GitHub - authelia/oauth2-provider: Authelia OAuth 2.0 Framework (Provider Role)

OAuth 2.0 Framework

This library is the Authelia OAuth 2.0 Framework which is internally used to deliver OAuth 2.0 and OpenID Connect 1.0 Flows to its users.

Notable Implemented or Intended Differences

In an effort to assist users who wish to use this library we aim to maintain the following list of differences:

Module path changed from github.com/ory/fosite to authelia.com/provider/oauth2.
Documentation:
- Add spec support documentation
Overhaul testing:
- Ensure all tests and subtests are well named
- Ensure all tests are simplified where possible
- Restore/Implement conformance tests
Rename interfaces and implementations:
- OAuth2Provider to Provider.
- Fosite to TBA.
Minimum dependency is go version 1.21
Replace string values with constants where applicable ^commit
Simplify the internal JWT logic to leverage github.com/golang-jwt/jwt/v5 or other such libraries
Implement internal JWKS logic
Higher Debug error information visibility (Debug Field includes the complete RFC6749 error with debug information if available)
Fixes:
- ~~Basic Scheme Rejects Special Characters~~ ^commit
- RFC9068 must condition ignored ^commit
- Arguments are treated as case-insensitive ^commit
- Refresh Flow:
  - Requested scope ignored ^commit
  - Original request id not set early enough ^commit
- PKCE Flow:
  - Session generated needlessly ^commit
  - Failure to fetch session causes an error even when not enforced ^commit
- OpenID Flows:
  - Absence of Redirect URI does not result in an error ^commit
- Decode id_token_hint with correct signer
- Write Revocation Response does not correctly error ^commit
- ~~Invalid Token base 64 error not mapped to RFC~~
- Auth Request omitted Response Mode not validated
- Refresh Grant if Token Invalid/Expired status is not 400 ^commit
- Access Token iat and nbf in JWT Profile always original claims ^commit
Features:
- Requested Audience Policy (many clients do not support the parameter)
- PAR Flow:
  - Per-Client Enforcement Policy
- PKCE Flow:
  - Per-Client Enforcement Policy
- CoreStrategy:
  - Customizable Token Prefix ^commit
  - Automatic NewCoreStrategy which provides either:
    - JWT Profile Core Strategy (if a jwt.Signer is provided)
    - HMAC-based Core Strategy
  - JWT Profile Per Client
- Introspection JWT Responses
- Introspection Client Authentication
- Custom Form Post Response Writer
- UserInfo support
- RFC8628: OAuth 2.0 Device Authorization Grant support ^commit
- RFC8693: OAuth 2.0 Token Exchange support ^commit
- RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support
- RFC9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP) support
- RFC9396: OAuth 2.0 Rich Authorization Requests support
- RFC9101: OAuth 2.0 JWT-Secured Authorization Requests
- OpenID Connect Dynamic Client Registration 1.0 support
- Response Mode Rework:
  - JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) support ^commit
  - RFC9207: OAuth 2.0 Authorization Server Issuer Identification support ^commit
  - Response Type None ^commit
- Revocation Flow per policy can decide to revoke Refresh Tokens on request ^commit
- Client Authentication Rework:
  - General Refactor
  - Prevent Multiple Client Authentication Methods
  - Client Secret Validation Interface
  - JWE support for Client Authentication and Issuance
- Testing Package (mocks, etc)
- Clock Drift Support
- Key Management
- Injectable Clock Configurator
- Support s_hash ^commit
Removal of the following dependencies:
- go.opentelemetry.io/otel/trace
- github.com/ecordell/optgen
- github.com/asaskevich/govalidator
- github.com/gorilla/websocket
- github.com/magiconair/properties
- github.com/mattn/goveralls
- github.com/oleiade/reflections
- github.com/ory/go-acc
- github.com/ory/go-convenience
- github.com/ory/x
- github.com/gorilla/sessions
- github.com/gobuffalo/packr
- github.com/form3tech-oss/jwt-go
- github.com/dgrijalva/jwt-go
Migration of the following dependencies:
- github.com/go-jose/go-jose/v3 => github.com/go-jose/go-jose/v4
- github.com/golang/mock => github.com/uber-go/mock
- github.com/cristalhq/jwt/v4 => github.com/golang-jwt/jwt/v5

Thanks

This is a hard fork of ORY Fosite under the Apache 2.0 License for the purpose of performing self-maintenance of this critical Authelia dependency.

