Deprecate OpenID 2.0 Support

Add deprecation notice to all files in the spring-security-openid module

Fixes gh-7263

openid/spring-security-openid.gradle

@@ -1,3 +1,7 @@
+// NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+// <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+// to <a href="https://openid.net/connect/">OpenID Connect</a>.
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java

@@ -20,6 +20,9 @@ import org.springframework.security.core.AuthenticationException;
 /**
  * Indicates that OpenID authentication was cancelled
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class AuthenticationCancelledException extends AuthenticationException {

openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java

@@ -24,6 +24,9 @@ import java.util.List;
  * This allows the list of attributes for a fetch request to be tailored for different
  * OpenID providers, since they do not all support the same attributes.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Luke Taylor
  * @since 3.1
  */

openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java

@@ -19,6 +19,9 @@ import java.util.Collections;
 import java.util.List;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Luke Taylor
  * @since 3.1
  */

openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java

@@ -41,6 +41,9 @@ import org.openid4java.message.ax.FetchResponse;
 import org.springframework.util.StringUtils;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Ray Krueger
  * @author Luke Taylor
  */

openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java

@@ -27,6 +27,9 @@ import org.springframework.util.Assert;
  * should be requested during a fetch request, or to hold values for an attribute which
  * are returned during the authentication process.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Luke Taylor
  * @since 3.0
  */

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java

@@ -59,6 +59,9 @@ import java.util.*;
  * where it should (normally) be processed by an <tt>OpenIDAuthenticationProvider</tt> in
  * order to load the authorities for the user.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley
  * @author Ray Krueger
  * @author Luke Taylor

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java

@@ -44,6 +44,9 @@ import org.springframework.util.Assert;
  * {@code Authentication} token, so additional properties such as email addresses,
  * telephone numbers etc can easily be stored.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley, Opsera Ltd.
  * @author Luke Taylor
  */

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java

@@ -18,6 +18,9 @@ package org.springframework.security.openid;
 /**
  * Authentication status codes, based on JanRain status codes
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author JanRain Inc.
  * @author Robin Bramley, Opsera Ltd
  * @author Luke Taylor

openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java

@@ -26,6 +26,9 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
 /**
  * OpenID Authentication Token
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley
  */
 public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {

openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java

@@ -20,6 +20,9 @@ import javax.servlet.http.HttpServletRequest;
 /**
  * An interface for OpenID library implementations
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Ray Krueger
  * @author Robin Bramley, Opsera Ltd
  */

openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java

@@ -18,6 +18,9 @@ package org.springframework.security.openid;
 /**
  * Thrown by an OpenIDConsumer if it cannot process a request
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class OpenIDConsumerException extends Exception {

openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java

@@ -22,7 +22,9 @@ import java.util.Map;
 import java.util.regex.Pattern;
 
 /**
- *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Luke Taylor
  * @since 3.1
  */

openid/src/main/java/org/springframework/security/openid/package.html

@@ -1,5 +1,9 @@
 <html>
 <body>
-Authenticates standard web browser users via <a href="https://openid.net">OpenID</a>.
+<p>Authenticates standard web browser users via <a href="https://openid.net">OpenID</a>.</p>
+
+<p>NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+    <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+    to <a href="https://openid.net/connect/">OpenID Connect</a>.</p>
 </body>
-</html>
+</html>

openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java

@@ -15,12 +15,12 @@
  */
 package org.springframework.security.openid;
 
-import org.springframework.security.openid.OpenIDAuthenticationToken;
-import org.springframework.security.openid.OpenIDConsumer;
-
 import javax.servlet.http.HttpServletRequest;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class MockOpenIDConsumer implements OpenIDConsumer {

openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java

@@ -40,6 +40,9 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import java.util.*;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Luke Taylor
  */
 public class OpenID4JavaConsumerTests {

openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java

@@ -31,6 +31,11 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
+ */
 public class OpenIDAuthenticationFilterTests {
 
 	OpenIDAuthenticationFilter filter;

openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java

@@ -35,6 +35,9 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 /**
  * Tests {@link OpenIDAuthenticationProvider}
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class OpenIDAuthenticationProviderTests {

openid/src/test/resources/logback-test.xml

@@ -1,3 +1,7 @@
+<!-- NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>. -->
+
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>