Congratulations, Csenge! Looking forward to more contributions!!!

On Fri, Sep 12, 2025 at 3:13 AM James Dailey <[email protected]> wrote:

> +1
> This is long anticipated and I look forward to seeing it used.
>
> On Thu, Sep 11, 2025 at 6:28 AM Mihaly Dallos <[email protected]> wrote:
>
>> Fantastic news!
>> Thank you, Adam, Csenge!
>>
>> On Thu, Sep 11, 2025 at 1:45 PM Paul <[email protected]> wrote:
>>
>>> 🔥👍🔥
>>>
>>> This is awesome! Thanks
>>> Paul
>>>
>>> On Thu, Sep 11, 2025 at 5:53 AM Ádám Sághy <[email protected]> wrote:
>>>
>>>> Dear Fineract Community,
>>>>
>>>> We are pleased to share that the first stage of implementing OAuth 2.1 with PKCE in Fineract has been completed. A special thanks goes to *Csenge Soti*, who carried out the majority of the implementation.
>>>>
>>>> *Kindly review the following PR:*
>>>> https://github.com/apache/fineract/pull/5028
>>>>
>>>> *Key changes included in this PR:*
>>>> • Removal of custom OAuth components (e.g., OauthAuthenticationProvider)
>>>> • Removal of outdated and unmaintained Apache Oltu dependencies
>>>> • Integration of a minimal Spring Authorization Server configuration as a default part of Fineract
>>>> • Support for OAuth 2.1 Authorization Code flow with PKCE
>>>> • Introduction of a minimal login page, allowing authentication via tenant identifier, username, and password
>>>>
>>>> *Additional improvements delivered in this stage:*
>>>> • Removal of the deprecated InsecureTwoFactorFilter workaround
>>>> • Alignment of filters and features previously available only for HTTP Basic authentication, including:
>>>>   • Geolocation filter
>>>>   • Loan COB filter
>>>>   • Business date filter
>>>>   • Idempotency filter
>>>>   • Correlation ID filter
>>>>
>>>> *Potential next steps:*
>>>> • Introduce further configuration and extensibility options, such as:
>>>>   • CSRF and CORS settings
>>>>   • Third-party authorization server support
>>>>   • Confidential client authentication
>>>>   • Potential OpenID support
>>>>
>>>> We would be happy to collaborate with and welcome contributions from the community on these next items. Your feedback, ideas, and participation will be invaluable in shaping the continued development of OAuth 2.1 support in Fineract.
>>>>
>>>> Regards,
>>>> Adam
>>>>
>>>> Sent from my iPhone
>>>>
>>>> On 30 Jul 2025, at 14:16, Ádám Sághy <[email protected]> wrote:
>>>>
>>>> Hi dear Fineract community,
>>>>
>>>> As part of FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>, I'd like to share some exciting plans regarding the upcoming revamp of our OAuth functionality, which is currently outdated and based on deprecated components.
>>>>
>>>> We are working to replace the existing custom OAuth code with modern, Spring-based solutions that support OAuth 2.1 and PKCE. Our approach will leverage the following Spring modules:
>>>>
>>>> - *Resource server*: spring-boot-starter-oauth2-resource-server
>>>> - *OAuth2 client*: spring-boot-starter-oauth2-client
>>>> - *Authorization server* (drop-in default): spring-boot-starter-oauth2-authorization-server
>>>>
>>>> Default Behavior
>>>>
>>>> By default, Fineract will act as both:
>>>>
>>>> - An *authorization server*, and
>>>> - A *resource server*
>>>>
>>>> However, this default setup will be configurable. You'll be able to disable the built-in authorization server and instead integrate with third-party solutions such as Keycloak or any other OAuth-compliant provider.
>>>>
>>>> Having a default authorization server ensures that Fineract can run standalone without relying on external tools to support the full OAuth flow.
>>>>
>>>> We will configure OAuth 2.1 with PKCE in a way that fits well into the Fineract architecture and provides strong security by default.
>>>>
>>>> - 📖 More about this flow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
>>>> - 🧭 Example flow diagram: [image: PKCE flow]
>>>>
>>>> ------------------------------
>>>> Phase 1 Deliverables
>>>>
>>>> We aim to complete the following in the first phase:
>>>>
>>>> - Remove custom OAuth components (e.g. OauthAuthenticationProvider, etc.)
>>>> - Remove outdated and unmaintained Apache Oltu dependencies
>>>> - Integrate a minimal Spring Authorization Server configuration (as a default part of Fineract)
>>>> - Support *OAuth 2.1 Authorization Code flow with PKCE*
>>>> - Provide a minimal login page to authenticate users using: *tenant identifier + username + password*
>>>>
>>>> ------------------------------
>>>> Authentication Details
>>>>
>>>> - During authorization, when Fineract acts as the *authorization server*, the m_appuser table will be queried to validate credentials.
>>>> - The resulting access token will include both the *tenant identifier* and *username*.
>>>> - When Fineract acts as a *resource server*, it will validate the token and resolve the authenticated user by looking up the relevant AppUser in the database.
>>>> - *Roles and permissions* will (for now) continue to be handled internally by Fineract based on the logged-in user and tenant context.
>>>>
>>>> For full context and tracking, please see the related JIRA tickets:
>>>>
>>>> - FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>
>>>> - FINERACT-1984 <https://issues.apache.org/jira/browse/FINERACT-1984>
>>>>
>>>> Looking forward to your feedback, thoughts, and any suggestions you may have!
>>>>
>>>> Best regards,
>>>>
>>>> Adam
>>>
>>> --
>>> Paul
>>
>> --
>> Mihaly
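The authorization code + PKCE exchange the thread describes (client-side code_verifier and S256 code_challenge, a code issued after tenant + username + password login and bound to the challenge, a token exchange that checks the verifier, an access token carrying tenant identifier and username, and a resource-server side that verifies the token and resolves the app user record before authorization is decided), as an added example that is not part of the thread and not Fineract or Spring Authorization Server code. It is a self-contained Python toy: the in-memory server, the HMAC-signed JSON token standing in for a JWT, the S256-only policy, the sample users, role data and client registration are all assumptions made for the example; the RFC 7636 Appendix B test vector is used to check the challenge derivation.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes -> 43-char verifier (RFC 7636 section 4.1 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthError(Exception):
    """Carries the OAuth error code the server would return."""


@dataclass
class PendingCode:
    client_id: str
    redirect_uri: str
    code_challenge: str
    tenant: str
    username: str
    expires_at: float


class ToyAuthorizationServer:
    """Hypothetical in-memory authorization server (not Fineract's).

    authorize(): checks tenant + username + password and issues a one-time code bound to
    client_id, redirect_uri and the PKCE challenge.  token(): redeems the code only if the
    presented code_verifier hashes to the stored challenge.  Tokens are HMAC-signed JSON
    rather than JWTs purely to keep the example dependency-free.
    """

    CODE_TTL = 60  # seconds; a short lifetime limits replay of a leaked code

    def __init__(self, users: dict, clients: dict, signing_key: bytes):
        self._users = users      # {(tenant, username): password}, constructed sample data
        self._clients = clients  # {client_id: set of registered redirect URIs}
        self._codes = {}
        self._key = signing_key

    def authorize(self, client_id, redirect_uri, code_challenge, code_challenge_method,
                  tenant, username, password) -> str:
        if redirect_uri not in self._clients.get(client_id, set()):
            raise AuthError("invalid_request: unregistered client or redirect_uri")
        # Policy choice for this example: accept S256 only, never the "plain" method.
        if code_challenge_method != "S256" or len(code_challenge) != 43:
            raise AuthError("invalid_request: S256 code_challenge required")
        expected = self._users.get((tenant, username), "")
        if not expected or not hmac.compare_digest(expected, password):
            raise AuthError("access_denied")
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(client_id, redirect_uri, code_challenge,
                                        tenant, username, time.time() + self.CODE_TTL)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier) -> str:
        pending = self._codes.pop(code, None)  # pop: a code is redeemable exactly once
        if pending is None or time.time() > pending.expires_at:
            raise AuthError("invalid_grant: unknown, used or expired code")
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise AuthError("invalid_grant: code issued to another client/redirect_uri")
        if not 43 <= len(code_verifier) <= 128:
            raise AuthError("invalid_grant: code_verifier length out of range")
        if not hmac.compare_digest(code_challenge_s256(code_verifier), pending.code_challenge):
            raise AuthError("invalid_grant: PKCE verification failed")
        claims = {"tenant": pending.tenant, "sub": pending.username, "exp": int(time.time()) + 3600}
        payload = b64url(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
        tag = b64url(hmac.new(self._key, payload.encode("ascii"), hashlib.sha256).digest())
        return f"{payload}.{tag}"


def resource_server_principal(token: str, signing_key: bytes, app_users: dict) -> tuple:
    """Resource-server role: verify the token, then resolve (tenant, username) to the stored
    user record, since roles and permissions are still decided from that record."""
    payload, _, tag = token.partition(".")
    good = b64url(hmac.new(signing_key, payload.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(good, tag):
        raise AuthError("invalid_token: bad signature")
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["exp"] < time.time():
        raise AuthError("invalid_token: expired")
    key = (claims["tenant"], claims["sub"])
    if key not in app_users:
        raise AuthError("invalid_token: no such app user")
    return key, app_users[key]


SIGNING_KEY = secrets.token_bytes(32)
USERS = {("default", "alice"): "s3cret-example"}        # constructed sample credentials
APP_USERS = {("default", "alice"): ["READ_CLIENT"]}      # constructed sample role data
CLIENTS = {"web-app": {"http://localhost:8080/callback"}}  # constructed registration


def run_flow(verifier_for_token=None, method="S256"):
    """Whole exchange; returns the principal the resource server resolves.
    verifier_for_token lets a caller present a wrong verifier to see the rejection."""
    srv = ToyAuthorizationServer(USERS, CLIENTS, SIGNING_KEY)
    verifier = new_code_verifier()
    code = srv.authorize("web-app", "http://localhost:8080/callback", code_challenge_s256(verifier),
                         method, "default", "alice", "s3cret-example")
    token = srv.token("web-app", "http://localhost:8080/callback", code, verifier_for_token or verifier)
    return resource_server_principal(token, SIGNING_KEY, APP_USERS)


if __name__ == "__main__":
    print(run_flow())
```

The two checks worth noticing are that the code is popped on first use (a replayed code fails as invalid_grant even with the right verifier) and that the verifier is compared through its S256 hash with a constant-time comparison, so an attacker who intercepts only the authorization code cannot redeem it.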
