
Deprecate OpenID 2.0 support

Deprecate OpenID 2.0 support
Rob Winch 5 년 전
부모
커밋
e5d2aaf6fe
37개의 변경된 파일200개의 추가작업 그리고 59개의 파일을 삭제
  1. 6 1
      config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java
  2. 3 0
      config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java
  3. 60 45
      config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
  4. 2 2
      config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc
  5. 10 2
      config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd
  6. 1 1
      docs/articles/src/docbook/codebase-structure.xml
  7. 3 0
      docs/manual/src/docs/asciidoc/_includes/about/modules.adoc
  8. 4 0
      docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc
  9. 4 0
      openid/spring-security-openid.gradle
  10. 3 0
      openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java
  11. 3 0
      openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java
  12. 3 0
      openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java
  13. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java
  14. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java
  15. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java
  16. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java
  17. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java
  18. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java
  19. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java
  20. 3 0
      openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java
  21. 3 1
      openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java
  22. 6 2
      openid/src/main/java/org/springframework/security/openid/package.html
  23. 3 3
      openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java
  24. 3 0
      openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java
  25. 5 0
      openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java
  26. 3 0
      openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java
  27. 4 0
      openid/src/test/resources/logback-test.xml
  28. 3 0
      samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java
  29. 5 0
      samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java
  30. 5 0
      samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java
  31. 6 1
      samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java
  32. 6 1
      samples/javaconfig/openid/src/main/resources/views/login.html
  33. 3 0
      samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java
  34. 3 0
      samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java
  35. 4 0
      samples/xml/openid/src/main/resources/logback.xml
  36. 6 0
      samples/xml/openid/src/main/webapp/index.jsp
  37. 6 0
      samples/xml/openid/src/main/webapp/openidlogin.jsp

+ 6 - 1
config/src/main/java/org/springframework/security/config/annotation/web/builders/HttpSecurity.java

@@ -233,7 +233,9 @@ public final class HttpSecurity extends
 	 * </pre>
 	 *
 	 * @return the {@link OpenIDLoginConfigurer} for further customizations.
-	 *
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @throws Exception
 	 * @see OpenIDLoginConfigurer
 	 */
@@ -355,6 +357,9 @@ public final class HttpSecurity extends
 	 *
 	 * @param openidLoginCustomizer the {@link Customizer} to provide more options for
 	 * the {@link OpenIDLoginConfigurer}
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	 * @return the {@link HttpSecurity} for further customizations
 	 * @throws Exception
 	 */
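Review bot: The `@deprecated` Javadoc tag is added in both hunks without a matching `@Deprecated` annotation; the six added lines counted for this file are all comment lines, and the method signatures lie outside the hunks. Reflection and annotation-based tooling see only the annotation, and `javac -Xlint:dep-ann` reports a tag that lacks it, so add `@Deprecated` above each of the two methods unless it is already present below the comment. The same applies to `OpenIDLoginConfigurer` and to the classes under `openid/src/main/java`, whose sections likewise add only the Javadoc tag.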

+ 3 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/openid/OpenIDLoginConfigurer.java

@@ -118,6 +118,9 @@ import org.springframework.security.web.util.matcher.RequestMatcher;
  * </ul>
  *
  * @author Rob Winch
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @since 3.2
  */
 public final class OpenIDLoginConfigurer<H extends HttpSecurityBuilder<H>> extends

+ 60 - 45
config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java

@@ -350,51 +350,7 @@ final class AuthenticationConfigBuilder {
 		RootBeanDefinition openIDFilter = null;
 
 		if (openIDLoginElt != null) {
-			FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
-					"/login/openid", null,
-					OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
-					sessionStrategy, allowSessionCreation, portMapper, portResolver);
-
-			parser.parse(openIDLoginElt, pc);
-			openIDFilter = parser.getFilterBean();
-			openIDEntryPoint = parser.getEntryPointBean();
-			openidLoginProcessingUrl = parser.getLoginProcessingUrl();
-			openIDLoginPage = parser.getLoginPage();
-
-			List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
-					Elements.OPENID_ATTRIBUTE_EXCHANGE);
-
-			if (!attrExElts.isEmpty()) {
-				// Set up the consumer with the required attribute list
-				BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
-						.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
-				BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
-						.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
-				ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
-
-				for (Element attrExElt : attrExElts) {
-					String identifierMatch = attrExElt.getAttribute("identifier-match");
-
-					if (!StringUtils.hasText(identifierMatch)) {
-						if (attrExElts.size() > 1) {
-							pc.getReaderContext().error(
-									"You must supply an identifier-match attribute if using more"
-											+ " than one "
-											+ Elements.OPENID_ATTRIBUTE_EXCHANGE
-											+ " element", attrExElt);
-						}
-						// Match anything
-						identifierMatch = ".*";
-					}
-
-					axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
-				}
-				axFactory.addConstructorArgValue(axMap);
-
-				consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
-				openIDFilter.getPropertyValues().addPropertyValue("consumer",
-						consumerBldr.getBeanDefinition());
-			}
+			openIDFilter = parseOpenIDFilter(sessionStrategy, openIDLoginElt);
 		}
 
 		if (openIDFilter != null) {
@@ -412,6 +368,65 @@ final class AuthenticationConfigBuilder {
 		}
 	}
 
+	/**
+	 * Parses OpenID 1.0 and 2.0 - related parts of configuration xmls
+	 * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+	 * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+	 * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+	 * @param sessionStrategy sessionStrategy
+	 * @param openIDLoginElt the element from the xml file
+	 * @return the parsed filter as rootBeanDefinition
+	 */
+	private RootBeanDefinition parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt ) {
+		RootBeanDefinition openIDFilter;
+		FormLoginBeanDefinitionParser parser = new FormLoginBeanDefinitionParser(
+				"/login/openid", null,
+				OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS, requestCache,
+				sessionStrategy, allowSessionCreation, portMapper, portResolver);
+
+		parser.parse(openIDLoginElt, pc);
+		openIDFilter = parser.getFilterBean();
+		openIDEntryPoint = parser.getEntryPointBean();
+		openidLoginProcessingUrl = parser.getLoginProcessingUrl();
+		openIDLoginPage = parser.getLoginPage();
+
+		List<Element> attrExElts = DomUtils.getChildElementsByTagName(openIDLoginElt,
+				Elements.OPENID_ATTRIBUTE_EXCHANGE);
+
+		if (!attrExElts.isEmpty()) {
+			// Set up the consumer with the required attribute list
+			BeanDefinitionBuilder consumerBldr = BeanDefinitionBuilder
+					.rootBeanDefinition(OPEN_ID_CONSUMER_CLASS);
+			BeanDefinitionBuilder axFactory = BeanDefinitionBuilder
+					.rootBeanDefinition(OPEN_ID_ATTRIBUTE_FACTORY_CLASS);
+			ManagedMap<String, ManagedList<BeanDefinition>> axMap = new ManagedMap<>();
+
+			for (Element attrExElt : attrExElts) {
+				String identifierMatch = attrExElt.getAttribute("identifier-match");
+
+				if (!StringUtils.hasText(identifierMatch)) {
+					if (attrExElts.size() > 1) {
+						pc.getReaderContext().error(
+								"You must supply an identifier-match attribute if using more"
+										+ " than one "
+										+ Elements.OPENID_ATTRIBUTE_EXCHANGE
+										+ " element", attrExElt);
+					}
+					// Match anything
+					identifierMatch = ".*";
+				}
+
+				axMap.put(identifierMatch, parseOpenIDAttributes(attrExElt));
+			}
+			axFactory.addConstructorArgValue(axMap);
+
+			consumerBldr.addConstructorArgValue(axFactory.getBeanDefinition());
+			openIDFilter.getPropertyValues().addPropertyValue("consumer",
+					consumerBldr.getBeanDefinition());
+		}
+		return openIDFilter;
+	}
+
 	private ManagedList<BeanDefinition> parseOpenIDAttributes(Element attrExElt) {
 		ManagedList<BeanDefinition> attributes = new ManagedList<>();
 		for (Element attElt : DomUtils.getChildElementsByTagName(attrExElt,
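Review bot: An application that configures `<openid-login>` through the XML namespace gets no deprecation signal from this change, because `parseOpenIDFilter` carries only a Javadoc `@deprecated` tag on a private method and the compiler never sees XML configuration. Consider reporting it at parse time at the top of the method, for example `pc.getReaderContext().warning("openid-login is deprecated; migrate to OpenID Connect", openIDLoginElt);`. The Javadoc should also say that the method assigns `openIDEntryPoint`, `openidLoginProcessingUrl` and `openIDLoginPage` as a side effect, since only the filter bean is returned. The padded parentheses in `parseOpenIDFilter( BeanReference sessionStrategy, Element openIDLoginElt )` differ from the neighbouring `parseOpenIDAttributes(Element attrExElt)`.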

+ 2 - 2
config/src/main/resources/org/springframework/security/config/spring-security-5.4.rnc

@@ -615,7 +615,7 @@ opaque-token.attlist &=
     attribute introspector-ref {xsd:token}?
 
 openid-login =
-	## Sets up form login for authentication with an Open ID identity
+	## Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	element openid-login {form-login.attlist, user-service-ref?, attribute-exchange*}
 
 attribute-exchange =
@@ -627,7 +627,7 @@ attribute-exchange.attlist &=
 	attribute identifier-match {xsd:token}?
 
 openid-attribute =
-	## Attributes used when making an OpenID AX Fetch Request
+	## Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a> to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
 	element openid-attribute {openid-attribute.attlist}
 
 openid-attribute.attlist &=

+ 10 - 2
config/src/main/resources/org/springframework/security/config/spring-security-5.4.xsd

@@ -960,7 +960,11 @@
             <xs:element ref="security:oauth2-resource-server"/>
             <xs:element name="openid-login">
                <xs:annotation>
-                  <xs:documentation>Sets up form login for authentication with an Open ID identity
+                  <xs:documentation>Sets up form login for authentication with an Open ID identity. NOTE: The OpenID 1.0 and
+                2.0 protocols have been deprecated and users are &lt;a
+                href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
+                migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
+                supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
                 </xs:documentation>
                </xs:annotation>
                <xs:complexType>
@@ -1905,7 +1909,11 @@
   </xs:attributeGroup>
   <xs:element name="openid-attribute">
       <xs:annotation>
-         <xs:documentation>Attributes used when making an OpenID AX Fetch Request
+         <xs:documentation>Attributes used when making an OpenID AX Fetch Request. NOTE: The OpenID 1.0 and 2.0
+                protocols have been deprecated and users are &lt;a
+                href="https://openid.net/specs/openid-connect-migration-1_0.html"&gt;encouraged to
+                migrate&lt;/a&gt; to &lt;a href="https://openid.net/connect/"&gt;OpenID Connect&lt;/a&gt;, which is
+                supported by &lt;code&gt;spring-security-oauth2&lt;/code&gt;.
                 </xs:documentation>
       </xs:annotation>
       <xs:complexType>

+ 1 - 1
docs/articles/src/docbook/codebase-structure.xml

@@ -146,7 +146,7 @@
 								<entry valign="middle">spring-security-openid</entry>
 								<entry>OpenID web authentication support.</entry>
 								<entry>If you need to authenticate users against an external OpenID
-									server.</entry>
+									server. (Deprecated)</entry>
 								<entry><literal>org.springframework.security.openid</literal></entry>
 							</row>
 						</tbody>

+ 3 - 0
docs/manual/src/docs/asciidoc/_includes/about/modules.adoc

@@ -102,6 +102,9 @@ The top-level package is `org.springframework.security.cas`.
 
 [[spring-security-openid]]
 == OpenID -- `spring-security-openid.jar`
+[NOTE]
+The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
+
 This module contains OpenID web authentication support.
 It is used to authenticate users against an external OpenID server.
 The top-level package is `org.springframework.security.openid`.

+ 4 - 0
docs/manual/src/docs/asciidoc/_includes/servlet/authentication/openid.adoc

@@ -1,5 +1,9 @@
 [[servlet-openid]]
 == OpenID Support
+
+[NOTE]
+The OpenID 1.0 and 2.0 protocols have been deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.
+
 The namespace supports https://openid.net/[OpenID] login either instead of, or in addition to normal form-based login, with a simple change:
 
 [source,xml]

+ 4 - 0
openid/spring-security-openid.gradle

@@ -1,3 +1,7 @@
+// NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+// <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+// to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+
 apply plugin: 'io.spring.convention.spring-module'
 
 dependencies {

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/AuthenticationCancelledException.java

@@ -20,6 +20,9 @@ import org.springframework.security.core.AuthenticationException;
 /**
  * Indicates that OpenID authentication was cancelled
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class AuthenticationCancelledException extends AuthenticationException {

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/AxFetchListFactory.java

@@ -24,6 +24,9 @@ import java.util.List;
  * This allows the list of attributes for a fetch request to be tailored for different
  * OpenID providers, since they do not all support the same attributes.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/NullAxFetchListFactory.java

@@ -19,6 +19,9 @@ import java.util.Collections;
 import java.util.List;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenID4JavaConsumer.java

@@ -41,6 +41,9 @@ import org.openid4java.message.ax.FetchResponse;
 import org.springframework.util.StringUtils;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Ray Krueger
  * @author Luke Taylor
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAttribute.java

@@ -27,6 +27,9 @@ import org.springframework.util.Assert;
  * should be requested during a fetch request, or to hold values for an attribute which
  * are returned during the authentication process.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.0
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationFilter.java

@@ -59,6 +59,9 @@ import java.util.*;
  * where it should (normally) be processed by an <tt>OpenIDAuthenticationProvider</tt> in
  * order to load the authorities for the user.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley
  * @author Ray Krueger
  * @author Luke Taylor

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationProvider.java

@@ -44,6 +44,9 @@ import org.springframework.util.Assert;
  * {@code Authentication} token, so additional properties such as email addresses,
  * telephone numbers etc can easily be stored.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley, Opsera Ltd.
  * @author Luke Taylor
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationStatus.java

@@ -18,6 +18,9 @@ package org.springframework.security.openid;
 /**
  * Authentication status codes, based on JanRain status codes
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author JanRain Inc.
  * @author Robin Bramley, Opsera Ltd
  * @author Luke Taylor

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDAuthenticationToken.java

@@ -26,6 +26,9 @@ import org.springframework.security.core.SpringSecurityCoreVersion;
 /**
  * OpenID Authentication Token
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley
  */
 public class OpenIDAuthenticationToken extends AbstractAuthenticationToken {

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDConsumer.java

@@ -20,6 +20,9 @@ import javax.servlet.http.HttpServletRequest;
 /**
  * An interface for OpenID library implementations
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Ray Krueger
  * @author Robin Bramley, Opsera Ltd
  */

+ 3 - 0
openid/src/main/java/org/springframework/security/openid/OpenIDConsumerException.java

@@ -18,6 +18,9 @@ package org.springframework.security.openid;
 /**
  * Thrown by an OpenIDConsumer if it cannot process a request
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class OpenIDConsumerException extends Exception {

+ 3 - 1
openid/src/main/java/org/springframework/security/openid/RegexBasedAxFetchListFactory.java

@@ -22,7 +22,9 @@ import java.util.Map;
 import java.util.regex.Pattern;
 
 /**
- *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

+ 6 - 2
openid/src/main/java/org/springframework/security/openid/package.html

@@ -1,5 +1,9 @@
 <html>
 <body>
-Authenticates standard web browser users via <a href="https://openid.net">OpenID</a>.
+<p>Authenticates standard web browser users via <a href="https://openid.net">OpenID</a>.</p>
+
+<p>NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+    <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+    to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.</p>
 </body>
-</html>
+</html>

+ 3 - 3
openid/src/test/java/org/springframework/security/openid/MockOpenIDConsumer.java

@@ -15,12 +15,12 @@
  */
 package org.springframework.security.openid;
 
-import org.springframework.security.openid.OpenIDAuthenticationToken;
-import org.springframework.security.openid.OpenIDConsumer;
-
 import javax.servlet.http.HttpServletRequest;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class MockOpenIDConsumer implements OpenIDConsumer {

+ 3 - 0
openid/src/test/java/org/springframework/security/openid/OpenID4JavaConsumerTests.java

@@ -40,6 +40,9 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import java.util.*;
 
 /**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  */
 public class OpenID4JavaConsumerTests {

+ 5 - 0
openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationFilterTests.java

@@ -31,6 +31,11 @@ import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 public class OpenIDAuthenticationFilterTests {
 
 	OpenIDAuthenticationFilter filter;

+ 3 - 0
openid/src/test/java/org/springframework/security/openid/OpenIDAuthenticationProviderTests.java

@@ -35,6 +35,9 @@ import org.springframework.security.core.userdetails.UserDetailsService;
 /**
  * Tests {@link OpenIDAuthenticationProvider}
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ * <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ * to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Robin Bramley, Opsera Ltd
  */
 public class OpenIDAuthenticationProviderTests {

+ 4 - 0
openid/src/test/resources/logback-test.xml

@@ -1,3 +1,7 @@
+<!-- NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>. -->
+
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>

+ 3 - 0
samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/MessageSecurityWebApplicationInitializer.java

@@ -20,6 +20,9 @@ import org.springframework.security.web.context.AbstractSecurityWebApplicationIn
 /**
  * No customizations of {@link AbstractSecurityWebApplicationInitializer} are necessary.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Rob Winch
  */
 public class MessageSecurityWebApplicationInitializer extends

+ 5 - 0
samples/javaconfig/openid/src/main/java/org/springframework/security/samples/config/SecurityConfig.java

@@ -20,6 +20,11 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.samples.security.CustomUserDetailsService;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 	// @formatter:off

+ 5 - 0
samples/javaconfig/openid/src/main/java/org/springframework/security/samples/mvc/UserController.java

@@ -21,6 +21,11 @@ import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 @Controller
 @RequestMapping("/user/")
 public class UserController {

+ 6 - 1
samples/javaconfig/openid/src/main/java/org/springframework/security/samples/security/CustomUserDetailsService.java

@@ -22,6 +22,11 @@ import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.openid.OpenIDAuthenticationToken;
 
+/**
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+ */
 public class CustomUserDetailsService implements
 		AuthenticationUserDetailsService<OpenIDAuthenticationToken> {
 	public UserDetails loadUserDetails(OpenIDAuthenticationToken token)
@@ -29,4 +34,4 @@ public class CustomUserDetailsService implements
 		return new User(token.getName(), "",
 				AuthorityUtils.createAuthorityList("ROLE_USER"));
 	}
-}
+}

+ 6 - 1
samples/javaconfig/openid/src/main/resources/views/login.html

@@ -7,6 +7,11 @@
   <body th:include="layout :: body" th:with="content=~{::content}">
      <div th:fragment="content">
         <form name="f" th:action="@{/login/openid}" method="post" id="openid_form">
+            <p><strong>
+                NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+                <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+                to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+            </strong></p>
             <input type="hidden" name="action" value="verify" />
 	        <fieldset>
                 <legend>Sign-in or Create New Account</legend>
@@ -43,4 +48,4 @@
     </script>
     </div>
   </body>
-</html>
+</html>

+ 3 - 0
samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetails.java

@@ -23,6 +23,9 @@ import org.springframework.security.core.userdetails.User;
 /**
  * Customized {@code UserDetails} implementation.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

+ 3 - 0
samples/xml/openid/src/main/java/org/springframework/security/samples/openid/CustomUserDetailsService.java

@@ -32,6 +32,9 @@ import org.springframework.security.openid.OpenIDAuthenticationToken;
  * Custom UserDetailsService which accepts any OpenID user, "registering" new users in a
  * map so they can be welcomed back to the site on subsequent logins.
  *
+ * @deprecated The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+ *  <a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+ *  to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
  * @author Luke Taylor
  * @since 3.1
  */

+ 4 - 0
samples/xml/openid/src/main/resources/logback.xml

@@ -1,3 +1,7 @@
+<!-- NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>. -->
+
 <configuration>
 	<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
 	<encoder>

+ 6 - 0
samples/xml/openid/src/main/webapp/index.jsp

@@ -6,6 +6,12 @@
 
 <h1>OpenID Sample Home Page</h1>
 
+<p><strong>
+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+</strong></p>
+
 <sec:authentication property='principal.newUser' var='isNew' />
 <p>
 Welcome<c:if test="${!isNew}"> back,</c:if> <sec:authentication property='principal.name' />!

+ 6 - 0
samples/xml/openid/src/main/webapp/openidlogin.jsp

@@ -29,6 +29,12 @@
 
 <body>
 
+<p><strong>
+NOTE: The OpenID 1.0 and 2.0 protocols have been deprecated and users are
+<a href="https://openid.net/specs/openid-connect-migration-1_0.html">encouraged to migrate</a>
+to <a href="https://openid.net/connect/">OpenID Connect</a>, which is supported by <code>spring-security-oauth2</code>.
+</strong></p>
+
 <c:if test="${not empty param.login_error}">
   <font color="red">
     Your login attempt was not successful, try again.<br/><br/>