Revisit oauth2 module structure

[jgrandja]

Summary

The new modules for the new OAuth 2.0 support include: oauth2-core and oauth2-client

The oauth2-core module includes OpenID Connect 1.0 specific implementation artifacts. Does it make sense to break up the module and include a new one called oauth2-oidc?

[jgrandja]

The current dependency hierarchy for the oauth2 modules is as follows:

spring-security-oauth2-core -> spring-security-core

spring-security-oauth2-client -> spring-security-oauth2-core, spring-security-jwt-jose

spring-security-jwt-jose -> spring-security-oauth2-core

I feel this module hierarchy is correct. I was contemplating splitting the OAuth 2.0 and OpenID Connect Core 1.0 into separate modules but after giving it some thought I don't feel this is necessary as it would introduce unnecessary complexity. OIDC core essentially extends from OAuth2 core and therefore are tightly bound.

The one consideration we should decide on is to potentially rename the following modules:

spring-security-oauth2-core -> spring-security-oauth2-oidc-core

spring-security-oauth2-client -> spring-security-oauth2-oidc-client

What are your thoughts on renaming @rwinch?

As we build out new features for OAuth2 / OIDC, I'm envisioning the following module/feature structure:

spring-security-oauth2-core

• OAuth 2.0 Authorization Framework
• OpenID Connect Core 1.0

spring-security-oauth2-client

• OpenID Connect Core 1.0
• OpenID Connect Discovery 1.0 (Future)
• OpenID Connect Dynamic Client Registration 1.0 (Future)
• OpenID Connect Session Management 1.0 (Future)
• OpenID Connect Back-Channel Logout 1.0 (Future)

spring-security-jwt-jose

• JSON Web Token (JWT)
• JSON Web Signature (JWS) (Future)
• JSON Web Encryption (JWE) (Future)
• JSON Web Key (JWK) (Future)

[jgrandja]

@rwinch As discussed, we are good with the current module names so will close this and leave as is.