README

Modular Identity Provider and Access Management Platform

OAuth2 Passport Server is a modern Identity and Access Management (IAM) platform designed to centralize authentication, authorization, and permissions across applications, APIs, microservices, and enterprise systems.

Built on top of OAuth2, OpenID Connect (OIDC), and Elymod, the platform provides a centralized Identity Provider (IdP) capable of managing users, applications, permissions, subscriptions, and services from a single location.

Designed for startups, SaaS platforms, enterprises, and distributed architectures, OAuth2 Passport Server helps organizations eliminate fragmented authentication systems while maintaining full compatibility with industry standards.

Why OAuth2 Passport Server?

As organizations grow, authentication and authorization become fragmented across multiple systems:

• Web applications
• Mobile applications
• APIs
• Internal tools
• Microservices
• Customer portals
• Third-party integrations

Each application often maintains its own users, roles, and permissions.

This results in:

• Duplicate user accounts
• Permission inconsistencies
• Increased maintenance costs
• Security vulnerabilities
• Difficult integrations
• Poor user experience

OAuth2 Passport Server solves these challenges by acting as the central authority responsible for identity, authentication, and access management across the entire organization.

Key Features

Identity and Access Management (IAM)

Centralized user authentication and authorization across applications, services, and APIs.

Identity Provider (IdP)

Act as a centralized identity provider for web applications, mobile applications, APIs, and microservices.

OpenID Connect Provider

Built-in OpenID Connect support including:

• Discovery Endpoint
• JWKS Endpoint
• Identity Tokens
• Standardized Authentication Flows
• Third-Party Integrations

OAuth2 Authorization Server

Currently supported flows:

• Authorization Code Flow
• Authorization Code Flow with PKCE
• Refresh Tokens

Built following modern OAuth2 security recommendations.

Single Sign-On (SSO)

Authenticate once and access multiple connected applications through a centralized identity system.

Hierarchical Scope Management

Permissions are generated using a structured scope model:

group_service_role

Examples:

billing_invoices_read
billing_invoices_create
billing_payments_manage

crm_contacts_read
crm_contacts_update

support_tickets_close

This approach provides significantly more granular authorization than traditional role-based systems.

Benefits include:

• Fine-grained access control
• Consistent permission naming
• Easier auditing
• Better scalability
• Cross-service interoperability

Service Marketplace

Organizations can publish services and manage access through subscriptions.

When a user gains access to a service, the corresponding scopes can be assigned automatically, allowing connected applications to immediately recognize updated permissions.

Microservice Authentication

Perfect for:

• Microservices
• Service-Oriented Architectures (SOA)
• API Ecosystems
• Distributed Systems

Applications can validate tokens using OpenID Connect standards without requiring direct database communication.

OpenID Connect Discovery

OAuth2 Passport Server implements the OpenID Connect Discovery specification.

Applications can automatically discover server capabilities using:

/.well-known/openid-configuration

Supported discovery information includes:

• Issuer
• Authorization Endpoint
• Token Endpoint
• JWKS Endpoint
• Logout Endpoint
• Supported Scopes
• Supported Grant Types

This enables seamless integration with OpenID Connect compatible applications and services.

Powered by Elymod

OAuth2 Passport Server is built on Elymod, a modular application framework designed to extend platform functionality without modifying the core system.

Unlike traditional identity providers, new capabilities can be installed as independent modules.

Benefits

• Zero core modifications
• Upgrade-safe extensions
• Independent module lifecycle
• Vendor-friendly architecture
• Enterprise scalability
• Feature isolation

Dependency Isolation

Each module can manage its own dependencies independently.

PHP Dependencies

Modules can include their own Composer dependencies without affecting the core application.

Node.js Dependencies

Modules can maintain their own frontend ecosystem, including:

• package.json
• Build Pipelines
• Frontend Frameworks
• JavaScript Libraries
• Asset Compilation Tools

This prevents dependency conflicts and allows modules to evolve independently.

Independent Licensing

Each module may define its own licensing model:

• Open Source
• Commercial
• Enterprise
• Internal Use

Organizations can deploy only the functionality they require while maintaining a centralized identity platform.

Enterprise Ready

OAuth2 Passport Server is designed for:

• SaaS Platforms
• Enterprises
• Government Systems
• Internal Corporate Applications
• API Platforms
• Multi-Service Architectures
• Customer Portals
• Identity Providers (IdP)

Security Features

• OAuth2 Compliant
• OpenID Connect Compliant
• PKCE Support
• Refresh Tokens
• RS256 Token Signing
• JWKS Support
• Centralized Authorization
• Hierarchical Scope-Based Permissions
• CSP-Compatible Administration Interface
• Secure Authentication Workflows

Vision

OAuth2 Passport Server is more than an OAuth2 authorization server.

It is a modular identity platform designed to become the central authentication, authorization, and access management layer for modern organizations.

By combining OAuth2, OpenID Connect, advanced permission management, service subscriptions, and Elymod's modular architecture, organizations can build complete digital ecosystems on top of a secure and standards-compliant identity foundation.