Authorization Server

An OAuth 2.0 & OpenID Connect (OIDC) compliant authorization server just for demo purposes to be used as part of OAuth2/OIDC workshops.

Targets

This authorization server should...

be available for free as open-source
support efforts to learn OAuth2/OpenID Connect (self-study or as part of workshops)
provide an easy way for setting up and run it (i.e. without consulting tons of documentation)
support latest specs and drafts for OAuth 2.x and OpenID Connect
be provided as docker container & support testcontainers

IMPORTANT:
The intention of this project is to be used for demos and as part of trainings/workshops.
It is NOT ready for production use!!

If you are looking for a production-grade identity access management solution please consult the list of Certified OpenID provider servers and services at the OpenID Foundation.

Features (Supported)

RFC 6749: OAuth 2.0 Authorization Framework
RFC 8252: OAuth 2.0 for Native Apps
OpenID Connect 1.0
OAuth 2.0 Grant Flows:
RFC 6750: OAuth 2.0 Bearer Token Usage
- Signed Json Web Tokens (using RSA PKI)
- Opaque Tokens + OAuth 2.0 Token Introspection
- OAuth 2.0 Token Revocation
OpenID Connect Discovery
JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
Simple User Access Management API (Following SCIM2 standard)
Simple User Access Management Web UI (Read access only)
Management of OAuth2/OIDC Clients API
Management of OAuth2/OIDC Clients Web UI (Read access only)

Features (NOT Supported)

OAuth 2.0 Grant Flows:
- Implicit Grant (Not supported by intention, because of OAuth 2.0 Security Best Current Practice)
- OIDC Hybrid Grant Flow (Not supported by intention, because of OAuth 2.0 Security Best Current Practice as this flow (same as the implicit flow) also returns the id token via the insecure front channel)

Features (Planned)

Roadmap

Q1 2021: Release 1.0 - Mandatory OAuth 2.0 & OIDC grant flows, user and client management, H2 in-memory storage
Q2 2021: Release 1.1 - Support additional OAuth 2.0 RFCs/Drafts + support other databases for storage

Setup and Run the Authorization Server

To run the server you need at least a Java 11 JDK or higher (versions 11 and 14 are currently tested).

To run the server just perform a gradlew bootrun or run the Spring Boot starter class com.example.authorizationserver.AuthorizationServerApplication via your Java IDE.

It is also planned to provide the server as pre-packaged docker container image at a later project stage.

User Management

It is planned to provide an integrated user management system via Web UI and Rest API. Currently, the Web UI only supports read-only access at localhost:9090/auth/admin. The Rest API also supports creating new users already.

The following predefined users are setup at startup time automatically:

Username	Email	Password	Role
bwayne	bruce.wayne@example.com	wayne	LIBRARY_USER
pparker	peter.parker@example.com	parker	LIBRARY_CURATOR
ckent	clark.kent@example.com	kent	LIBRARY_ADMIN
admin	max.root@example.com	admin	ADMIN

Client Management

It is planned to provide an integrated client management system via Web UI and Rest API. Currently the Web UI only supports read-only access at localhost:9090/auth/admin. The Rest API also supports creating new clients already.

The following predefined clients are setup at startup time automatically:

Client-Id	Client-Secret	Confidential	Grants	Token-Format	Redirect Uris	CORS
confidential-jwt	demo	yes	Authz Code (+/- PKCE), Client Creds	JWT	http://localhost:8080/demo-client/login/oauth2/code/demo	*
public-jwt	--	no	Authz Code + PKCE	JWT	http://localhost:8080/demo-client/login/oauth2/code/demo	*
confidential-opaque	demo	yes	Authz Code (+/- PKCE), Client Creds	Opaque	http://localhost:8080/demo-client/login/oauth2/code/demo	*
public-opaque	--	no	Authz Code + PKCE	Opaque	http://localhost:8080/demo-client/login/oauth2/code/demo	*

Feedback

If you have any feedback on this project this is highly appreciated.

Just send an email to andreas.falk(at)novatec-gmbh.de or contact me via Twitter (@andifalk).

License

Apache 2.0 licensed

yliu138/authorizationserver