Hello Fineract community, I would like to open a vote on FINERACT-2616: OIDC Federation Support for External Identity Providers <https://issues.apache.org/jira/browse/FINERACT-2616>
This allows organizations with an existing corporate IdP (Keycloak, Google Workspace, Azure AD, Okta, Auth0) to enable SSO without forking authentication logic or maintaining a parallel user database. The feature is fully opt-in (*fineract.security.oidc-federation.enabled=true*) and does not affect existing Basic Auth or OAuth2 deployments.

Fineract PR raised <https://github.com/apache/fineract/pull/5883>

---

The core of this contribution is *OidcAppUserResolutionServiceImpl*, which bridges an external OIDC identity to a Fineract AppUser using a *three-step strategy* on every authenticated request:

1. *Lookup by username* — using the configured usernameClaim (default: preferred_username)
2. *Fallback by email* — matches users pre-existing in Fineract by their corporate email
3. *Auto-creation* — when enabled via *fineract.security.oidc-federation.auto-create-user=true*, provisions a new *AppUser* on first login, assigned to the head office with the configured defaultRoles merged with any roles extracted from the OIDC token.

Throws *OidcUserNotFoundException* when auto-create is disabled and no match is found.

---

Please vote:
[ ] +1 approve
[ ] +0 no objection
[ ] -1 object because:

Thank you,
Jose Alberto Hernandez
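The three-step resolution described above, as an added self-contained Java sketch that is not the code in the PR: AppUser, the in-memory user map, the exception class and the constructor arguments are simplified stand-ins for Fineract's real classes and configuration.

```java
import java.util.*;

// Stand-in types; Fineract's real AppUser and repository classes are not used here.
public class OidcAppUserResolver {
    record AppUser(String username, String email, Set<String> roles, boolean atHeadOffice) {}
    static class OidcUserNotFoundException extends RuntimeException {
        OidcUserNotFoundException(String msg) { super(msg); }
    }
    private final Map<String, AppUser> usersByUsername = new LinkedHashMap<>();
    private final String usernameClaim;      // usernameClaim, default preferred_username
    private final boolean autoCreateUser;    // the auto-create-user switch
    private final Set<String> defaultRoles;  // configured defaultRoles for new users
    OidcAppUserResolver(String claim, boolean autoCreate, Set<String> defaults) {
        usernameClaim = claim; autoCreateUser = autoCreate; defaultRoles = defaults;
    }
    void addExistingUser(AppUser user) { usersByUsername.put(user.username(), user); }

    AppUser resolve(Map<String, Object> claims, Set<String> tokenRoles) {
        String username = (String) claims.get(usernameClaim);
        String email = (String) claims.get("email");
        // Step 1: exact match on the configured username claim.
        if (username != null && usersByUsername.containsKey(username)) {
            return usersByUsername.get(username);
        }
        // Step 2: fall back to the corporate e-mail of a pre-existing Fineract user.
        if (email != null) {
            for (AppUser u : usersByUsername.values()) if (email.equalsIgnoreCase(u.email())) return u;
        }
        // Step 3: provision on first login, or fail closed when auto-create is disabled.
        if (!autoCreateUser || username == null) {
            throw new OidcUserNotFoundException("No Fineract user for OIDC identity " + username);
        }
        Set<String> roles = new TreeSet<>(defaultRoles);   // configured defaults ...
        roles.addAll(tokenRoles);                          // ... merged with roles from the token
        AppUser created = new AppUser(username, email, roles, true); // assigned to head office
        usersByUsername.put(username, created);
        return created;
    }

    public static void main(String[] args) {
        OidcAppUserResolver r = new OidcAppUserResolver("preferred_username", true, Set.of("ROLE_TELLER"));
        r.addExistingUser(new AppUser("mifos", "mifos@example.org", Set.of("ROLE_ADMIN"), true));
        // Constructed claims: the username differs from the Fineract one, so the e-mail fallback matches.
        Map<String, Object> claims = Map.of("preferred_username", "m.ifos", "email", "MIFOS@example.org");
        System.out.println(r.resolve(claims, Set.of()).username());
        // Unknown identity: auto-created with the default roles merged with the token's roles.
        claims = Map.of("preferred_username", "jdoe", "email", "jdoe@example.org");
        System.out.println(r.resolve(claims, Set.of("ROLE_LOAN_OFFICER")).roles());
    }
}
```

The e-mail fallback is only as trustworthy as the IdP's own verification of the email claim, so that step deserves the same review as the username mapping.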
