+1 Thanks for the update and transparency.

On Thu, Jul 31, 2025 at 3:25 PM VICTOR MANUEL ROMERO RODRIGUEZ <victor.rom...@fintecheando.mx> wrote:
> Hello Adam,
>
> I agree with this change.
>
> Regards
>
> Victor Romero
>
> On Wed, Jul 30, 2025 at 6:17, Ádám Sághy (<adamsa...@gmail.com>) wrote:
>
>> Hi dear Fineract community,
>>
>> As part of FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>, I'd like to share some exciting plans regarding the upcoming revamp of our OAuth functionality, which is currently outdated and based on deprecated components.
>>
>> We are working to replace the existing custom OAuth code with modern, Spring-based solutions that support OAuth 2.1 and PKCE. Our approach will leverage the following Spring modules:
>>
>> - *Resource server*: spring-boot-starter-oauth2-resource-server
>> - *OAuth2 client*: spring-boot-starter-oauth2-client
>> - *Authorization server* (drop-in default): spring-boot-starter-oauth2-authorization-server
>>
>> Default Behavior
>>
>> By default, Fineract will act as both:
>>
>> - An *authorization server*, and
>> - A *resource server*
>>
>> However, this default setup will be configurable. You'll be able to disable the built-in authorization server and instead integrate with third-party solutions such as Keycloak or any other OAuth-compliant provider.
>>
>> Having a default authorization server ensures that Fineract can run standalone without relying on external tools to support the full OAuth flow.
>>
>> We will configure OAuth 2.1 with PKCE in a way that fits well into the Fineract architecture and provides strong security by default.
>>
>> - 📖 More about this flow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce
>> - 🧭 Example flow diagram: [image: PKCE flow]
>>
>> ------------------------------
>> Phase 1 Deliverables
>>
>> We aim to complete the following in the first phase:
>>
>> - Remove custom OAuth components (e.g. OauthAuthenticationProvider, etc.)
>> - Remove outdated and unmaintained Apache Oltu dependencies
>> - Integrate a minimal Spring Authorization Server configuration (as a default part of Fineract)
>> - Support *OAuth 2.1 Authorization Code flow with PKCE*
>> - Provide a minimal login page to authenticate users using: *tenant identifier + username + password*
>>
>> ------------------------------
>> Authentication Details
>>
>> - During authorization, when Fineract acts as the *authorization server*, the m_appuser table will be queried to validate credentials.
>> - The resulting access token will include both the *tenant identifier* and *username*.
>> - When Fineract acts as a *resource server*, it will validate the token and resolve the authenticated user by looking up the relevant AppUser in the database.
>> - *Roles and permissions* will (for now) continue to be handled internally by Fineract based on the logged-in user and tenant context.
>>
>> For full context and tracking, please see the related JIRA tickets:
>>
>> - FINERACT-1908 <https://issues.apache.org/jira/browse/FINERACT-1908>
>> - FINERACT-1984 <https://issues.apache.org/jira/browse/FINERACT-1984>
>>
>> Looking forward to your feedback, thoughts, and any suggestions you may have!
>>
>> Best regards,
>>
>> Adam
>
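As an added illustration (not part of the thread above, and not Fineract or Spring Authorization Server code), the following Python simulation walks through the Authorization Code + PKCE (RFC 7636) exchange that the proposal describes: the client derives a code_challenge from a random code_verifier, the authorization server validates tenant + username + password against a stand-in for the m_appuser table and binds the challenge to a single-use authorization code, the token endpoint only releases a token when the S256 hash of the presented verifier matches, and the resource server validates the token and resolves the AppUser from the tenant and username claims. The in-memory USERS dict, the HMAC-signed token format and the shared signing key are assumptions for the sake of an offline example; a real deployment would issue a JWT validated by the resource server through the authorization server's JWK set.

```python
"""Constructed simulation of OAuth 2.1 Authorization Code + PKCE (RFC 7636).

Not Fineract or Spring code. USERS stands in for m_appuser, and the token is a
hypothetical HMAC-signed blob rather than the JWT a real authorization server
would issue. Everything here runs offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_code_verifier() -> str:
    """RFC 7636 4.1: 32 random octets encode to 43 unreserved characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


# Constructed stand-in for m_appuser: (tenant identifier, username) -> password hash.
USERS = {
    ("default", "mifos"): hashlib.sha256(b"password").hexdigest(),
}


class AuthorizationServer:
    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.pending = {}  # authorization code -> (code_challenge, tenant, username)

    def authorize(self, tenant, username, password, code_challenge, method="S256"):
        """Login page step: validate tenant + username + password, bind the challenge."""
        if method != "S256":  # OAuth 2.1 expects S256; "plain" is refused here
            raise ValueError("unsupported code_challenge_method")
        stored = USERS.get((tenant, username))
        given = hashlib.sha256(password.encode()).hexdigest()
        if stored is None or not hmac.compare_digest(stored, given):
            raise PermissionError("invalid credentials")
        code = secrets.token_urlsafe(24)
        self.pending[code] = (code_challenge, tenant, username)
        return code

    def token(self, code, code_verifier):
        """Token endpoint: the code is single use and must prove the verifier."""
        entry = self.pending.pop(code, None)
        if entry is None:
            raise PermissionError("invalid_grant: unknown or reused code")
        challenge, tenant, username = entry
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            raise PermissionError("invalid_grant: PKCE verification failed")
        claims = {"tenant": tenant, "sub": username, "exp": int(time.time()) + 300}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return b64url(payload) + "." + b64url(sig)


class ResourceServer:
    def __init__(self, signing_key: bytes):
        self.key = signing_key

    def resolve_user(self, token):
        """Validate the token, then resolve the AppUser from tenant + username."""
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise PermissionError("invalid token signature")
        claims = json.loads(payload)
        if claims["exp"] < time.time():
            raise PermissionError("token expired")
        if (claims["tenant"], claims["sub"]) not in USERS:
            raise PermissionError("no such AppUser")
        return claims["tenant"], claims["sub"]


def run_flow(password="password", tamper_verifier=False):
    """Full exchange; returns (tenant, username) or None if PKCE fails."""
    key = secrets.token_bytes(32)
    auth, res = AuthorizationServer(key), ResourceServer(key)
    verifier = make_code_verifier()
    code = auth.authorize("default", "mifos", password, code_challenge_s256(verifier))
    if tamper_verifier:  # an attacker who stole the code but not the verifier
        verifier = make_code_verifier()
    try:
        token = auth.token(code, verifier)
    except PermissionError:
        return None
    return res.resolve_user(token)


if __name__ == "__main__":
    print(run_flow())                      # ('default', 'mifos')
    print(run_flow(tamper_verifier=True))  # None
```

The two PermissionError paths in `token` are the point of PKCE: an intercepted authorization code is useless without the verifier that only the originating client holds, and popping the code from `pending` makes replay fail even with the right verifier.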