OAuth2 Framework Initiative

This project aims to provide all the necessary elements for the creation of an authorization server based on the OAuth2 protocol.

Below is a list of components available to you:

Access Token Management:
Access Token based on JSON Web Tokens (JWT)
Access Token based on a random string
Possibility of using another manager
Types of Tokens:
Bearer Access Token (RFC6750)
MAC Access Token (IETF draft 02 only) – Implementation has been stopped. It will be preferable to use the POP Access Tokens as soon as they are available
Possibility of using another type of token
Scopes Manager (RFC6749, Section 3.3)
Application of policy if no scope is requested
Doing nothing
Issue an error
Assign default scope(s)
Possibility to use a customized policy
Client Manager:
Public Clients (RFC6749, Section 2.1) – See none
Clients with Password (RFC6749, Section 2.3.1)
HTTP Basic Authentication (RFC2617 and RFC7617) – See client_secret_basic
JWT Assertion Authentication (the password as a shared key) (OpenID Connect Core) – See client_secret_jwt
Password Authentication in the Request Body – See client_secret_post
Clients with SAML assertion (RFC7521 and RFC7522)
Clients with JWT assertion (RFC7521 and RFC7523) – See private_key_jwt
Possibility of using other authentication mechanisms
Entry Points:
Authorization (RFC6749, Section 3.1)
Token (RFC6749, Section 3.2)
Token Revocation (RFC7009)
Token Introspection (RFC7662)
Dynamic Client Registration (RFC7591)
Dynamic Client Configuration (RFC7592)
Signature / encryption keys
User information (Userinfo)
IFrame for managing the user session
Issuer Discovery

Authorization Code (RFC6749, Section 4.1)
Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
Possibility of using other methods
Implicit (RFC6749, Section 4.2)
Resource Owner Password Credentials (RFC6749, Section 4.3)
Client credentials (RFC6749, Section 4.4)
Refresh Token (RFC6749, Section 6)
SAML Bearer Token (RFC7521 and RFC7522)
JWT Bearer Token (RFC7521 and RFC7523)
Possibility of using other authorization flows
Partial implementation:

Threat Model and Security Considerations (RFC6819)
Planned integration:

POP Access Token (Proof-of-Possession (PoP) Security Architecture, Proof-of-Possession: Authorization Server to Client Key Distribution and Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs))
A Method for Signing HTTP Requests for OAuth
Token Exchange: An STS for the REST of Us