Generic library to build C-based OAuth 2.x and OpenID Connect servers and clients, e.g. web-server plugins.
- extends cjose into OAuth 2.x and OpenID Connect specific claims, secrets, and hashes
- adds OAuth 2.x and OpenID Connect protocols by abstracting HTTP requests and responses from web server implementation specifics
- reusable code across other OAuth 2.x and REST related protocols e.g. token exchange with endpoint authentication, source token retrieval, target pass settings etc.
- generic code with plugins for Apache, NGINX, and possibly more (e.g. Envoy, HA Proxy, IIS)
- configurable cache backend/size/options per cache element type
- cookie-based session management (i.e. enforce inactivity timeout, expiry)
- OpenID Connect 1.0
- OAuth 2.0 Resource Owner Password Credentials (RFC 6749)
- OAuth 2.0 Token Introspection (RFC 7662)
- JWT bearer token validation using JWK, JWKS URI, shared symmetric key, X.509 cert, and RSA public key (RFC 6750)
- OAuth 2.0 Authorization Server Metadata (RFC 8414)
- Proof Key for Code Exchange (PKCE) by OAuth Public Clients (RFC 7636)
- OAuth 2.0 Mutual-TLS (MTLS) Certificate-Bound Access Tokens (RFC 8705)
- OAuth 2.0 Demonstration of Proof-of-Possession (DPoP) at the Application Layer (Internet-Draft)
- Amazon ALB EC key URL based x-amzn-oidc-data JWT verification
- endpoint authentication methods: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, TLS client certificate, and HTTP basic authentication
- configurable cache backends: shared memory, file-based, memcache, and Redis
- retrieving a token from a header, a query parameter, a post parameter, or a cookie
- setting a token as a header, a query parameter, a post parameter, or a cookie
- Apache and NGINX bindings

liboauth2 depends on the following libraries:
- openssl for SSL and crypto support
- libcurl for HTTP client support
- jansson for JSON parsing
- cjose for JSON Object Signing and Encryption (JOSE) support
- (optional) libmemcached for memcache cache backend support
- (optional) libhiredis for Redis cache backend support
- (optional) Apache 2.x for Apache 2.x bindings support
- (optional) NGINX for NGINX bindings support
- (optional, build time only) check for unit test support

See Frequently Asked Questions on the Wiki.
Ask questions in the Discussions tracker.
For commercial support contracts, professional services, training, and use-case specific support, contact OpenIDC at: [email protected]
This software is open sourced by OpenIDC. For commercial support you can contact OpenIDC as described above in the Support section.