FINERACT-2616: OIDC Federation support for IdP by alberto-art3ch · Pull Request #5883 · apache/fineract

alberto-art3ch · 2026-05-24T01:54:25Z

Description

We are adding a complete OIDC (OpenID Connect) Federation layer for Apache Fineract, enabling integration with external Identity Providers (Keycloak, Google, Azure AD, Okta, Auth0) without replacing the existing Basic Auth mechanism.

OidcFederationSecurityConfig — New Spring Security filter chain (@order(100)) active only when fineract.security.oidc-federation.enabled=true
OidcTenantAwareFilter — Resolves the Fineract tenant from a configurable JWT claim (fineract_tenant by default) and sets the multi-tenant context
FineractOidcJwtAuthenticationConverter — Maps JWT claims to a FineractOidcUser principal with configurable username claim (preferred_username, email, sub)
FineractOidcUserService — Loads existing Fineract AppUser from the resolved OIDC principal; optionally auto-creates users on first login with configurable default roles
OidcAuthenticationSuccessHandler / OidcLogoutSuccessHandler — Handles post-login and RP-Initiated Logout per provider dialect (Keycloak, Azure AD, Okta, Auth0, generic)
FineractCorsConfiguration — Extracted CORS config as a reusable bean shared across Security filter chains
FineractProperties.FineractSecurityOidcFederationProperties — Config block under fineract.security.oidc-federation

FINERACT-2616

Checklist

Please make sure these boxes are checked before submitting your pull request - thanks!

Write the commit message as per our guidelines
Acknowledge that we will not review PRs that are not passing the build ("green") - it is your responsibility to get a proposed PR to pass the build, not primarily the project's maintainers.
Create/update unit or integration tests for verifying the changes made.
Follow our coding conventions.
Add required Swagger annotation and update API documentation at fineract-provider/src/main/resources/static/legacy-docs/apiLive.htm with details of any API changes
This PR must not be a "code dump". Large changes can be made in a branch, with assistance. Ask for help on the developer mailing list.

Your assigned reviewer(s) will follow our guidelines for code reviews.

adamsaghy · 2026-05-25T13:14:36Z

@alberto-art3ch Please review the failing quality checks.

IOhacker

Under review

galovics

All four review comments from my previous pass have been addressed:

Spring @transactional is used instead of Jakarta
provider is modeled as OidcFederationType enum
catch block in OidcTenantAwareFilter now logs a warning
The hardcoded 1L for head office is replaced with a configurable fineractProperties.getDefaults().getOfficeId()

The mailing list requirement (per-tenant OIDC configuration, different IdP per tenant) has also been implemented - the m_tenant_oidc_config table, TenantOidcConfigApiResource, and DynamicJwtIssuerAuthenticationManagerResolver address exactly what I asked for on the thread.

Build quality checks still need to be green before merge.

alberto-art3ch · 2026-06-08T17:44:42Z

All four review comments from my previous pass have been addressed:

Spring @transactional is used instead of Jakarta

provider is modeled as OidcFederationType enum

catch block in OidcTenantAwareFilter now logs a warning

The hardcoded 1L for head office is replaced with a configurable fineractProperties.getDefaults().getOfficeId()

The mailing list requirement (per-tenant OIDC configuration, different IdP per tenant) has also been implemented - the m_tenant_oidc_config table, TenantOidcConfigApiResource, and DynamicJwtIssuerAuthenticationManagerResolver address exactly what I asked for on the thread.

Build quality checks still need to be green before merge.

@galovics
Quality checks are now in green. Thanks!

adamsaghy · 2026-06-09T12:58:17Z

@IOhacker Kindly asking you to update your review

IOhacker

LGTM

alberto-art3ch force-pushed the FINERACT-2616/oidc-federation-support-for-idp branch from b3c6437 to 355873c Compare May 25, 2026 03:15