OpenID 1.0 and 2.0 protocols are deprecated and users are encouraged to migrate to OpenID Connect, which is supported by spring-security-oauth2.

The namespace supports logging in using OpenID instead of or in addition to regular form logging, for which You only need to make a small change:

<intercept-url pattern="/**" access="ROLE_USER" />
<openid-login />

You should then register through an OpenID provider (for example, and add the user information to the in-memory <user-service>:

<user name="" authorities="ROLE_USER" />

You should be able to log in using for authentication. You can also select a specific UserDetailsService bean to use OpenID by setting the user-service-ref attribute on the openid-login element. Note that we have omitted the password attribute from the user configuration above because this set of user data is only used to load the permissions for the user. The password will be randomly generated internally, preventing this user data from being unintentionally used as a source of authentication elsewhere in the configuration.

Attribute exchange

Support for attribute exchange in OpenID. As an example, the following configuration will try to obtain the email address and full name from the OpenID provider for use by the application:

    <openid-attribute name="email" type="" required="true"/>
    <openid-attribute name="name" type=""/>

The "type" of each OpenID attribute is a URI defined by a particular schema, in this case. If the attribute must be obtained for successful authentication, you can set the required attribute. The exact schema and supported attributes depend on your OpenID provider. The attribute values are returned as part of the authentication process and can then be accessed using the following code:

OpenIDAuthenticationToken token =
List<OpenIDAttribute> attributes = token.getAttributes();

We can get the OpenIDAuthenticationToken from the SecurityContextHolder. OpenIDAttribute contains the attribute type and the value to be retrieved (or values in the case of multivalued attributes). You can pass multiple attribute-exchange elements by using the identifier-matcher attribute for each one. Contains a regular expression that will be matched against the OpenID supplied by the user. For an example configuration, see the codebase for the OpenID sample application, which provides different attribute lists for the Google, Yahoo, and MyOpenID providers.