OAuth2 Server Library
The OAuth2 Java Server Library is the backbone of an OAuth2 provider: it supplies the basic OAuth2 endpoints and flows, and you supply storage and identity lookups through the interfaces described below.
Please note: we take the security of oauth2-server and our users' trust very seriously. If you believe you have found a security issue in the oauth2-server library, please disclose it responsibly by contacting us at [email protected].
Supported Flows
- Client authorization with the authorization_code grant (three-legged: the resource owner logs in and approves the client)
- 2-legged OAuth2 authorization with a JWT (the client authenticates with a signed JWT; no resource owner interaction)
Example: configuring the OAuth2 server library in a servlet

The entry point is OAuth2Servlet. Subclass it and hand it an OAuth2Config that wires in your implementations of the interfaces listed below:

```java
// OAuth2SupportServlet: OAuth2Servlet reads its configuration through getConfig()
class OAuth2SupportServlet extends OAuth2Servlet {
  private final OAuth2Config config;

  public OAuth2SupportServlet(OAuth2Config config) {
    this.config = config;
  }

  public OAuth2Config getConfig() {
    return config;
  }
}
```

Usage, for example from ServletContextListener.contextInitialized(ServletContextEvent servletContextEvent). The arguments tokens, jwtKeyStore, keyStore, identityFinder, resourceOwnerIdentityFinder, clientAuthorizationRepository and clientFinder are your implementations of the interfaces below:

```java
// Requires javax.servlet.ServletContext (Servlet 3.0+ for addServlet/addMapping)
ServletContext servletContext = servletContextEvent.getServletContext();
servletContext.addServlet("oauth2",
    new OAuth2SupportServlet(OAuth2Config.newConfig()
        .tokens(tokens)
        .jwtKeyStore(jwtKeyStore)
        .keyStore(keyStore)
        .identityFinder(identityFinder)
        .resourceOwnerIdentityFinder(resourceOwnerIdentityFinder)
        .clientAuthorizationRepository(clientAuthorizationRepository)
        .clientFinder(clientFinder)
        .loginPageUrl("/ServiceLogin?continue=")
        .build()))          // closes both the OAuth2SupportServlet constructor and addServlet(...)
    .addMapping("/o/oauth2/v1/*");
```
The corresponding interfaces are responsible for:

- IdentityFinder - Used to find the identity of the client that is requesting authorization.
- ClientAuthorizationRepository - Used to generate and persist authorization codes for authorized clients and to look them up later, in the access token request step.
- Tokens - Used to generate access and refresh tokens and persist them for later use when a protected resource is requested.
- JwtKeyStore - Used to find the key blocks for verifying JWT authorizations.
- KeyStore - Used to find the keys used for signing and verifying the signatures of id_tokens.
- ResourceOwnerIdentityFinder - Used during authorization of the request to find the identity of the resource owner.
- ClientFinder - Used to persist and find OAuth clients.
Endpoints in the OAuth2Servlet

For example, if you bind your OAuth2Servlet to /o/oauth2/v1/*:

- /o/oauth2/v1/auth - Used for authorization codes
- /o/oauth2/v1/token - Used for access and refresh tokens
- /o/oauth2/v1/revoke - Used to revoke access/refresh tokens
- /o/oauth2/v1/tokenInfo - Used to receive an id_token for the given access token
- /o/oauth2/v1/userInfo - Used to receive a UserInfo for the given access token
- /o/oauth2/v1/certs - Used to receive the certificates used to sign id_tokens
id_token
The library supports the OpenID Connect id_token (http://openid.net/specs/openid-connect-core-1_0.html), which can be obtained from the tokenInfo endpoint. To save round trips, an id_token is also returned with the refresh token response and with the JWT token response. The id_token carries a custom JWS header, CID (Certificate ID), that identifies which certificate signed the token, so a verifier can pick the matching certificate from the certs endpoint. Note that CID is not the standard kid (Key ID) header of RFC 7515, so off-the-shelf JOSE libraries will not select the key by it automatically: a client has to read CID itself, refuse tokens whose CID it does not know, pin the expected signature algorithm, and only then check iss, aud and exp.
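The verification a client has to perform against the CID header and the certs endpoint, as an added example that is not part of the oauth2-server library (Python rather than Java, because the verifying side of an id_token is independent of the server's code). It goes a little beyond the paragraph above: besides selecting the certificate by CID it pins the algorithm and checks iss, aud and exp, which is the full set of checks a relying party needs. The lowercase spelling "cid" of the header member, the shape of the certs document (a dict mapping a certificate id to the RSA public numbers n and e), and the throwaway key pair are assumptions constructed for the demo; the real /certs format may differ. RS256 is hand-rolled on the standard library so the file runs offline, which is fine for a demonstration but not a substitute for a vetted JOSE library.

```python
"""Verify an id_token that names its signing certificate in a custom "cid" JWS
header (added example; not the oauth2-server library's code). Assumed for the
demo: the member is spelled "cid", the certs document is {cid: (n, e)} with RSA
public numbers, and RS256 is hand-rolled on the standard library to run offline."""
import base64
import hashlib
import hmac
import json
import random


class IdTokenError(ValueError):
    """Raised for any token that must not be trusted."""


def _is_probable_prime(n, rounds=24):
    # Candidates are 512-bit, so a small factor always means composite
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin; adequate for a throwaway demo key
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_rsa_keypair(bits=1024):
    """Return ((n, e), (n, d)) with e = 65537 and two random bits//2-bit primes."""
    e, half, primes = 65537, bits // 2, []
    while len(primes) < 2:
        cand = random.getrandbits(half) | (1 << (half - 1)) | 1
        # e is prime, so gcd(e, phi) == 1 iff e divides neither p-1 nor q-1
        if _is_probable_prime(cand) and cand not in primes and (cand - 1) % e:
            primes.append(cand)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    return (n, e), (n, pow(e, -1, phi))


_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2


def _emsa_pkcs1_v1_5(msg, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def _rs256_sign(priv, msg):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v1_5(msg, k), "big"), d, n).to_bytes(k, "big")


def _rs256_verify(pub, msg, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    # Re-encode and compare the whole block rather than parsing the padding
    return hmac.compare_digest(em, _emsa_pkcs1_v1_5(msg, k))


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(priv, cid, claims):
    """Issuer side: RS256 JWS whose header names the signing certificate."""
    header = {"alg": "RS256", "typ": "JWT", "cid": cid}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(_rs256_sign(priv, signing_input.encode()))


def verify_id_token(token, certs, issuer, client_id, now):
    """Client side: return the verified claims, or raise IdTokenError."""
    try:
        h64, p64, s64 = token.split(".")
        header, sig = json.loads(_b64u_decode(h64)), _b64u_decode(s64)
    except ValueError as exc:
        raise IdTokenError("malformed token") from exc
    # Pin the algorithm; the token must never choose it ("none", key confusion)
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise IdTokenError("header must be a JSON object with alg RS256")
    pub = certs.get(header.get("cid"))  # select by the custom header, refuse unknown ids
    if pub is None:
        raise IdTokenError("unknown signing certificate %r" % header.get("cid"))
    if not _rs256_verify(pub, (h64 + "." + p64).encode(), sig):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64u_decode(p64))  # trusted only now that the signature holds
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("token not issued to this client")
    if claims.get("exp", 0) <= now:
        raise IdTokenError("token expired")
    return claims
```

Call generate_rsa_keypair() once for the issuer, publish the public numbers under a certificate id in the certs dict, sign with sign_id_token(priv, cid, claims) and verify with verify_id_token(token, certs, issuer, client_id, now). The order of checks is deliberate: nothing inside the payload is read until the algorithm is pinned, the certificate has been selected from a list the client already trusts, and the signature has been verified over the exact bytes received.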
ToDo
- dependency clean up
License
Copyright 2017 clouWay ood.
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.