentication, including:
      • Geolocation filter
      • Loan COB filter
      • Business date filter
      • Idempotency filter
      • Correlation ID filter

Potential next steps:
  • Introduce further configuration and extensibility options, such as:
      • CSRF and CORS settings
      • Third-party authorization server support
      • Confidential client authentication
      • Potential OpenID support

We would be happy to collaborate with and welcome contributions from the community on these next items. Your feedback, ideas, and participation will be invaluable in shaping the continued development of OAuth 2.1 support in Fineract.

Regards,
Adam

On 30 Jul 2025, at 14:16, Ádám Sághy <adamsa...@gmail.com> wrote:
Hi dear Fineract community,

As part of FINERACT-1908, I’d like to share some exciting plans regarding the upcoming revamp of our OAuth functionality, which is currently outdated and based on deprecated components.

We are working to replace the existing custom OAuth code with modern, Spring-based solutions that support OAuth 2.1 and PKCE. Our approach will leverage the following Spring modules:

  • Resource server: spring-boot-starter-oauth2-resource-server

  • OAuth2 client: spring-boot-starter-oauth2-client

  • Authorization server (drop-in default): spring-boot-starter-oauth2-authorization-server

Default Behavior

By default, Fineract will act as both:

  • An authorization server, and

  • A resource server

However, this default setup will be configurable. You’ll be able to disable the built-in authorization server and instead integrate with third-party solutions such as Keycloak or any other OAuth-compliant provider.

Having a default authorization server ensures that Fineract can run standalone without relying on external tools to support the full OAuth flow.

We will configure OAuth 2.1 with PKCE in a way that fits well into the Fineract architecture and provides strong security by default.


Phase 1 Deliverables

We aim to complete the following in the first phase:

  • Remove custom OAuth components (e.g. OauthAuthenticationProvider, etc.)

  • Remove outdated and unmaintained Apache Oltu dependencies

  • Integrate a minimal Spring Authorization Server configuration (as a default part of Fineract)

  • Support OAuth 2.1 Authorization Code flow with PKCE

  • Provide a minimal login page to authenticate users using: tenant identifier + username + password


Authentication Details

  • During authorization, when Fineract acts as the authorization server, the m_appuser table will be queried to validate credentials.

  • The resulting access token will include both the tenant identifier and username.

  • When Fineract acts as a resource server, it will validate the token and resolve the authenticated user by looking up the relevant AppUser in the database.

  • Roles and permissions will (for now) continue to be handled internally by Fineract based on the logged-in user and tenant context.

For full context and tracking, please see the related JIRA tickets:

Looking forward to your feedback, thoughts, and any suggestions you may have!

Best regards,

Adam
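The Authorization Code + PKCE exchange and the tenant/username token contents described in the plan above, as an added walk-through example. This is not code from the Fineract PR or from Spring Authorization Server; it models both sides of the flow in plain Python so the PKCE check can be seen end to end. The in-memory user store is a constructed stand-in for the m_appuser lookup, the issued token is a plain dict rather than Fineract's real token format, and the tenant, username and password values are constructed sample data.

```python
"""Added example: OAuth 2.1 Authorization Code flow with PKCE (RFC 7636),
with the client side, the authorization server side and the resource-server
lookup modelled in one file. Not Fineract's implementation."""
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the m_appuser table: (tenant, username) -> password.
USERS = {("tenant-a", "alice"): "s3cret"}


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes base64url-encoded gives 43 unreserved chars,
    inside the 43..128 range RFC 7636 requires for code_verifier."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class AuthorizationServer:
    """Toy authorization server holding only the state PKCE needs."""

    def __init__(self, users):
        self._users = users
        self._codes = {}  # authorization code -> (tenant, username, code_challenge)

    def authorize(self, tenant, username, password, code_challenge, method="S256"):
        """Login page step: validate credentials against the user store and bind
        the client's code_challenge to the authorization code that is issued."""
        if method != "S256":  # OAuth 2.1 drops the "plain" method
            raise ValueError("only the S256 code_challenge_method is accepted")
        stored = self._users.get((tenant, username))
        if stored is None or not hmac.compare_digest(stored, password):
            raise PermissionError("invalid tenant, username or password")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (tenant, username, code_challenge)
        return code

    def token(self, code, code_verifier):
        """Token endpoint: the code is single-use, and the presented verifier must
        hash to the challenge bound at authorization time."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown, expired or already redeemed code")
        tenant, username, challenge = entry
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("PKCE verification failed")
        # Both the tenant identifier and the username travel in the token.
        return {"sub": username, "tenant": tenant}


def resolve_user(token, users=USERS):
    """Resource-server side: the token's tenant and subject select the user record."""
    key = (token["tenant"], token["sub"])
    if key not in users:
        raise PermissionError("token does not map to a known user")
    return key


def run_flow():
    """Happy path: client generates verifier, gets a code, redeems it, resource
    server resolves the user. Returns (token, resolved user)."""
    server = AuthorizationServer(USERS)
    verifier = make_code_verifier()
    code = server.authorize("tenant-a", "alice", "s3cret", code_challenge_s256(verifier))
    token = server.token(code, verifier)
    return token, resolve_user(token)


def wrong_verifier_is_rejected():
    """An attacker holding only the code, not the verifier, cannot redeem it."""
    server = AuthorizationServer(USERS)
    code = server.authorize("tenant-a", "alice", "s3cret",
                            code_challenge_s256(make_code_verifier()))
    try:
        server.token(code, make_code_verifier())
    except PermissionError:
        return True
    return False


def code_reuse_is_rejected():
    """A redeemed code cannot be redeemed a second time, even with the right verifier."""
    server = AuthorizationServer(USERS)
    verifier = make_code_verifier()
    code = server.authorize("tenant-a", "alice", "s3cret", code_challenge_s256(verifier))
    server.token(code, verifier)
    try:
        server.token(code, verifier)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow())
```

The two negative cases are the ones worth checking in any real deployment: the token endpoint must reject a code presented with a verifier that does not match the stored challenge, and must reject a code that has already been redeemed. The `code_challenge_s256` function can be checked against the worked example in RFC 7636 Appendix B.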
