---
visibility: public
---

# OpenID Connect

**repo:** [cerberauth/awesome-openid-connect](https://github.com/cerberauth/awesome-openid-connect)
**category:** [[security|Security]]

---

# Awesome OpenID Connect

> [OpenID Connect](https://openid.net/#introduction) is an authentication protocol and identity layer on top of OAuth 2.0, used for single sign-on (SSO) and adopted by many social logins (Apple, Facebook, Google, etc.). It lets a user authenticate to a service with an existing account at an OpenID Connect Provider (OP): after the user consents, the Relying Party (RP) application receives an ID token carrying identity claims about the user, and usually an access token it can use to call resources (such as the UserInfo endpoint) on the user's behalf.
>
> This curated list gathers providers, services, libraries, and resources to adopt OpenID Connect and to learn about existing and draft specs.

## Contents

- [OpenID Providers (OP)](#openid-providers-op)
- [Relying Parties (RP) Libraries](#relying-parties-rp-libraries)
  - [C](#c)
  - [C#](#c-1)
  - [Dart](#dart)
  - [Erlang](#erlang)
  - [Golang](#golang)
  - [Java](#java)
  - [JavaScript](#javascript)
  - [OCaml](#ocaml)
  - [PHP](#php)
  - [Python](#python)
  - [Ruby](#ruby)
  - [Rust](#rust)
- [Relying Parties (RP) Software Plugins](#relying-parties-rp-software-plugins)
- [Resources](#resources)
  - [Flows / Grant Types Specifications](#flows--grant-types-specifications)
  - [Specifications](#specifications)
  - [Websites](#websites)
  - [Thematic Articles](#thematic-articles)
  - [Playgrounds](#playgrounds)
  - [Testing Utilities](#testing-utilities)
  - [Books](#books)

---

## OpenID Providers (OP)

*OpenID Connect Providers as SaaS and Open Source solutions.*

- [Auth0](https://auth0.com/docs/authenticate/protocols/openid-connect-protocol) - OpenID Connect and OAuth 2.0 service that is available on the cloud as a SaaS.
- [Authelia](https://www.authelia.com/) - Open Source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing single sign-on (SSO).
- [Authentik](https://github.com/goauthentik/authentik) - Open Source Identity Provider focused on flexibility and versatility.
- [Authlete](https://www.authlete.com/) - Set of APIs for developers to implement OAuth authorization servers and OpenID Connect identity providers.
- [AWS Cognito](https://aws.amazon.com/cognito/) - Cognito by Amazon Web Services acts as an OpenID Connect provider in addition to its user management and IAM capabilities.
- [Clerk](https://clerk.com/) - Authentication with user management and OpenID Connect provider capabilities.
- [Cloudentity](https://cloudentity.com/) - Cloud Identity and Authorization Platform with FAPI and eKYC support.
- [Connect2id](https://connect2id.com/products/server) - OpenID Connect SSO and IdP server for enterprise.
- [Curity Identity Server](https://curity.io/product/) - API security solution that brings identity and API access management together.
- [Descope](https://docs.descope.com/identity-federation/applications/oidc-apps) - OpenID Connect Provider and Identity Federation solution that provides drag-and-drop user authentication and authorization flows.
- [Dex](https://github.com/dexidp/dex) - Provider that acts as a portal to other identity providers through "connectors" such as LDAP, SAML, OIDC or established identity providers like GitHub, Google, and Active Directory.
- [Duende IdentityServer](https://duendesoftware.com/products/identityserver) - ASP.NET Core OpenID Connect Provider solution.
- [Duo](https://duo.com/) - OpenID Connect Provider and IdP solution developed by Cisco.
- [FrontEgg](https://docs.frontegg.com/docs/configure-frontegg-as-oidc-idp) - A Customer Identity solution for SaaS platforms with OpenID Connect Provider capability.
- [Keycloak](https://www.keycloak.org/) - Open Source project powered by Red Hat which provides user federation, strong authentication, user management, fine-grained authorization, and more.
- [Gluu](https://gluu.org/) - FAPI certified OpenID Connect Provider integrated with IAM.
- [Gravitee.io](https://www.gravitee.io/platform/access-management) - Open Source OpenID Connect/OAuth 2.0 provider that bridges applications and identity providers to authenticate, authorize and retrieve information about user accounts.
- [Kinde](https://kinde.com) - OpenID Connect and OAuth 2.0 service that is available on the cloud as a SaaS.
- [LoginRadius](https://www.loginradius.com/) - A SaaS CIAM that can act as an OpenID Connect provider.
- [Logto](https://github.com/logto-io/logto) - An Open Source solution designed for Customer Identity and Access Management (CIAM) and Workforce Identity Management with OpenID Connect based authentication.
- [Okta](https://www.okta.com/) - Extensible solution that enables both customer and workforce identity with federation, single sign-on, API security and workflows for both cloud and on-prem solutions.
- [Microsoft Entra ID](https://www.microsoft.com/en-us/security/business/solutions/identity-access) - Microsoft's cloud identity service (formerly Azure Active Directory) providing single sign-on access to systems and applications.
- [MITREid Connect](https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server) - Open Source OpenID Connect reference implementation in Java.
- [OpenIddict](https://github.com/openiddict/openiddict-core) - .NET Open Source OpenID Connect Provider implementation supporting ASP.NET Core 2.1 (and higher) applications.
- [OneLogin](https://www.onelogin.com/) - SaaS Employee and Customer IAM solution with OpenID Connect Provider capabilities.
- [Ory Hydra](https://github.com/ory/hydra) - Open Source OpenID Certified™ OpenID Connect and OAuth Provider.
- [Ory Polis (formerly BoxyHQ Jackson)](https://github.com/ory/polis) - Open Source Enterprise SSO that bridges or proxies a SAML login flow to OpenID Connect, with user directory sync capabilities.
- [panva/node-oidc-provider](https://github.com/panva/node-oidc-provider) - Open Source and certified OpenID Connect provider implementation in Node.js with FAPI 1.0 and FAPI 2.0 support.
- [PingFederate](https://www.pingidentity.com/en/platform/capabilities/authentication-authority/pingfederate.html) - Federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.
- [Pocket ID](https://github.com/pocket-id/pocket-id) - A simple OpenID Connect Provider that allows users to authenticate with their passkeys.
- [SiteMinder](https://www.broadcom.com/products/identity/siteminder) - An IAM product from Broadcom with OpenID Connect Provider support.
- [SSOJet](https://ssojet.com) - An OpenID Connect based solution that integrates enterprise SSO into your B2B SaaS.
- [Transmit Security](https://developer.transmitsecurity.com/guides/user/auth_oidc/) - A CIAM solution that supports an OpenID Connect-based integration.
- [WSO2 Identity Server](https://wso2.com/identity-server/) - Identity Server providing modern identity and access management capabilities that can be built into an organization's customer experience (CX) applications.
- [Zitadel](https://github.com/zitadel/zitadel) - Open Source Identity solution with OpenID Connect provider (OP) and SAMLv2 ready to use.
- [Alibaba Cloud IDaaS](https://www.alibabacloud.com/en/product/identity-as-a-service-idaas) - Alibaba Cloud OpenID Connect Provider as a service.
- [SecureAuth](https://www.secureauth.com/) - Identity security platform that provides OpenID Connect Provider capabilities.
- [FusionAuth](https://fusionauth.io/) - Identity and Access Management (IAM) solution with OpenID Connect Provider capabilities.
- [IBM Verify](https://www.ibm.com/products/verify) - OpenID Connect Provider and Identity as a Service (IDaaS) solution by IBM.
- [MojoAuth](https://mojoauth.com) - An OpenID Connect-based passwordless authentication platform using passkeys, magic links, and OTPs.
- [CyberArk Identity](https://www.cyberark.com/) - Identity security solution that provides OpenID Connect Provider capabilities.
- [SailPoint](https://www.sailpoint.com/) - Enterprise identity security platform that provides OpenID Connect Provider capabilities.
- [SAP Customer Identity](https://help.sap.com/docs/SAP_CUSTOMER_DATA_CLOUD/8b8d6fffe113457094a17701f63e3d6a/4167c2d870b21014bbc5a10ce4041860.html) - SAP's OpenID Connect Provider and Identity as a Service (IDaaS) solution.
- [WorkOS](https://workos.com/) - An identity management platform that enables organizations to provide secure access to their workforce, customers, and partners.
- [OpenID Foundation conformance suite](https://gitlab.com/openid/conformance-suite) - Conformance test suite used to obtain OpenID Foundation certification; covers OpenID Connect, FAPI1-Advanced, FAPI2, FAPI-CIBA and OpenID for Identity Assurance (eKYC).

## Relying Parties (RP) Libraries

*Relying Parties (RP) Libraries for implementing OpenID Connect on a client application.*

### C

- [liboauth2](https://github.com/OpenIDC/liboauth2) - Generic library to build C-based OpenID Connect Providers and Relying Parties.
- [mod_auth_openidc](https://github.com/OpenIDC/mod_auth_openidc) - Certified OpenID Connect Relying Party implementation for Apache HTTP Server 2.x.
- [ngx_oauth2_module](https://github.com/OpenIDC/ngx_oauth2_module) - OpenID Connect Relying Party certified implementation for Nginx.

### C#

- [IdentityModel.OidcClient](https://github.com/IdentityModel/IdentityModel.OidcClient) - C# / .NET certified OpenID Connect relying party client library for native mobile/desktop applications.

### Dart

- [openid_client](https://github.com/appsup-dart/openid_client) - OpenID Connect Relying Party client library for Dart in Flutter, Web and Command Line.

### Erlang

- [oidcc](https://github.com/erlef/oidcc) - Certified OpenID Connect Relying Party client library for Erlang and Elixir with FAPI support.

### Golang

- [coreos/go-oidc](https://github.com/coreos/go-oidc) - Go OpenID Connect client.
- [zitadel/oidc](https://github.com/zitadel/oidc) - OpenID Connect client and server library certified by the OpenID Foundation.
### Java

- [com.google.oauth-client/google-oauth-client](https://github.com/googleapis/google-oauth-java-client) - OAuth 2.0 client Java library written by Google, with Android support.
- [com.nimbusds/oauth2-oidc-sdk](https://mvnrepository.com/artifact/com.nimbusds/oauth2-oidc-sdk) - Java SDK developed by Connect2id with OpenID Connect, FAPI, Federation and eKYC / Identity Assurance extensions.
- [Spring Security](https://docs.spring.io/spring-security/reference/servlet/oauth2/login/index.html) - Java framework for securing Spring-based applications with OpenID Connect and OAuth 2.0 support.

### JavaScript

- [openid-client](https://github.com/panva/node-openid-client) - OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.
- [oauth4webapi](https://github.com/panva/oauth4webapi) - OAuth 2.0/OpenID Connect library for JavaScript runtimes.
- [oidc-client-ts](https://github.com/authts/oidc-client-ts) - TypeScript OpenID Connect and OAuth 2.0 client for browser-based applications.

*Libraries focused on specific framework integration*

- [Better Auth](https://github.com/better-auth/better-auth) - Framework-agnostic TypeScript authentication library for SPAs and server-side applications.
- [nuxt-auth for Nuxt 2](https://github.com/nuxt-community/auth-module) - Zero-boilerplate authentication support for Nuxt.js 2.
- [nuxt-auth for Nuxt 3](https://github.com/sidebase/nuxt-auth) - Nuxt 3 user authentication and sessions library; wraps NextAuth.js.
- [angular-auth-oidc-client](https://github.com/damienbod/angular-auth-oidc-client) - Certified Angular library with OAuth 2.0 and OpenID Connect flows, and Angular schematics.
- [angular-oauth2-oidc](https://github.com/manfredsteyer/angular-oauth2-oidc) - Library bringing OAuth 2.0 and OpenID Connect (OIDC) support to Angular.

### OCaml

- [ocaml-oidc](https://github.com/ulrikstrid/ocaml-oidc) - Certified OpenID Connect Relying Party implementation in OCaml.

### PHP

- [thephpleague/oauth2-client](https://github.com/thephpleague/oauth2-client) - Integration with OAuth 2.0 service providers for PHP.
- [Symfony Security](https://symfony.com/doc/current/security/access_token.html#using-openid-connect-oidc) - PHP Security component with OpenID Connect support.

### Python

- [mozilla-django-oidc](https://github.com/mozilla/mozilla-django-oidc/) - A Django OpenID Connect relying party library maintained by Mozilla.

### Ruby

- [openid_connect](https://github.com/nov/openid_connect) - Ruby OpenID Connect Relying Party (RP) and Provider (OP) library.
- [omniauth_openid_connect](https://github.com/omniauth/omniauth_openid_connect) - OpenID Connect strategy for the Ruby OmniAuth library.

### Rust

- [openidconnect](https://github.com/ramosbugs/openidconnect-rs) - OpenID Connect Relying Party (RP) library for Rust.
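Whatever the language, every Relying Party library listed above does the same few things on a login: start the authorization request with PKCE, `state` and `nonce`, check the front-channel callback, and validate the ID token before trusting a single claim in it. The Python below is an added example written for this page, not code from any of the listed libraries. It uses only the standard library; the OP (`https://op.example`), client id `rp-demo`, client secret, authorization code and the `mint_id_token` helper are constructed stand-ins for a real provider's token endpoint, and the ID token is signed with HS256 using the client secret as the HMAC key (OpenID Connect Core section 10.1), because verifying the more common RS256 signature would need a JWKS fetch and an RSA library.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the example; https://op.example is not a real provider.
ISSUER = "https://op.example"
CLIENT_ID = "rp-demo"
CLIENT_SECRET = "constructed-client-secret-only-for-this-example"
REDIRECT_URI = "https://rp.example/callback"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_pair(verifier=None):
    """RFC 7636: a 43-char code_verifier and its S256 code_challenge (verifier is passed only in tests)."""
    verifier = verifier or b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def start_login(authorization_endpoint, client_id, redirect_uri, scope="openid profile email"):
    """Build the authorization request URL and the per-login values the RP must keep in its session."""
    verifier, challenge = pkce_pair()
    session = {"state": b64url(secrets.token_bytes(16)),   # ties the callback to this browser session
               "nonce": b64url(secrets.token_bytes(16)),   # ties the ID token to this login
               "code_verifier": verifier}                  # sent to the token endpoint with the code
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return authorization_endpoint + "?" + urlencode(params), session


def handle_callback(callback_url, session, issuer):
    """Check the front-channel response before the code is exchanged: error, state (CSRF), iss (RFC 9207 mix-up)."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    if "error" in q:
        raise ValueError(f"authorization error: {q['error']}")
    if not hmac.compare_digest(q.get("state", "").encode(), session["state"].encode()):
        raise ValueError("state mismatch: callback does not belong to a login this session started")
    if "iss" in q and q["iss"] != issuer:
        raise ValueError("iss mismatch: response came from a different authorization server")
    return q["code"]


def validate_id_token(id_token, *, issuer, client_id, client_secret, nonce, now=None, leeway=60):
    """OIDC Core 3.1.3.7 checks for an HS256 ID token (client_secret is the HMAC key, OIDC Core 10.1)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm the client registered: this rejects alg=none and algorithm-confusion downgrades.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))   # only read after the signature check
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise ValueError("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("multiple audiences but azp is not this client")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now - leeway:
        raise ValueError("exp missing or token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("iat is in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or injected ID token")
    return claims


def mint_id_token(claims, client_secret):
    """Constructed stand-in for the OP's token endpoint: HS256-sign the claims (test helper only)."""
    header_b64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode("utf-8"))
    payload_b64 = b64url(json.dumps(claims).encode("utf-8"))
    sig = hmac.new(client_secret.encode("utf-8"), f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256)
    return f"{header_b64}.{payload_b64}.{b64url(sig.digest())}"


def demo(now=1_700_000_000):
    """One login end to end against the constructed OP; returns the validated ID token claims."""
    _url, session = start_login(ISSUER + "/authorize", CLIENT_ID, REDIRECT_URI)
    # The OP authenticates the user and redirects back with code, state and (RFC 9207) iss.
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": session["state"], "iss": ISSUER})
    code = handle_callback(callback, session, ISSUER)
    # A real RP now POSTs `code` plus session["code_verifier"] to the token endpoint over the back channel;
    # the constructed OP simply answers with an ID token echoing the nonce from the authorization request.
    id_token = mint_id_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": now + 300,
                              "iat": now, "nonce": session["nonce"]}, CLIENT_SECRET)
    return validate_id_token(id_token, issuer=ISSUER, client_id=CLIENT_ID, client_secret=CLIENT_SECRET,
                             nonce=session["nonce"], now=now)
```

`demo()` runs one login and returns the validated claims; `now` is frozen so the run is reproducible. The order of checks is the point: the algorithm is pinned and the signature verified before any claim is read, `aud` and `azp` are checked together, and `nonce` is compared against the value stored when the login started, which is what binds the ID token to this browser's session rather than to a token an attacker obtained elsewhere.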
## Relying Parties (RP) Software Plugins

- [MiniOrange OAuth SSO](https://wordpress.org/plugins/miniorange-login-with-eve-online-google-facebook/) - WordPress OAuth and OpenID Connect plugin developed and actively maintained by MiniOrange.

## Resources

Where to discover learning resources about OpenID Connect.

### Flows / Grant Types Specifications

- [authorization_code](https://datatracker.ietf.org/doc/html/rfc6749?grant_type=authorization_code#section-1.3.1) - OAuth 2.0 Authorization Code Grant, the recommended grant for user-facing clients such as web and native apps (combined with PKCE for public clients).
- [refresh_token](https://datatracker.ietf.org/doc/html/rfc6749?grant_type=refresh_token#section-1.5) - OAuth 2.0 Refresh Token Grant used to exchange a refresh token for a short-lived access token and sometimes a new refresh token as well.
- [client_credentials](https://datatracker.ietf.org/doc/html/rfc6749?grant_type=client_credentials#section-4.4) - OAuth 2.0 Client Credentials Grant providing a way to get a token without user interaction, which fits machine-to-machine communication.
- [implicit](https://datatracker.ietf.org/doc/html/rfc6749?grant_type=implicit#section-4.2) - OAuth 2.0 Implicit Grant, which is deprecated and should not be used anymore.
- [password](https://datatracker.ietf.org/doc/html/rfc6749?grant_type=password#section-4.3) - OAuth 2.0 Resource Owner Password Credentials Grant, which is no longer recommended.
- [urn:ietf:params:oauth:grant-type:device_code](https://datatracker.ietf.org/doc/html/rfc8628) - OAuth 2.0 Device Authorization Grant for user interaction outside a browser context, such as smart TVs.
- [urn:ietf:params:oauth:grant-type:jwt-bearer](https://datatracker.ietf.org/doc/html/rfc7523) - JSON Web Token (JWT) Profile for OAuth 2.0, used to obtain an access token with a JWT issued by a trusted provider.
- [urn:ietf:params:oauth:grant-type:saml2-bearer](https://datatracker.ietf.org/doc/html/rfc7522) - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0, used to obtain an access token with a SAML assertion issued by a trusted provider.
- [urn:ietf:params:oauth:grant-type:token-exchange](https://datatracker.ietf.org/doc/html/rfc8693) - OAuth 2.0 Token Exchange, a grant type that obtains tokens from another token and can add an actor claim (delegation and impersonation).
- [Proof Key for Code Exchange (PKCE) Extension](https://datatracker.ietf.org/doc/html/rfc7636) - Extension of the Authorization Code flow adding a security layer against authorization code interception attacks.

### Specifications

#### Published

- [CBOR Web Token (CWT)](https://datatracker.ietf.org/doc/html/rfc8392) - CBOR-based token format, the binary counterpart of JWT, used in the context of OpenID Connect and OAuth 2.0.
- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) - Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User. It also describes the security and privacy considerations for using OpenID Connect.
- [The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749) - Underlying OAuth 2.0 protocol OpenID Connect is based on.
- [JSON Web Token (JWT)](https://datatracker.ietf.org/doc/html/rfc7519) - JWT specification used for the different tokens mentioned in the OAuth 2.0 and OpenID Connect specifications.
- [JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens](https://datatracker.ietf.org/doc/html/rfc9068) - JWT format and validation rules for access tokens in the context of OAuth 2.0.
- [JSON Web Key (JWK)](https://datatracker.ietf.org/doc/html/rfc7517) - JSON data structure that represents a cryptographic key; the OpenID Connect Provider publishes its signing keys as a JWK Set at its jwks_uri.
- [JSON Web Encryption (JWE)](https://datatracker.ietf.org/doc/html/rfc7516) - Specification for JWE, which represents encrypted content using JSON-based data structures.
- [JSON Web Signature (JWS)](https://datatracker.ietf.org/doc/html/rfc7515) - Specification for JWS, which represents content secured with digital signatures or MACs.
- [OAuth 2.0 Threat Model and Security Considerations](https://datatracker.ietf.org/doc/html/rfc6819) - Known threats against OAuth 2.0 / OpenID Connect and their countermeasures.
- [OAuth 2.0 Authentication Method Reference Values](https://datatracker.ietf.org/doc/html/rfc8176) - Lists authentication method values for the amr token claim.
- [OAuth 2.0 Authorization Framework: Bearer Token Usage](https://datatracker.ietf.org/doc/html/rfc6750) - Describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources.
- [OAuth 2.0 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252) - Security and usability best practice for OAuth usage in native apps.
- [OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126) - Pushed Authorization Requests (PAR) allow clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request.
- [OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens](https://datatracker.ietf.org/doc/html/rfc8705) - Standardizes enhanced security options for OAuth 2.0 utilizing client-certificate-based mutual TLS (mTLS).
- [OAuth 2.0 JWT-Secured Authorization Request (JAR)](https://datatracker.ietf.org/doc/html/rfc9101) - Allows sending request parameters in a JSON Web Token (JWT), which can be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained.
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) - Mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain the information needed to interact with it.
- [OpenID Connect Front-Channel Logout](https://openid.net/specs/openid-connect-frontchannel-1_0.html) - Logout mechanism that uses front-channel communication via the User Agent between the OpenID Connect Provider (OP) and the Relying Parties (RPs) being logged out, without needing an OpenID Provider iframe on Relying Party pages.
- [OpenID Connect Back-Channel Logout](https://openid.net/specs/openid-connect-backchannel-1_0.html) - Logout mechanism that uses direct back-channel communication between the OpenID Connect Provider (OP) and the Relying Parties (RPs) being logged out.
- [OpenID Connect RP-Initiated Logout](https://openid.net/specs/openid-connect-rpinitiated-1_0.html) - Defines how a Relying Party can request that the OpenID Connect Provider log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.
- [OAuth 2.0 Authorization Server Metadata](https://datatracker.ietf.org/doc/html/rfc8414) - A metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server.
- [OAuth 2.0 Token Revocation](https://datatracker.ietf.org/doc/html/rfc7009) - Endpoint for OAuth authorization servers which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.
- [OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591) - Defines how an OAuth 2.0 client can dynamically register with an OAuth 2.0 authorization server.
- [OAuth 2.0 Demonstrating Proof of Possession (DPoP)](https://datatracker.ietf.org/doc/html/rfc9449) - Mechanism for sender-constraining OAuth 2.0 tokens via an application-level proof of possession of the client's private key, which allows the detection of replay attacks with stolen tokens.
- [OpenID Connect Dynamic Client Registration](https://openid.net/specs/openid-connect-registration-1_0.html) - Defines how an OpenID Connect Relying Party can dynamically register with an OpenID Provider, including the OpenID Connect specific client metadata.
- [OAuth 2.0 Token Introspection](https://datatracker.ietf.org/doc/html/rfc7662) - Method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.
- [OAuth 2.0 Rich Authorization Requests (RAR)](https://datatracker.ietf.org/doc/html/rfc9396) - Extends OAuth 2.0 authorization requests with an additional authorization_details parameter that allows clients to specify their fine-grained authorization requirements using the expressiveness of JSON data structures.
- [Financial-grade API Security Profile 1.0 - Part 1: Baseline](https://openid.net/specs/openid-financial-api-part-1-1_0.html) - Baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk in the context of Financial-grade APIs.
- [Financial-grade API Security Profile 1.0 - Part 2: Advanced](https://openid.net/specs/openid-financial-api-part-2-1_0.html) - Advanced security profile of OAuth that is suitable for protecting APIs with high inherent risk in the context of Financial-grade APIs.
- [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/oauth-v2-jarm.html) - JWT-based response mode that encodes the OAuth authorization response parameters in a signed and/or encrypted JWT, with additional claims that further protect the transmission.
- [Initiating User Registration via OpenID Connect](https://openid.net/specs/openid-connect-prompt-create-1_0.html) - Defines the prompt=create value, which lets a Relying Party ask the OpenID Provider to start user registration instead of login.
- [OpenID Connect Session Management](https://openid.net/specs/openid-connect-session-1_0.html) - Defines how a Relying Party can monitor the End-User's login status at the OpenID Provider so it can learn when the session has ended.
- [OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0](https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html) - Specification for the Client-Initiated Backchannel Authentication (CIBA) flow.
- [OpenID Provider Authentication Policy Extension 1.0](https://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html) - Mechanism by which a Relying Party can request that particular authentication policies, such as multi-factor authentication, be applied by the OpenID Provider.
- [JWT Response for OAuth Token Introspection](https://datatracker.ietf.org/doc/html/rfc9701) - A signed JSON Web Token (JWT) response format for OAuth 2.0 Token Introspection.
- [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/rfc9728) - Metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.
- [OAuth 2.0 Security Best Current Practice](https://datatracker.ietf.org/doc/html/rfc9700) - Security best practice when using OAuth 2.0 and OpenID Connect.
- [OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0](https://openid.net/specs/openid-connect-eap-acr-values-1_0.html) - Defines acr values that allow a Relying Party to request specific authentication methods and assurance levels (phishing-resistant, and phishing-resistant with hardware-protected keys).
- [Resource Indicators for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc8707) - A mechanism that allows an OAuth 2.0 client to indicate the resource server it intends to access.
- [OAuth 2.0 Authorization Server Issuer Identification](https://datatracker.ietf.org/doc/html/rfc9207) - Defines a new iss parameter in the authorization response to identify the authorization server that issued it, mitigating mix-up attacks.
- [FAPI 2.0 Security Profile](https://openid.net/specs/fapi-security-profile-2_0.html) - New version of the FAPI security profile that is suitable for protecting APIs with a high inherent risk in the context of Financial-grade APIs.
- [FAPI 2.0 Attacker Model](https://openid.net/specs/fapi-attacker-model-2_0.html) - Security goals, attacker models and security mechanisms for Financial-grade APIs.
- [FAPI 2.0 Message Signing](https://openid.net/specs/fapi-message-signing-2_0.html) - API security profile for signing and verifying certain FAPI 2.0 Security Profile based requests and responses.

#### Draft

- [OAuth 2.0 Dynamic Client Registration Management Protocol](https://datatracker.ietf.org/doc/html/rfc7592) - Experimental RFC defining endpoints for the management of OAuth 2.0 dynamic client registrations.
- [OpenID Connect Standard Claims Registration for CBOR Web Tokens](https://datatracker.ietf.org/doc/html/draft-ietf-spice-oidc-cwt-01.html) - Defines how to represent the OpenID Connect standard claims in CBOR Web Tokens (CWTs).
- [OpenID Connect Federation 1.0](https://openid.net/specs/openid-federation-1_0.html) - Specification for establishing trust between OPs and RPs in multilateral federations through trust chains rooted in a Trust Anchor, instead of bilateral registration.
- [OpenID AuthZEN](https://openid.net/specs/authorization-api-1_0-01.html) - Standardized API for requesting access decisions from an authorization service, easing integration between services.
- [Financial-grade API: Client Initiated Backchannel Authentication Profile](https://openid.net/specs/openid-financial-api-ciba.html) - Financial services profile for Client Initiated Backchannel Authentication (CIBA).
- [OAuth 2.0 for Browser-Based Apps](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) - Security and usability best practice for OAuth usage in browser-based apps.
- [Selective Disclosure for JWTs (SD-JWT)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt) - Specification for selective disclosure of JWT claims.
- [OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-13) - Consolidation of the OAuth 2.0 specifications into a single document, removing deprecated features (implicit and password grants) and clarifying best practices (PKCE required with the authorization code grant).
- [OAuth 2.0 App2App Browserless Flow](https://github.com/yaron-zehavi/oauth-app2app-browserless) - Describes a protocol enabling native navigation across apps performing authentication using the App2App pattern, without requiring a web browser.
- [OAuth 2.0 Attestation-Based Client Authentication](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-attestation-based-client-auth-07) - Extension to OAuth 2.0 enabling public clients to authenticate using key-bound attestations.
- [OpenID Shared Signals Framework Specification 1.0](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html) - Shared Signals Framework (SSF) enables sharing of signals and events between cooperating peers, supporting applications such as Risk Incident Sharing and Coordination (RISC) and the Continuous Access Evaluation Profile (CAEP).

### Websites

- [OpenID](https://openid.net/) - The OpenID Connect official website.
- [OAuth](https://oauth.net/) - The OAuth website maintained by Aaron Parecki, which lists different resources about the protocol.
- [ByteByteGo](https://blog.bytebytego.com/i/135955829/oauth-explained-with-simple-terms) - OAuth 2.0 explained in visual and simple terms.
- [Aaron Parecki](https://aaronparecki.com/articles) - OAuth WG member blog posts about OAuth 2.0.
- [Alex Bilbie](https://alexbilbie.github.io/tag/oauth/) - Blog posts about OAuth 2.0.
- [CerberAuth](https://www.cerberauth.com/) - A blog about OpenID Connect and OAuth 2.0.
- [Nacho](https://nacho.cerberauth.com/) - An OAuth 2.0 client creation helper that helps choose the right grant type depending on the application.
- [Curity Resources](https://curity.io/resources/openid-connect/) - Curity resource articles about OpenID Connect.
- [Okta Blog](https://developer.okta.com/blog/tags/oidc/) - Okta vendor blog posts about OAuth 2.0 and OpenID Connect.
- [Medium OAuth 2.0](https://medium.com/oauth-2) - Medium publication with learnings, patterns and ideas around the use of OAuth 2.0.
- [Mike Jones: Self-Issued](https://self-issued.info/) - Mike Jones's blog posts about OAuth 2.0 and OpenID Connect.
- [IAMDevBox](https://www.iamdevbox.com/) - Developer blog covering OAuth 2.0/2.1, OIDC, SAML, Keycloak, ForgeRock, and PingIdentity with hands-on tutorials and troubleshooting guides.

### Thematic Articles

- [OAuth for Model Context Protocol](https://aaronparecki.com/2025/04/03/15/oauth-for-model-context-protocol) - Aaron Parecki's article about how OAuth works and how it should be used in the context of Model Context Protocol (MCP) servers.
- [OAuth common vulnerabilities](https://portswigger.net/web-security/oauth) - PortSwigger article about common OAuth 2.0 vulnerabilities and how to mitigate them.
- [MCP OAuth 2.1 Authentication: How AI Agents Securely Connect to Tools](https://www.iamdevbox.com/posts/mcp-oauth-21-authentication-how-ai-agents-securely-connect-to-tools/) - How the Model Context Protocol uses OAuth 2.1 with mandatory PKCE, RFC 8707 audience binding, and zero-configuration discovery for AI agent authentication.

### Playgrounds

- [OAuth.com Playground](https://www.oauth.com/playground/) - OAuth 2.0 / OpenID Connect playground walking through the authorization flows and each step of obtaining an access token.
- [SecureAuthCorp/oauth2c](https://github.com/SecureAuthCorp/oauth2c) - OAuth 2.0 and OpenID Connect command line client for testing and exploring different flows.
- [Curity Playground](https://oauth.tools/) - Tools for exploring and testing OAuth and OpenID Connect flows.
- [MojoAuth: Passkey Playground](https://mojoauth.com/oidc-playground/) - Build and visualize OpenID Connect requests with this interactive tool: configure parameters, generate request URLs, and decode JWTs.

### Testing Utilities

- [OAuth Mock Server](https://oauth.kogiqa.com/) - A free and open-source OAuth mock server that simulates the biggest providers just by replacing the URL. Useful for E2E testing.

### Books

- [2012 - Getting Started with OAuth 2.0 by Ryan Boyd](https://www.oreilly.com/library/view/getting-started-with/9781449317843/)
- [2018 - OAuth 2.0 Simplified by Aaron Parecki](https://www.amazon.com/OAuth-2-0-Simplified-Aaron-Parecki/dp/1387751514/)
- [2020 - The Little Book of OAuth 2.0 RFCs by Aaron Parecki](https://www.amazon.com/Little-Book-OAuth-2-0-RFCs/dp/B084DFYJS1/)
- [2021 - Keycloak - Identity and Access Management for Modern Applications: Harness the power of Keycloak, OpenID Connect, and OAuth 2.0 protocols to secure applications by Stian Thorgersen and Pedro Igor Silva](https://www.amazon.com/Keycloak-Management-Applications-protocols-applications-ebook/dp/B092KP135B/)
- [2022 - Solving Identity Management in Modern Applications: Demystifying OAuth 2, OpenID Connect, and SAML 2 by Yvonne Wilson](https://www.amazon.com/Solving-Identity-Management-Modern-Applications-ebook/dp/B0BMQHF83G/)

## Contributing

Your contributions are always welcome! Please take a look at the [contribution guidelines](https://github.com/cerberauth/awesome-openidconnect/blob/master/CONTRIBUTING.md) first.