spring-security/docs/modules/ROOT/pages/servlet/authentication/openid.adoc

[[servlet-openid]]
= OpenID Support

[NOTE]
====
The OpenID 1.0 and 2.0 protocols have been deprecated. You should migrate to OpenID Connect, which is supported by `spring-security-oauth2`.
====

The namespace supports https://openid.net/[OpenID] login either instead of or in addition to normal form-based login, with a simple change:

====
[source,xml]
----
<http>
<intercept-url pattern="/**" access="ROLE_USER" />
<openid-login />
</http>
----
====

You should then register yourself with an OpenID provider (such as myopenid.com), and add the user information to your in-memory `<user-service>`:

====
[source,xml]
----
<user name="https://jimi.hendrix.myopenid.com/" authorities="ROLE_USER" />
----
====

You should be able to login by using the `myopenid.com` site to authenticate.
You can also select a specific `UserDetailsService` bean for use with OpenID by setting the `user-service-ref` attribute on the `openid-login` element.
Note that we have omitted the password attribute from the above user configuration, since this set of user data is being used only to load the authorities for the user.
A random password is generated internally, preventing you from accidentally using this user data as an authentication source elsewhere in your configuration.


== Attribute Exchange
Spring Security includes support for OpenID https://openid.net/specs/openid-attribute-exchange-1_0.html[attribute exchange].
As an example, the following configuration tries to retrieve the email and full name from the OpenID provider for use by the application:

====
[source,xml]
----
<openid-login>
<attribute-exchange>
	<openid-attribute name="email" type="https://axschema.org/contact/email" required="true"/>
	<openid-attribute name="name" type="https://axschema.org/namePerson"/>
</attribute-exchange>
</openid-login>
----
====

The "`type`" of each OpenID attribute is a URI, determined by a particular schema -- in this case, https://axschema.org/[https://axschema.org/].
If an attribute must be retrieved for successful authentication, you can set the `required` attribute.
The exact schema and attributes supported depend on your OpenID provider.
The attribute values are returned as part of the authentication process and can be accessed afterwards by using the following code:

====
[source,java]
----
OpenIDAuthenticationToken token =
	(OpenIDAuthenticationToken)SecurityContextHolder.getContext().getAuthentication();
List<OpenIDAttribute> attributes = token.getAttributes();
----
====

We can obtain the `OpenIDAuthenticationToken` from the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontextholder[SecurityContextHolder].
The `OpenIDAttribute` contains the attribute type and the retrieved value (or values in the case of multi-valued attributes).
You can supply multiple `attribute-exchange` elements by using an `identifier-matcher` attribute on each element.
This contains a regular expression that is matched against the OpenID identifier supplied by the user.
See the OpenID sample application in the codebase for an example configuration, providing different attribute lists for the Google, Yahoo and MyOpenID providers.