README

Help me out for a couple of 🍻!

This library provides components to build an authorization server based on the OAuth2 Framework protocol (RFC6749) and associated features.

The following components are implemented:

• Access Token Managers:
  • JWT access token
  • Random string access token
  • Ability to use other Access Token managers
• Access Token Types:
  • Bearer access token (RFC6750)
  • MAC access token (IETF draft 02 only) - The implementation is stopped until the specification has not reach maturity
  • Ability to use other Access Token Types
• Exception manager
• Scope manager (RFC6749, section 3.3)
• Clients Managers:
  • Public clients (RFC6749, section 2.1) - See none authentication method
  • Password clients (RFC6749, section 2.3.1)
    • HTTP Basic Authentication Scheme (RFC2617 and RFC7617) - See client_secret_basic authentication method
    • JWT Assertion using password as shared key (OpenID Connect Core) - See client_secret_jwt authentication method
    • Credentials from request body - See client_secret_post authentication method
  • SAML clients (RFC7521 and RFC7522) - Help requested!
  • JWT clients (RFC7521 and RFC7523) - See private_key_jwt authentication method
  • Unregistered clients (RFC6749, section 2.4) - See none authentication method
  • Ability to use other Client Managers
• Endpoints:
  • Authorization (RFC6749, section 3.1)
  • Token (RFC6749, section 3.2)
  • Token Revocation (RFC7009)
  • Token Introspection (RFC7662)
  • Dynamic Client Registration Protocol (RFC7591)
  • Dynamic Client Registration Management Protocol (RFC7592)
  • Ability to use other Endpoints

• Grant types:

  • Authorization code grant type (RFC6749, section 4.1)
    • Proof Key for Code Exchange by OAuth Public Clients (RFC7636)
      • Plain
      • S256
      • Ability to use other challenge methods
  • Implicit grant type (RFC6749, section 4.2)
  • Resource Owner Password Credentials grant type (RFC6749, section 4.3)
  • Client credentials grant type (RFC6749, section 4.4)
  • Refresh token grant type (RFC6749, section 6)
  • SAML grant type (RFC7521 and RFC7522) - Help requested!
  • JWT Bearer token grant type (RFC7521 and RFC7523)
  • Ability to use other Grant Types

• Partial implementation

  • Threat Model and Security Consideration (RFC6819)
  • OpenID Connect: See the dedicated page of its implementation

• Integration planned

  • Proof-of-Possession (PoP) Security Architecture
  • Proof-of-Possession: Authorization Server to Client Key Distribution
  • Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
  • A Method for Signing an HTTP Requests for OAuth
  • Token Exchange: An STS for the REST of Us

The Release Process

The release process is described here.

Prerequisites

This library needs at least .

It has been successfully tested using PHP 5.6, PHP 7.0, PHP 7.1 and HHVM.

Installation

The preferred way to install this library is to rely on Composer:

composer require "oauth2-framework/server-library"

How to use

Have a look at How to use to use OAuth2 server and handle your first requests.

Contributing

Requests for new features, bug fixed and all other ideas to make this library useful are welcome. The best contribution you could provide is by fixing the opened issues where help is wanted

Please make sure to follow these best practices.

Licence

This library is release under MIT licence.