Conversation


@juergmar juergmar commented Jul 15, 2025

Summary

This PR adds comprehensive SSL/TLS support for JVM implementations of the Kotlin Multiplatform OIDC library, including:

🛠️ Core SSL API Enhancement

  • Add JvmSslConfigurer with enhanced HTTP client SSL configuration
  • Introduce flexible SslConfig data classes for SSL setup
  • Create SslEnabledOpenIdConnectClient wrapper for SSL-aware clients
  • Add fluent OpenIdConnectClientBuilder with SSL configuration API
  • Support custom trust stores, certificate sources, and SSL contexts

📱 Complete Sample Application

  • New desktop-app-with-ssl sample with Compose UI demonstrating SSL scenarios
  • Docker setup with Keycloak integration for testing
  • Automated certificate generation scripts for development
  • Multiple SSL configuration screens (Self-signed, Resources, File-based)
  • OAuth flow testing with various SSL certificate sources

📚 Comprehensive Documentation

  • 700+ line SSL_EXAMPLES.md with detailed usage examples and setup guides
  • Updated README with SSL feature documentation
  • Certificate management and troubleshooting guides
  • Docker integration examples and security considerations

Breaking Changes

  • Removed ACME/Let's Encrypt certificate support (was complex and rarely used)
  • Simplified SSL certificate source factory patterns

Test Plan

  • SSL sample application builds and runs successfully
  • OAuth flows work with self-signed certificates
  • Resource-based certificate loading functions correctly
  • File-based certificate sources work as expected
  • Docker setup with Keycloak integration operational
  • All existing tests pass

This implementation focuses on practical SSL use cases while maintaining the library's ease of use and multiplatform compatibility. It's still experimental.

- Remove complex ACME implementation and factory patterns
- Simplify certificate source management
- Streamline JVM authentication flow without ACME dependencies
- Remove SslWebserverFactory in favor of direct SSL webserver usage
- Clean up certificate utilities to focus on core functionality
- Add JvmSslConfigurer with enhanced HTTP client SSL configuration
- Introduce SslConfig data classes for flexible SSL setup
- Create SslEnabledOpenIdConnectClient wrapper for SSL-aware clients
- Add OpenIdConnectClientBuilder with fluent SSL configuration API
- Extend OpenIdConnectClientConfig with SSL configuration extensions
- Support custom trust stores, certificate sources, and SSL contexts
- Create desktop-app-with-ssl sample with Compose UI demonstrating SSL scenarios
- Implement multiple SSL configuration screens (Self-signed, Resources, File-based)
- Add complete Docker setup with Keycloak integration and certificate management
- Include automated certificate generation scripts for development
- Provide comprehensive shell scripts for quick environment setup and reset
- Add reference documentation and SSL certificate management guides
- Support OAuth flow testing with various SSL certificate sources
- Include debug logging and state management for SSL troubleshooting
- Add SSL_EXAMPLES.md with detailed usage examples and setup guides
- Update README.md with SSL feature documentation and quick start
- Add SSL-related dependencies to gradle/libs.versions.toml
- Update .gitignore for SSL sample app artifacts and certificates
- Document HTTP client SSL configuration patterns
- Provide certificate management and troubleshooting guides
- Include Docker integration examples and security considerations
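The bullet points above mention support for custom trust stores and SSL contexts on the JVM. The following is an added example, not code from this PR or the library, showing the underlying JDK pattern: load a corporate CA bundle from a PEM file (assumed path `certs/internal-ca.pem`), build an in-memory trust store that contains only CA certificates, and derive an `SSLContext` that trusts that store alone rather than a trust-all manager.

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

/** Parses every certificate in a PEM bundle (the corporate CA file; path is an assumption). */
fun loadPemCertificates(pemFile: File): List<X509Certificate> {
    val factory = CertificateFactory.getInstance("X.509")
    return pemFile.inputStream().use { input ->
        factory.generateCertificates(input).map { it as X509Certificate }
    }
}

/** Builds an in-memory trust store holding only the supplied CA certificates. */
fun buildTrustStore(cas: List<X509Certificate>): KeyStore {
    // An empty store would make every handshake fail; fail loudly instead of silently.
    require(cas.isNotEmpty()) { "refusing to build an empty trust store" }
    val store = KeyStore.getInstance(KeyStore.getDefaultType()).apply { load(null, null) }
    cas.forEachIndexed { index, ca ->
        // basicConstraints is -1 for end-entity certificates; only real CAs belong in a trust store.
        require(ca.basicConstraints >= 0) { "${ca.subjectX500Principal} is not a CA certificate" }
        store.setCertificateEntry("internal-ca-$index", ca)
    }
    return store
}

/** Derives an SSLContext whose trust manager validates peers against the custom store only. */
fun sslContextFor(trustStore: KeyStore): SSLContext {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(trustStore)
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().single()
    // No key managers: this context is for a client that verifies the server, not mutual TLS.
    return SSLContext.getInstance("TLS").apply { init(null, arrayOf(trustManager), null) }
}

fun main() {
    val cas = loadPemCertificates(File("certs/internal-ca.pem")) // assumed path
    val context = sslContextFor(buildTrustStore(cas))
    cas.forEach { println("trusting issuer: ${it.subjectX500Principal}") }
    println("protocol: ${context.protocol}")
}
```

The resulting `SSLContext` (or its `X509TrustManager`) is what an HTTP client engine on the JVM would be handed; the JDK's default trust store is deliberately not merged in, so only the internal CA can issue certificates this client accepts.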
@juergmar juergmar changed the title Add comprehensive SSL support for JVM OpenID Connect clients Add comprehensive SSL support for JVM OpenID Connect clients (Please Dont Merge) Jul 15, 2025
@juergmar juergmar changed the title Add comprehensive SSL support for JVM OpenID Connect clients (Please Dont Merge) Add comprehensive SSL support for JVM OpenID Connect clients (Please Dont Merge - Just Review) Jul 15, 2025
@juergmar juergmar marked this pull request as draft July 15, 2025 10:49
@juergmar
Author

Any opinions? @kalinjul

@kalinjul
Owner

Hi, thanks for all your work!
From what I understand, you implemented SSL support for the embedded desktop web browser.
I guess it is required for some IDP that does not accept http redirect URIs?
Can you explain your use case?

This is a rather large PR and I'm not sure when I will find the time to go through it.

@juergmar
Author

Hi! Thanks for taking a look at this PR. You're absolutely right about the size - I understand it's a lot to review.

Primary Use Case: Enterprise environments where IDPs require HTTPS redirect URIs for security compliance. Many corporate identity providers (especially those following strict security policies) reject HTTP redirect URIs entirely, making the current HTTP-only embedded webserver unusable.

Specific Problem:

Secondary Use Cases:

  1. Custom Certificates: Corporate environments with internal CAs that need custom trust stores
  2. Mutual TLS: Some IDPs require client certificates for authentication
  3. Security Compliance: Policies that forbid HTTP in OAuth flows entirely

Size Concern: I completely understand the maintenance burden. Would you prefer I break this into smaller PRs? I could start with just:

  1. Basic HTTPS webserver support
  2. Self-signed certificate generation
  3. Simple trust store configuration

The comprehensive sample app and documentation could come later.

No rush - I know you're busy - we all are.

@kalinjul
Owner

Alright, thanks for explaining.
About the client configuration part, is this "just" for your secondary use cases?

What is your strategy in production?
As far as I understand, you will need to have a client certificate which will be delivered together with your application, so it can be used when hosting the embedded redirect webserver. This certificate would then be public, as it is inside the client app, so it is somewhat useless.
Alternatively, the certificate can be generated and self-signed on the fly (I think you also implemented this).
But the browser will not trust these certificates, right?

And: Am I correct to assume that using https in this context is not about actual security?
