+1 This is long anticipated and I look forward to seeing it used.
On Thu, Sep 11, 2025 at 6:28 AM Mihaly Dallos <mihaly_dal...@docktape.com> wrote:
> Fantastic news!
> Thank you, Adam, Csenge!
>
> On Thu, Sep 11, 2025 at 1:45 PM Paul <pchristi...@gmail.com> wrote:
>
>> 🔥👍🔥
>>
>> This is awesome! Thanks
>> Paul
>>
>> On Thu, Sep 11, 2025 at 5:53 AM Ádám Sághy <adamsa...@gmail.com> wrote:
>>
>>> Dear Fineract Community,
>>>
>>> We are pleased to share that the first stage of implementing OAuth 2.1 with PKCE in Fineract has been completed. A special thanks goes to *Csenge Soti*, who carried out the majority of the implementation.
>>>
>>> *Kindly review the following PR:*
>>> https://github.com/apache/fineract/pull/5028
>>>
>>> *Key changes included in this PR:*
>>> • Removal of custom OAuth components (e.g., OauthAuthenticationProvider)
>>> • Removal of outdated and unmaintained Apache Oltu dependencies
>>> • Integration of a minimal Spring Authorization Server configuration as a default part of Fineract
>>> • Support for OAuth 2.1 Authorization Code flow with PKCE
>>> • Introduction of a minimal login page, allowing authentication via tenant identifier, username, and password
>>>
>>> *Additional improvements delivered in this stage:*
>>> • Removal of the deprecated InsecureTwoFactorFilter workaround
>>> • Alignment of filters and features previously available only for HTTP Basic authentication, including:
>>>   • Geolocation filter
>>>   • Loan COB filter
>>>   • Business date filter
>>>   • Idempotency filter
>>>   • Correlation ID filter
>>>
>>> *Potential next steps:*
>>> • Introduce further configuration and extensibility options, such as:
>>>   • CSRF and CORS settings
>>>   • Third-party authorization server support
>>>   • Confidential client authentication
>>>   • Potential OpenID support
>>>
>>> We would be happy to collaborate with and welcome contributions from the community on these next items. Your feedback, ideas, and participation will be invaluable in shaping the continued development of OAuth 2.1 support in Fineract.
>>>
>>> Regards,
>>> Adam
>>>
>>> Sent from my iPhone
>>>
>>> On 30 Jul 2025, at 14:16, Ádám Sághy <adamsa...@gmail.com> wrote:
>>>
>>> Hi dear Fineract community,
>>>
>>> As part of FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>, I'd like to share some exciting plans regarding the upcoming revamp of our OAuth functionality, which is currently outdated and based on deprecated components.
>>>
>>> We are working to replace the existing custom OAuth code with modern, Spring-based solutions that support OAuth 2.1 and PKCE. Our approach will leverage the following Spring modules:
>>>
>>> - *Resource server*: spring-boot-starter-oauth2-resource-server
>>> - *OAuth2 client*: spring-boot-starter-oauth2-client
>>> - *Authorization server* (drop-in default): spring-boot-starter-oauth2-authorization-server
>>>
>>> Default Behavior
>>>
>>> By default, Fineract will act as both:
>>>
>>> - An *authorization server*, and
>>> - A *resource server*
>>>
>>> However, this default setup will be configurable. You'll be able to disable the built-in authorization server and instead integrate with third-party solutions such as Keycloak or any other OAuth-compliant provider.
>>>
>>> Having a default authorization server ensures that Fineract can run standalone without relying on external tools to support the full OAuth flow.
>>>
>>> We will configure OAuth 2.1 with PKCE in a way that fits well into the Fineract architecture and provides strong security by default.
>>>
>>> - 📖 More about this flow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
>>> - 🧭 Example flow diagram: [image: PKCE flow]
>>>
>>> ------------------------------
>>> Phase 1 Deliverables
>>>
>>> We aim to complete the following in the first phase:
>>>
>>> - Remove custom OAuth components (e.g. OauthAuthenticationProvider, etc.)
>>> - Remove outdated and unmaintained Apache Oltu dependencies
>>> - Integrate a minimal Spring Authorization Server configuration (as a default part of Fineract)
>>> - Support *OAuth 2.1 Authorization Code flow with PKCE*
>>> - Provide a minimal login page to authenticate users using: *tenant identifier + username + password*
>>>
>>> ------------------------------
>>> Authentication Details
>>>
>>> - During authorization, when Fineract acts as the *authorization server*, the m_appuser table will be queried to validate credentials.
>>> - The resulting access token will include both the *tenant identifier* and *username*.
>>> - When Fineract acts as a *resource server*, it will validate the token and resolve the authenticated user by looking up the relevant AppUser in the database.
>>> - *Roles and permissions* will (for now) continue to be handled internally by Fineract based on the logged-in user and tenant context.
>>>
>>> For full context and tracking, please see the related JIRA tickets:
>>>
>>> - FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>
>>> - FINERACT-1984 <https://issues.apache.org/jira/browse/FINERACT-1984>
>>>
>>> Looking forward to your feedback, thoughts, and any suggestions you may have!
>>>
>>> Best regards,
>>>
>>> Adam
>>>
>>
>> --
>> --
>> Paul
>>
>
>
> --
> Mihaly
>
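The Authorization Code flow with PKCE that the thread describes, modelled end to end as an added example. This is not Fineract's code nor Spring Authorization Server's (the project's implementation is Spring-based Java); it follows RFC 7636 (S256) and the thread's description of what the token carries (tenant identifier plus username) and how the resource server resolves the user. Everything concrete is an assumption for illustration: the client id `fineract-web` and its redirect URI, an in-memory user table standing in for m_appuser, an HMAC-signed token standing in for a JWT, and the 60-second code lifetime.

```python
"""Added example: OAuth 2.1 Authorization Code flow with PKCE (RFC 7636, S256), in memory.
Not Fineract code; names, TTLs and sample data are assumptions made for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 60                   # assumption: authorization codes are short-lived
TOKEN_TTL_SECONDS = 3600                # assumption: access token lifetime
SIGNING_KEY = secrets.token_bytes(32)   # assumption: stands in for the server's JWT signing key


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a random code_verifier (43 unreserved chars) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, s256_challenge(verifier)


def sign_token(claims: dict) -> str:
    """Stand-in for a signed JWT: base64url(JSON claims).base64url(HMAC-SHA256)."""
    body = b64url(json.dumps(claims, sort_keys=True).encode("utf-8"))
    mac = b64url(hmac.new(SIGNING_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{mac}"


def verify_token(token: str) -> dict | None:
    """Resource-server side: constant-time signature check plus expiry; claims or None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, mac = parts
    expected = b64url(hmac.new(SIGNING_KEY, body.encode("utf-8"), hashlib.sha256).digest())
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("ascii")):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None


@dataclass
class AuthorizationServer:
    """In-memory model of the built-in authorization server; constructed sample data below."""
    clients: dict = field(default_factory=lambda: {
        "fineract-web": {"redirect_uri": "https://app.example/callback"}})   # assumed public client
    users: dict = field(default_factory=lambda: {("default", "mifos"): "password"})  # stand-in for m_appuser
    codes: dict = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str,
                  code_challenge_method: str, tenant: str, username: str, password: str) -> str:
        """Authorization endpoint after the login page: check client, require PKCE, check credentials."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request: unknown client or redirect_uri mismatch")
        if code_challenge_method != "S256" or not code_challenge:
            raise PermissionError("invalid_request: S256 code_challenge is required")  # OAuth 2.1: PKCE, no 'plain'
        stored = self.users.get((tenant, username), "")
        if not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
            raise PermissionError("access_denied: bad tenant, username or password")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": code_challenge, "tenant": tenant,
                            "username": username, "expires": time.time() + CODE_TTL_SECONDS}
        return code

    def token(self, client_id: str, redirect_uri: str, code: str, code_verifier: str) -> str:
        """Token endpoint: the code is single-use and bound to client, redirect_uri and challenge."""
        record = self.codes.pop(code, None)   # consumed even if the exchange fails below
        if record is None or record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant")
        if time.time() > record["expires"]:
            raise PermissionError("invalid_grant: code expired")
        if not hmac.compare_digest(s256_challenge(code_verifier).encode("ascii"),
                                   record["code_challenge"].encode("utf-8")):
            raise PermissionError("invalid_grant: PKCE verification failed")
        now = int(time.time())
        return sign_token({"sub": record["username"], "tenant": record["tenant"],
                           "client_id": client_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS})


def resolve_user(token: str, users: dict) -> tuple[str, str] | None:
    """Resource-server side: validate the token, then look (tenant, username) up as the AppUser."""
    claims = verify_token(token)
    if claims is None:
        return None
    key = (claims["tenant"], claims["sub"])
    return key if key in users else None


def run_demo() -> dict:
    """Legitimate exchange, then an attacker holding a captured code but not the verifier."""
    auth = AuthorizationServer()
    client, redirect = "fineract-web", "https://app.example/callback"
    verifier, challenge = make_pkce_pair()
    code = auth.authorize(client, redirect, challenge, "S256", "default", "mifos", "password")
    user = resolve_user(auth.token(client, redirect, code, verifier), auth.users)

    stolen = auth.authorize(client, redirect, challenge, "S256", "default", "mifos", "password")
    attacker_verifier, _ = make_pkce_pair()   # the attacker never saw the real verifier
    try:
        auth.token(client, redirect, stolen, attacker_verifier)
        attacker_blocked = False
    except PermissionError:
        attacker_blocked = True
    try:
        auth.token(client, redirect, code, verifier)   # replaying the already-used code
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"user": user, "attacker_blocked": attacker_blocked, "replay_blocked": replay_blocked}


if __name__ == "__main__":
    print(run_demo())
```

The two checks that matter for a public client are in `token()`: the server recomputes `BASE64URL(SHA256(code_verifier))` and compares it in constant time against the challenge stored at authorization time, and it pops the code before validating so a failed or repeated redemption can never succeed later. A third-party authorization server such as Keycloak would take over `authorize()` and `token()`; the resource-server half (`verify_token` and `resolve_user`) is the part that still needs the tenant and username claims the thread describes.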