Is spring-authorization-server a suitable tool for connecting to an existing OIDC server provided by an enterprise?

Is spring-authorization-server appropriate for connecting to an existing OIDC server provided by my enterprise? It looks like spring-authorization-server provides the ability to create and customize these auth flows, and we can also utilize github and google as federated (social) auth providers, but I am trying to determine if I can connect to my organization's auth service.

We deploy our application stack of several spring boot applications on an enclave, and we also deploy on another network that a wider audience can reach. Each of these networks has its own OIDC server, so I envision having each of the apps talk to the spring auth server, and the spring auth server will be configured on each network for that network's provided auth server. I want the application stack (in its entirety) to be as portable as possible, and I want to isolate the differences between the two deployment environments only to configuration, if possible.

I am aware that I can configure the spring security oauth2 client in each of the apps to talk to my company's OIDC server, but I would prefer to avoid doing it that way, of possible.

So, my question is -- how can I point spring-authorization-server to an external OIDC server (that is not google or github)? I have done extensive searching, and I have looked at many, many tutorials and examples. It seems like this should be something that Spring would want to show in their examples, but it is conspicuously absent. That makes me think that it is not designed to do what I want to do, but I hope that I am just missing something.

if you just need to utilize the existed enterprise-provided OIDC server, there is no need for you use spring-authorization-server.

All you need is just a attach oauth2 client.

for example, if you use springboot, it just need add spring-boot-starter-oauth2-client to the dependencies, and then config the spring:security:oauth2:client:registration and spring:security:oauth2:client:provider. so the framework will could resolve the user info and store it in its context.

you can refer to this, https://www.baeldung.com/spring-security-openid-connect

You can indeed connect to any OIDC provider via Spring Authorization Server. In fact, the use case you laid out is a perfect example of what SAS is designed for. Of course there are tradeoffs with any architecture, and generally the Spring team will not make specific recommendations on your architecture (except to recommend architectures that enhance security, such as BFF). This may be one reason you find this specific example missing.

Another reason some examples may be missing is that the details of configuring your specific OIDC provider instead of a common provider requires knowledge that only you have. In those cases, you want to start with a provided example, and begin adapting it from there using the reference documentation for OAuth2 as your guide. It may help to know that you should think of Spring Authorization Server as an OAuth2 (Login) Client for the purposes of configuring an upstream provider.

See for example Configuring Custom Provider Properties. If you are working with a spec-compliant OpenID Connect 1.0 provider, you should only need to provide the required properties for your upstream provider in each environment (such as the client examples in ch4mp's tutorials linked in the comments do) and Spring Security will do the rest. Note that in many cases, you only need to provide an issuer-uri for your provider and it will supply the other properties (via the OpenID Connect 1.0 Provider Configuration Response of the ${issuer-uri}/.well-known/openid-configuration endpoint of your provider).

As you can (hopefully) see, Spring Security handles all of the authentication needs for you. If it seems that demonstrating this in the context of Spring Authorization Server is missing, that's because it's not any different than configuring a regular OAuth2 Login/Client example.

My specific recommendation is to start with How-to: Authenticate using Social Login and replace Google/GitHub with your provider using only properties. As mentioned earlier, you will only run into trouble if your provider is not spec-compliant and requires customization. A thorough read of the reference documentation will help here, and feel free to ask additional (more specific) questions on that.