An OAuth 2.0 & OpenID Connect (OIDC) compliant authorization server just for demo purposes to be used as part of OAuth2/OIDC workshops.
This authorization server should...
- be available for free as open-source
- support efforts to learn OAuth2/OpenID Connect (self-study or as part of workshops)
- provide an easy way to set it up and run it (i.e. without consulting tons of documentation)
- support latest specs and drafts for OAuth 2.x and OpenID Connect
- be provided as docker container & support testcontainers
IMPORTANT:
The intention of this project is to be used for demos and as part of trainings/workshops.
It is NOT ready for production use!!
If you are looking for a production-grade identity access management solution please consult the list of Certified OpenID provider servers and services at the OpenID Foundation.
- RFC 6749: OAuth 2.0 Authorization Framework
- RFC 8252: OAuth 2.0 for Native Apps
- OpenID Connect 1.0
- OAuth 2.0 Grant Flows:
- RFC 6750: OAuth 2.0 Bearer Token Usage
- Signed JSON Web Tokens (using RSA PKI)
- Opaque Tokens + OAuth 2.0 Token Introspection
- OAuth 2.0 Token Revocation
- OpenID Connect Discovery
- Simple User Access Management API
- Simple User Access Management Web UI (Read access only)
- Management of OAuth2/OIDC Clients API
- Management of OAuth2/OIDC Clients Web UI (Read access only)
- OAuth 2.0 Grant Flows:
- Implicit Grant (intentionally not supported, as recommended by the OAuth 2.0 Security Best Current Practice)
- RFC 8628: OAuth 2.0 Device Authorization Grant
- RFC 8693: OAuth 2.0 Token Exchange
- RFC 8707: OAuth 2.0 Resource Indicators
- RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
- OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
- JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
- OAuth 2.0 Pushed Authorization Requests
- OAuth 2.0 Rich Authorization Requests
- JWT Response for OAuth Token Introspection
- OAuth 2.0 Incremental Authorization
- The OAuth 2.1 Authorization Framework
- End of 2020: Release 1.0 - Mandatory OAuth 2.0 & OIDC grant flows, user and client management, H2 in-memory storage
- January/February 2021: Release 1.1 - Support additional OAuth 2.0 RFCs/Drafts + support other databases for storage
To run the server you need a Java 11 JDK or higher (versions 11 and 14 are currently tested).
To run the server just execute `./gradlew bootRun`
or
run the Spring Boot starter class `com.example.authorizationserver.AuthorizationServerApplication` via your Java IDE.
It is also planned to provide the server as pre-packaged docker container image at a later project stage.
It is planned to provide an integrated user management system via Web UI and REST API. Currently, the Web UI only supports read-only access at localhost:9090/auth/admin. The REST API additionally supports creating new users already.
The following predefined users are set up automatically at startup time:

| Username | Email | Password | Role |
|---|---|---|---|
| bwayne | bruce.wayne@example.com | wayne | LIBRARY_USER |
| pparker | peter.parker@example.com | parker | LIBRARY_CURATOR |
| ckent | clark.kent@example.com | kent | LIBRARY_ADMIN |
| admin | max.root@example.com | admin | ADMIN |
It is planned to provide an integrated client management system via Web UI and REST API. Currently, the Web UI only supports read-only access at localhost:9090/auth/admin. The REST API additionally supports creating new clients already.
The following predefined clients are set up automatically at startup time:

| Client-Id | Client-Secret | Confidential | Grants | Token-Format | Redirect Uris | CORS |
|---|---|---|---|---|---|---|
| confidential-jwt | demo | yes | Authz Code (+/- PKCE), Client Creds | JWT | http://localhost:8080/demo-client/login/oauth2/code/demo | * |
| public-jwt | -- | no | Authz Code + PKCE | JWT | http://localhost:8080/demo-client/login/oauth2/code/demo | * |
| confidential-opaque | demo | yes | Authz Code (+/- PKCE), Client Creds | Opaque | http://localhost:8080/demo-client/login/oauth2/code/demo | * |
| public-opaque | -- | no | Authz Code + PKCE | Opaque | http://localhost:8080/demo-client/login/oauth2/code/demo | * |
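As an added example (not part of this project), the following Python 3 script drives the Authorization Code + PKCE flow against the predefined `public-jwt` client from the table above, which has no client secret and therefore relies on PKCE (RFC 7636) to bind the code exchange to the client that started the request. It assumes the issuer base URL `http://localhost:9090/auth` and the standard OIDC discovery path `/.well-known/openid-configuration` beneath it; neither is stated on this page.

```python
import base64, hashlib, json, secrets
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Assumptions (not stated in the README): issuer base path and the standard OIDC discovery path.
ISSUER = "http://localhost:9090/auth"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
# Predefined public client from the table above: no secret, Authz Code + PKCE only.
CLIENT_ID = "public-jwt"
REDIRECT_URI = "http://localhost:8080/demo-client/login/oauth2/code/demo"

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier: str = ""):
    """RFC 7636: a random code_verifier (43 chars here) and its S256 code_challenge."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(authorization_endpoint: str, challenge: str, state: str) -> str:
    """Front-channel request: only the challenge leaves the client; the verifier stays local."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return authorization_endpoint + "?" + urlencode(params)

def discover(url: str = DISCOVERY_URL) -> dict:
    """Fetch the OIDC discovery document to locate the authorization and token endpoints."""
    with urlopen(url) as resp:
        return json.load(resp)

def exchange_code(token_endpoint: str, code: str, verifier: str) -> dict:
    """Back-channel exchange: the server hashes code_verifier and checks it against the stored challenge."""
    body = urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
                      "client_id": CLIENT_ID, "code_verifier": verifier}).encode("ascii")
    req = Request(token_endpoint, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    cfg = discover()
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))  # bind the callback to this browser session
    print("Open in a browser and log in as one of the predefined users (e.g. bwayne / wayne):")
    print(build_authorization_url(cfg["authorization_endpoint"], challenge, state))
    code = input("Paste the 'code' query parameter from the redirect: ").strip()
    print(json.dumps(exchange_code(cfg["token_endpoint"], code, verifier), indent=2))
```

Because the code is pasted in by hand, this script skips the check a real client must make: that the `state` returned on the redirect equals the one it sent.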
Any feedback on this project is highly appreciated.
Just send an email to andreas.falk(at)novatec-gmbh.de or contact me via Twitter (@andifalk).
Apache 2.0 licensed