Authorization Server

An OAuth 2.0 & OpenID Connect (OIDC) compliant authorization server just for demo purposes to be used as part of OAuth2/OIDC workshops.

Targets

This authorization server should...

• be available for free as open-source
• support efforts to learn OAuth2/OpenID Connect (self-study or as part of workshops)
• provide an easy way for setting up and run it (i.e. without consulting tons of documentation)
• support latest specs and drafts for OAuth 2.x and OpenID Connect
• be provided as docker container & support testcontainers

IMPORTANT:
The intention of this project is to be used for demos and as part of trainings/workshops.
It is NOT ready for production use!!

If you are looking for a production-grade identity access management solution please consult the list of Certified OpenID provider servers and services at the OpenID Foundation.

Features (Supported)

• RFC 6749: OAuth 2.0 Authorization Framework
• RFC 8252: OAuth 2.0 for Native Apps
• OpenID Connect 1.0
• OAuth 2.0 Grant Flows:
  • Authorization Code Grant (+ PKCE)
  • Client Credentials Grant
  • Resource Owner Password Credentials Grant
• RFC 6750: OAuth 2.0 Bearer Token Usage
  • Signed Json Web Tokens (using RSA PKI)
  • Opaque Tokens + OAuth 2.0 Token Introspection
  • OAuth 2.0 Token Revocation
• OpenID Connect Discovery
• JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
• Simple User Access Management API (Following SCIM2 standard)
• Simple User Access Management Web UI (Read access only)
• Management of OAuth2/OIDC Clients API
• Management of OAuth2/OIDC Clients Web UI (Read access only)

Features (NOT Supported)

• OAuth 2.0 Grant Flows:
  • Implicit Grant (Not supported by intention, because of OAuth 2.0 Security Best Current Practice)
  • OIDC Hybrid Grant Flow (Not supported by intention, because of OAuth 2.0 Security Best Current Practice as this flow (same as the implicit flow) also returns the id token via the insecure front channel)

Features (Planned)

• RFC 8628: OAuth 2.0 Device Authorization Grant
• RFC 8693: OAuth 2.0 Token Exchange
• RFC 8707: OAuth 2.0 Resource Indicators
• RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP)
• The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
• OAuth 2.0 Pushed Authorization Requests
• OAuth 2.0 Rich Authorization Requests
• JWT Response for OAuth Token Introspection
• OAuth 2.0 Incremental Authorization
• The OAuth 2.1 Authorization Framework

Roadmap

• Q1 2021: Release 1.0 - Mandatory OAuth 2.0 & OIDC grant flows, user and client management, H2 in-memory storage
• Q2 2021: Release 1.1 - Support additional OAuth 2.0 RFCs/Drafts + support other databases for storage

Setup and Run the Authorization Server

To run the server you need at least a Java 11 JDK or higher (versions 11 and 14 are currently tested).

To run the server just perform a gradlew bootrun or run the Spring Boot starter class com.example.authorizationserver.AuthorizationServerApplication via your Java IDE.

It is also planned to provide the server as pre-packaged docker container image at a later project stage.

User Management

It is planned to provide an integrated user management system via Web UI and Rest API. Currently, the Web UI only supports read-only access at localhost:9090/auth/admin. The Rest API also supports creating new users already.

The following predefined users are setup at startup time automatically:

| Username | Email | Password | Role | | ---------| ------------------------ | -------- | --------------- | | bwayne | bruce.wayne@example.com | wayne | LIBRARY_USER | | pparker | peter.parker@example.com | parker | LIBRARY_CURATOR | | ckent | clark.kent@example.com | kent | LIBRARY_ADMIN | | admin | max.root@example.com | admin | ADMIN |

Client Management

It is planned to provide an integrated client management system via Web UI and Rest API. Currently the Web UI only supports read-only access at localhost:9090/auth/admin. The Rest API also supports creating new clients already.

The following predefined clients are setup at startup time automatically:

| Client-Id | Client-Secret | Confidential | Grants | Token-Format | Redirect Uris | CORS | | --------------------| --------------| ------------ | ----------------------------------- |--------------|---------------|------| | confidential-jwt | demo | yes | Authz Code (+/- PKCE), Client Creds | JWT | http://localhost:8080/demo-client/login/oauth2/code/demo | * | | public-jwt | -- | no | Authz Code + PKCE | JWT | http://localhost:8080/demo-client/login/oauth2/code/demo | * | | confidential-opaque | demo | yes | Authz Code (+/- PKCE), Client Creds | Opaque | http://localhost:8080/demo-client/login/oauth2/code/demo | * | | public-opaque | -- | no | Authz Code + PKCE | Opaque | http://localhost:8080/demo-client/login/oauth2/code/demo | * |

Feedback

If you have any feedback on this project this is highly appreciated.

Just send an email to andreas.falk(at)novatec-gmbh.de or contact me via Twitter (@andifalk).

License

Apache 2.0 licensed