Fantastic news! Thank you, Adam, Csenge!

On Thu, Sep 11, 2025 at 1:45 PM Paul <pchristi...@gmail.com> wrote:

> 🔥👍🔥
>
> This is awesome! Thanks
> Paul
>
> On Thu, Sep 11, 2025 at 5:53 AM Ádám Sághy <adamsa...@gmail.com> wrote:
>
>> Dear Fineract Community,
>>
>> We are pleased to share that the first stage of implementing OAuth 2.1 with PKCE in Fineract has been completed. A special thanks goes to *Csenge Soti*, who carried out the majority of the implementation.
>>
>> *Kindly review the following PR:*
>> https://github.com/apache/fineract/pull/5028
>>
>> *Key changes included in this PR:*
>> • Removal of custom OAuth components (e.g., OauthAuthenticationProvider)
>> • Removal of outdated and unmaintained Apache Oltu dependencies
>> • Integration of a minimal Spring Authorization Server configuration as a default part of Fineract
>> • Support for OAuth 2.1 Authorization Code flow with PKCE
>> • Introduction of a minimal login page, allowing authentication via tenant identifier, username, and password
>>
>> *Additional improvements delivered in this stage:*
>> • Removal of the deprecated InsecureTwoFactorFilter workaround
>> • Alignment of filters and features previously available only for HTTP Basic authentication, including:
>>   • Geolocation filter
>>   • Loan COB filter
>>   • Business date filter
>>   • Idempotency filter
>>   • Correlation ID filter
>>
>> *Potential next steps:*
>> • Introduce further configuration and extensibility options, such as:
>>   • CSRF and CORS settings
>>   • Third-party authorization server support
>>   • Confidential client authentication
>>   • Potential OpenID support
>>
>> We would be happy to collaborate with and welcome contributions from the community on these next items. Your feedback, ideas, and participation will be invaluable in shaping the continued development of OAuth 2.1 support in Fineract.
>>
>> Regards,
>> Adam
>>
>> Sent from my iPhone
>>
>> On 30 Jul 2025, at 14:16, Ádám Sághy <adamsa...@gmail.com> wrote:
>>
>> Hi dear Fineract community,
>>
>> As part of FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>, I'd like to share some exciting plans regarding the upcoming revamp of our OAuth functionality, which is currently outdated and based on deprecated components.
>>
>> We are working to replace the existing custom OAuth code with modern, Spring-based solutions that support OAuth 2.1 and PKCE. Our approach will leverage the following Spring modules:
>>
>> - *Resource server*: spring-boot-starter-oauth2-resource-server
>> - *OAuth2 client*: spring-boot-starter-oauth2-client
>> - *Authorization server* (drop-in default): spring-boot-starter-oauth2-authorization-server
>>
>> Default Behavior
>>
>> By default, Fineract will act as both:
>>
>> - An *authorization server*, and
>> - A *resource server*
>>
>> However, this default setup will be configurable. You'll be able to disable the built-in authorization server and instead integrate with third-party solutions such as Keycloak or any other OAuth-compliant provider.
>>
>> Having a default authorization server ensures that Fineract can run standalone without relying on external tools to support the full OAuth flow.
>>
>> We will configure OAuth 2.1 with PKCE in a way that fits well into the Fineract architecture and provides strong security by default.
>>
>> - 📖 More about this flow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
>> - 🧭 Example flow diagram: [image: PKCE flow]
>>
>> ------------------------------
>> Phase 1 Deliverables
>>
>> We aim to complete the following in the first phase:
>>
>> - Remove custom OAuth components (e.g. OauthAuthenticationProvider, etc.)
>> - Remove outdated and unmaintained Apache Oltu dependencies
>> - Integrate a minimal Spring Authorization Server configuration (as a default part of Fineract)
>> - Support *OAuth 2.1 Authorization Code flow with PKCE*
>> - Provide a minimal login page to authenticate users using: *tenant identifier + username + password*
>>
>> ------------------------------
>> Authentication Details
>>
>> - During authorization, when Fineract acts as the *authorization server*, the m_appuser table will be queried to validate credentials.
>> - The resulting access token will include both the *tenant identifier* and *username*.
>> - When Fineract acts as a *resource server*, it will validate the token and resolve the authenticated user by looking up the relevant AppUser in the database.
>> - *Roles and permissions* will (for now) continue to be handled internally by Fineract based on the logged-in user and tenant context.
>>
>> For full context and tracking, please see the related JIRA tickets:
>>
>> - FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>
>> - FINERACT-1984 <https://issues.apache.org/jira/browse/FINERACT-1984>
>>
>> Looking forward to your feedback, thoughts, and any suggestions you may have!
>>
>> Best regards,
>>
>> Adam
>>
>
> --
> --
> Paul
>
-- 
Mihaly
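The Authorization Code flow with PKCE that the thread above describes, shown end to end as an added example. This is not Fineract's or Spring Authorization Server's code: it is a self-contained in-memory model of the three roles the plan names (the login step that checks tenant + username + password, the token endpoint that verifies the PKCE proof and issues a token carrying the tenant identifier and username, and the resource-server lookup that maps a token back to a user). The client id `community-app`, the redirect URI, the sample user, the 60-second code lifetime and the use of opaque tokens with a server-side lookup are all assumptions made for the example; the thread does not state the token format or client registration the PR uses. The S256-only rule and the single-use authorization code follow OAuth 2.1 and RFC 7636, and the test vector in the usage note is RFC 7636 Appendix B.

```python
# Added example (not Fineract or Spring Authorization Server code): an in-memory
# model of the OAuth 2.1 Authorization Code flow with PKCE (RFC 7636, S256 only),
# issuing a token that carries the tenant identifier and username.
import base64
import hashlib
import secrets
import time

# Hypothetical client registration and a constructed sample user. The real
# server would check the m_appuser table instead of this dict.
CLIENT_ID = "community-app"
REDIRECT_URI = "https://app.example/callback"
SAMPLE_USERS = {("default", "mifos"): "password"}
CODE_TTL_SECONDS = 60


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random bytes -> 43 unreserved chars (RFC 7636 4.1 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Authorization endpoint, token endpoint and resource-server lookup, all in memory."""

    def __init__(self, users: dict):
        self._users = users
        self._codes = {}   # code -> binding of client, redirect URI, challenge, tenant, user
        self._tokens = {}  # opaque token -> claims (assumption: opaque tokens, not JWTs)

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method,
                  tenant, username, password) -> str:
        """Login-page submit: validate credentials, bind the PKCE challenge to a one-time code."""
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URI:
            raise PermissionError("unknown client or redirect URI")
        if code_challenge_method != "S256":  # OAuth 2.1 drops the 'plain' method
            raise PermissionError("only S256 code_challenge_method is accepted")
        expected = self._users.get((tenant, username))
        if expected is None or not secrets.compare_digest(expected.encode(), password.encode()):
            raise PermissionError("invalid tenant, username or password")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id, "redirect_uri": redirect_uri,
            "challenge": code_challenge, "tenant": tenant, "username": username,
            "expires": time.time() + CODE_TTL_SECONDS,
        }
        return code

    def token(self, client_id, redirect_uri, code, code_verifier) -> str:
        """Token endpoint: consume the code (single use) and verify the PKCE proof."""
        entry = self._codes.pop(code, None)  # removed even if the exchange fails below
        if entry is None:
            raise PermissionError("unknown, expired or already-used authorization code")
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client or redirect URI")
        if time.time() > entry["expires"]:
            raise PermissionError("authorization code expired")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("code_verifier length out of range")
        if not secrets.compare_digest(make_code_challenge(code_verifier), entry["challenge"]):
            raise PermissionError("PKCE verification failed")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"tenant": entry["tenant"], "username": entry["username"],
                               "client_id": client_id}
        return token

    def resolve_user(self, token):
        """Resource-server side: map a bearer token back to its tenant/username claims, or None."""
        return self._tokens.get(token)


def demo() -> dict:
    """Happy path plus the two failures that PKCE and single-use codes exist to stop."""
    server = AuthorizationServer(SAMPLE_USERS)
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    code = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256",
                            "default", "mifos", "password")
    claims = server.resolve_user(server.token(CLIENT_ID, REDIRECT_URI, code, verifier))

    # An attacker who intercepted the code but not the verifier cannot redeem it.
    stolen = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "S256",
                              "default", "mifos", "password")
    try:
        server.token(CLIENT_ID, REDIRECT_URI, stolen, make_code_verifier())
        wrong_verifier_rejected = False
    except PermissionError:
        wrong_verifier_rejected = True

    # Replaying the already-redeemed code fails as well.
    try:
        server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
        code_reuse_rejected = False
    except PermissionError:
        code_reuse_rejected = True

    return {"claims": claims, "wrong_verifier_rejected": wrong_verifier_rejected,
            "code_reuse_rejected": code_reuse_rejected}


if __name__ == "__main__":
    print(demo())
```

Two checks worth keeping in mind when reviewing the real configuration: the RFC 7636 Appendix B vector (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` must produce challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) confirms the S256 transform, and the token endpoint must pop the code before verifying the proof so that a failed guess also burns the code. The sample stores a plaintext password only because the user store is constructed; a deployment compares against the hashed credentials in m_appuser.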