The latest articles on DEV Community by saculo (@saculo). https://dev.to/saculo https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3115708%2Fbd78592f-648a-4947-ab13-a2b0502882d0.png https://dev.to/saculo en saculo Fri, 02 May 2025 08:29:31 +0000 https://dev.to/saculo/openid-and-universal-login-29eo https://dev.to/saculo/openid-and-universal-login-29eo <p>Hi,</p> <p>Recently I decided to deep dive into OpenID and whole AuthZ/AuthN/Web-app security staff. As I'm Java Dev I decided to write my own blocks. I will use Spring's Authorization Server/Resource Server/OAuth2 Client starters to build that. My starting point is to achieve simple AuthN + AuthZ with something which Auth0 calls "Universal Login". So I want to allow user to Sign Up/Sign In via Socials like GH/Google etc. and store that as a registered client with ID Token to authenticate and Access/Refresh tokens to Authorize... But "bigger problem" and I'm not sure how companies are solving that is allowing an user to Sign Up/Sign In with his own credentials (email + passsword) for example. Would be great to use same Authorization path.<br> Should I store OpenID clients and "regular users" separately?<br> Does OpenID allow path to store and manage also normal (email + password ) flow?</p> <p>How should I solve that? Would be great if you would be able to provide some links/materials/books etc. how this flow (probably common one, as currently almost every company allows registration/login flow like this) should be implemented?</p> <p>Thanks!</p> webdev security java discuss