alberto-art3ch opened a new pull request, #5883:
URL: https://github.com/apache/fineract/pull/5883
## Description
We are adding a complete OIDC (OpenID Connect) Federation layer for Apache
Fineract, enabling integration with external Identity Providers (Keycloak,
Google, Azure AD, Okta, Auth0) without replacing the existing Basic Auth
mechanism.
- OidcFederationSecurityConfig — New Spring Security filter chain
(@Order(100)) active only when `fineract.security.oidc-federation.enabled=true`
- OidcTenantAwareFilter — Resolves the Fineract tenant from a configurable
JWT claim (fineract_tenant by default) and sets the multi-tenant context
- FineractOidcJwtAuthenticationConverter — Maps JWT claims to a
FineractOidcUser principal with configurable username claim
(preferred_username, email, sub)
- FineractOidcUserService — Loads existing Fineract AppUser from the
resolved OIDC principal; optionally auto-creates users on first login with
configurable default roles
- OidcAuthenticationSuccessHandler / OidcLogoutSuccessHandler — Handles
post-login and RP-Initiated Logout per provider dialect (Keycloak, Azure AD,
Okta, Auth0, generic)
- FineractCorsConfiguration — Extracted CORS config as a reusable bean
shared across Security filter chains
- FineractProperties.FineractSecurityOidcFederationProperties — Config
block under `fineract.security.oidc-federation`
[FINERACT-2616](https://issues.apache.org/jira/browse/FINERACT-2616)
## Checklist
Please make sure these boxes are checked before submitting your pull request - thanks!
- [ ] Write the commit message as per [our
guidelines](https://github.com/apache/fineract/blob/develop/CONTRIBUTING.md#pull-requests)
- [ ] Acknowledge that we will not review PRs that are not passing the build
_("green")_ - it is your responsibility to get a proposed PR to pass the build,
not primarily the project's maintainers.
- [ ] Create/update [unit or integration
tests](https://fineract.apache.org/docs/current/#_testing) for verifying the
changes made.
- [ ] Follow our [coding
conventions](https://cwiki.apache.org/confluence/display/FINERACT/Coding+Conventions).
- [ ] Add required Swagger annotation and update API documentation at
fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with
details of any API changes
- [ ] [This PR must not be a "code
dump"](https://cwiki.apache.org/confluence/display/FINERACT/Pull+Request+Size+Limit).
Large changes can be made in a branch, with assistance. Ask for help on the
[developer mailing list](https://fineract.apache.org/#contribute).
Your assigned reviewer(s) will follow our [guidelines for code
reviews](https://cwiki.apache.org/confluence/display/FINERACT/Code+Review+Guide).
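The tenant and username claim resolution listed in the description, as an added example that is not code from this pull request or from Apache Fineract. It assumes the claims come from a JWT whose signature, issuer and audience were already validated; the class and method names, the known-tenant set and the reject-on-missing-claim behaviour are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added example; hypothetical class, not part of the Fineract code base.
public class OidcClaimResolutionExample {

    // Default tenant claim name as stated in the pull request description.
    static final String DEFAULT_TENANT_CLAIM = "fineract_tenant";

    // Assumption: a token without a usable tenant claim is rejected, never mapped to a default tenant.
    static Optional<String> resolveTenant(Map<String, Object> claims, String tenantClaim, Set<String> knownTenants) {
        Object raw = claims.get(tenantClaim);
        if (!(raw instanceof String)) {
            return Optional.empty(); // missing, or an array/object instead of a single string
        }
        String tenant = (String) raw;
        // Only identifiers the deployment already knows may select a tenant context.
        return knownTenants.contains(tenant) ? Optional.of(tenant) : Optional.empty();
    }

    // usernameClaim is the configured claim, e.g. preferred_username, email or sub.
    static Optional<String> resolveUsername(Map<String, Object> claims, String usernameClaim) {
        Object raw = claims.get(usernameClaim);
        if (raw instanceof String && !((String) raw).isBlank()) {
            return Optional.of((String) raw);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Set<String> knownTenants = Set.of("default", "tenant-a"); // constructed sample
        // Constructed claim sets: valid, tenant missing, tenant as a list, unknown tenant.
        List<Map<String, Object>> samples = List.of(
            Map.of("sub", "1234", "preferred_username", "alice", "fineract_tenant", "tenant-a"),
            Map.of("sub", "1234", "preferred_username", "alice"),
            Map.of("sub", "1234", "fineract_tenant", List.of("tenant-a", "default")),
            Map.of("sub", "1234", "preferred_username", "alice", "fineract_tenant", "tenant-z"));
        for (Map<String, Object> claims : samples) {
            Optional<String> tenant = resolveTenant(claims, DEFAULT_TENANT_CLAIM, knownTenants);
            Optional<String> user = resolveUsername(claims, "preferred_username");
            boolean accept = tenant.isPresent() && user.isPresent();
            System.out.println((accept ? "ACCEPT " : "REJECT ") + tenant + " " + user);
        }
    }
}
```

Only the first constructed claim set is accepted; the other three are rejected because the tenant claim is absent, is not a single string, or names a tenant the deployment does not know.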