We however:

Acknowledge the amazing hard work of the ORY developers in making such an amazing framework that we can do this with.
Plan to continue to contribute back to te ORY fosite and related projects.
Have ensured the licensing is unchanged in this fork of the library.
Do not have a formal affiliation with ORY and individuals utilizing this library should not allow their usage to be a reflection on ORY as this library is not maintained by them.

Name		Name	Last commit message	Last commit date
Latest commit History 848 Commits
.github		.github
compose		compose
handler		handler
i18n		i18n
integration		integration
internal		internal
scripts		scripts
storage		storage
testing/mock		testing/mock
token		token
x/errorsx		x/errorsx
.gitignore		.gitignore
.golangci.yml		.golangci.yml
.prettierignore		.prettierignore
.reference-ignore		.reference-ignore
.renovaterc		.renovaterc
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
access_error.go		access_error.go
access_error_test.go		access_error_test.go
access_request.go		access_request.go
access_request_handler.go		access_request_handler.go
access_request_handler_test.go		access_request_handler_test.go
access_request_test.go		access_request_test.go
access_response.go		access_response.go
access_response_test.go		access_response_test.go
access_response_writer.go		access_response_writer.go
access_response_writer_test.go		access_response_writer_test.go
access_write.go		access_write.go
access_write_test.go		access_write_test.go
arguments.go		arguments.go
arguments_test.go		arguments_test.go
audience_strategy.go		audience_strategy.go
audience_strategy_test.go		audience_strategy_test.go
authorize_error.go		authorize_error.go
authorize_error_test.go		authorize_error_test.go
authorize_helper.go		authorize_helper.go
authorize_helper_test.go		authorize_helper_test.go
authorize_helper_whitebox_test.go		authorize_helper_whitebox_test.go
authorize_request.go		authorize_request.go
authorize_request_handler.go		authorize_request_handler.go
authorize_request_handler_oidc_request_test.go		authorize_request_handler_oidc_request_test.go
authorize_request_handler_test.go		authorize_request_handler_test.go
authorize_request_test.go		authorize_request_test.go
authorize_response.go		authorize_response.go
authorize_response_test.go		authorize_response_test.go
authorize_response_writer.go		authorize_response_writer.go
authorize_response_writer_test.go		authorize_response_writer_test.go
authorize_validators_test.go		authorize_validators_test.go
authorize_write.go		authorize_write.go
authorize_write_test.go		authorize_write_test.go
client.go		client.go
client_authentication.go		client_authentication.go
client_authentication_jwks_strategy.go		client_authentication_jwks_strategy.go
client_authentication_jwks_strategy_test.go		client_authentication_jwks_strategy_test.go
client_authentication_secret.go		client_authentication_secret.go
client_authentication_secret_bcrypt.go		client_authentication_secret_bcrypt.go
client_authentication_secret_bcrypt_test.go		client_authentication_secret_bcrypt_test.go
client_authentication_strategy.go		client_authentication_strategy.go
client_authentication_test.go		client_authentication_test.go
client_manager.go		client_manager.go
client_test.go		client_test.go
client_with_custom_token_lifespans.go		client_with_custom_token_lifespans.go
client_with_custom_token_lifespans_test.go		client_with_custom_token_lifespans_test.go
config.go		config.go
config_default.go		config_default.go
context.go		context.go
equalKeys_test.go		equalKeys_test.go
errors.go		errors.go
errors_test.go		errors_test.go
fosite.go		fosite.go
fosite_test.go		fosite_test.go
generate-mocks.sh		generate-mocks.sh
generate.go		generate.go
go.mod		go.mod
go.sum		go.sum
handler.go		handler.go
helper.go		helper.go
helper_test.go		helper_test.go
i18n_helper.go		i18n_helper.go
i18n_helper_test.go		i18n_helper_test.go
introspect.go		introspect.go
introspect_test.go		introspect_test.go
introspection_request_handler.go		introspection_request_handler.go
introspection_request_handler_test.go		introspection_request_handler_test.go
introspection_response_writer.go		introspection_response_writer.go
introspection_response_writer_test.go		introspection_response_writer_test.go
oauth2.go		oauth2.go
package-lock.json		package-lock.json
package.json		package.json
pushed_authorize_request_handler.go		pushed_authorize_request_handler.go
pushed_authorize_request_handler_test.go		pushed_authorize_request_handler_test.go
pushed_authorize_response.go		pushed_authorize_response.go
pushed_authorize_response_writer.go		pushed_authorize_response_writer.go
pushed_authorize_response_writer_test.go		pushed_authorize_response_writer_test.go
request.go		request.go
request_test.go		request_test.go
response_handler.go		response_handler.go
revoke_handler.go		revoke_handler.go

License

authelia/oauth2-provider

Folders and files

Latest commit

History