Awesome OpenID Connect

OpenID Connect is an authentication protocol and identity layer on top of OAuth 2.0, used for single sign-on (SSO) and adopted by many social logins (Apple, Facebook, Google, etc). It lets a user authenticate to a Relying Party (RP) application with an existing account at an OpenID Connect Provider (OP): after the user consents, the RP receives an ID token carrying verified identity claims about the user, and usually an access token it can use to call the OP's UserInfo endpoint or other protected APIs.

A curated list of providers, services, libraries and resources to adopt OpenID Connect and to learn more about the existing and draft specifications.

Contents


OpenID Providers (OP)

OpenID Connect Providers as SaaS and Open Source solutions.

  • Auth0 - OpenID Connect and OAuth 2.0 service that is available on the cloud as a SaaS.

  • Authelia - Open Source authentication, authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing single sign-on (SSO).

  • Authentik - Open Source Identity Provider focused on flexibility and versatility.

  • Authlete - Set of APIs for developers to implement OAuth authorization servers and OpenID Connect identity providers.

  • AWS Cognito - Cognito by Amazon Web Services has OpenID Connect provider in addition to IAM capabilities.

  • Cloudentity - Cloud Identity and Authorization Platform with FAPI and eKYC support.

  • Connect2id - OpenID Connect SSO and IdP server for enterprise.

  • Curity Identity Server - API Security solution that brings identity and API access management together.

  • Duende IdentityServer - ASP.NET Core OpenID Connect Provider solution.

  • Duo - OpenID Connect Provider and IdP solution developed by Cisco.

  • FrontEgg - A Customer Identity solution for SaaS platforms with OpenID Connect Provider capability.

  • ForgeRock Identity Platform - Standards-based OpenID Connect Provider / OAuth 2.0 Authorization Server with an Access Management server.

  • Keycloak - Open Source project backed by Red Hat which provides user federation, strong authentication, user management, fine-grained authorization, and more.

  • Gluu - FAPI-certified OpenID Connect Provider integrated with IAM.

  • Gravitee.io - Open Source OpenID Connect/OAuth 2.0 provider that aims to be a bridge between applications and identity providers for authenticating, authorizing and retrieving information about user accounts.

  • LoginRadius - A SaaS CIAM that can act as an OpenID Connect provider.

  • Logto - An Open-source solution designed for Customer Identity and Access Management (CIAM) and Workforce Identity Management with OpenID Connect based authentication.

  • Okta - Extensible solution that enables both customer and workforce identity with federation, single sign-on, API security and workflows for both cloud and on-prem solutions.

  • Microsoft Entra ID - Microsoft's cloud identity and access management service (formerly Azure Active Directory) providing single sign-on to systems and applications through OpenID Connect and OAuth 2.0 endpoints.

  • MITREid Connect - Open Source OpenID Connect reference implementation in Java.

  • OpenIddict - .NET Open Source OpenID Connect Provider implementation with ASP.NET Core 2.1 (and higher) applications support.

  • OneLogin - SaaS Employee and Customer IAM solution with OpenID Connect Provider capabilities.

  • Ory Hydra - Open Source OpenID Certified™ OpenID Connect and OAuth Provider.

  • panva/node-oidc-provider - Open Source and certified OpenID Connect provider implementation in Node.js with FAPI 1.0 and FAPI 2.0 support.

  • PingFederate - Federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.

  • SiteMinder - An IAM solution from Broadcom with OpenID Connect Provider support.

  • Transmit Security - Transmit Security is a CIAM solution that supports an OpenID Connect-based integration.

  • WSO2 Identity Server - Identity Server which provides modern identity and access management capabilities that can be easily built into an organization's customer experience (CX) applications.

  • Zitadel - Open Source Identity solution with OpenID Connect provider (OP) and SAMLv2 ready to use.

  • OpenID Foundation conformance suite - Conformance test suite used to obtain OpenID Foundation certification; covers OpenID Connect, FAPI 1 Advanced, FAPI 2, FAPI-CIBA and OpenID for Identity Assurance (eKYC).

Relying Parties (RP) Libraries

Relying Parties (RP) Libraries for implementing OpenID Connect on a client application.

C

  • liboauth2 - Generic library to build C-based OpenID Connect Provider and Relying Party.
  • mod_auth_openidc - Certified OpenID Connect Relying Party implementation for Apache HTTP Server 2.x.
  • ngx_oauth2_module - OpenID Connect Relying Party certified implementation for Nginx.

C#

  • IdentityModel.OidcClient - Certified C# / .NET OpenID Connect Relying Party library for native mobile and desktop applications.

Dart

  • openid_client - OpenID Connect Relying Party client library for Dart in Flutter, Web and Command Line.

Erlang

  • oidcc - Certified OpenID Connect Relying Party client library for Erlang and Elixir with FAPI support.

Golang

  • coreos/go-oidc - Go OpenID Connect client.
  • zitadel/oidc - OpenID Connect client and server library certified by the OpenID Foundation.

Java

JavaScript

  • openid-client - OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.
  • oauth4webapi - OAuth 2/OpenID Connect library for JavaScript Runtimes.
  • oidc-client-ts - TypeScript OpenID Client and OAuth 2.0 client for browser-based applications.

Libraries layer focused on specific framework integration

  • NextAuth.js - Open Source authentication solution for Next.js applications including using OpenID Connect.
  • nuxt-auth for Nuxt 2 - Zero-boilerplate authentication support for Nuxt.js 2.
  • nuxt-auth for Nuxt3 - Nuxt 3 user authentication and sessions library. nuxt-auth wraps NextAuth.js.
  • angular-auth-oidc-client - Angular certified library with OAuth 2.0 and OpenID Connect flows, and Angular schematics.
  • angular-oauth2-oidc - Library which brings support for OAuth 2.0 and OpenID Connect (OIDC) to Angular.

OCaml

  • ocaml-oidc - Certified OpenID Connect Relying Party implementation in OCaml.

PHP

Python

Ruby

Rust

  • openidconnect - OpenID Connect Relying party (RP) library for Rust.

Relying Parties (RP) Software Plugins

  • MiniOrange OAuth SSO - WordPress OAuth and OpenID Connect plugin developed and actively maintained by MiniOrange.

Resources

Where to discover learning resources about OpenID Connect.

Flows / Grant Types Specifications

  • authorization_code - OAuth 2.0 Authorization Code Grant Type, the recommended flow for user-facing applications; used by confidential clients (server-side web apps) and, combined with PKCE, by public clients (SPAs, native and mobile apps).
  • refresh_token - OAuth 2.0 Refresh Token Grant Type used to exchange a refresh token for a new short-lived access token and, when the server rotates refresh tokens, a new refresh token as well.
  • client_credentials - OAuth 2.0 Client Credentials Grant providing a way to obtain a token without user interaction, which fits machine-to-machine communication.
  • implicit - OAuth 2.0 Implicit Grant Type, which returns tokens in the redirect URI fragment where they can leak through browser history and referrers; deprecated and should not be used anymore.
  • password - OAuth 2.0 Resource Owner Password Credentials Grant Type, which hands the user's credentials to the client and is no longer recommended.
  • urn:ietf:params:oauth:grant-type:device_code - OAuth 2.0 Device Authorization Grant for devices with limited input or no browser, such as smart TVs, where the user approves the request on a second device.
  • urn:ietf:params:oauth:grant-type:jwt-bearer - JSON Web Token (JWT) Profile for OAuth 2.0, used to obtain an access token by presenting a JWT issued by a trusted provider.
  • urn:ietf:params:oauth:grant-type:saml2-bearer - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0, used to obtain an access token by presenting a SAML assertion issued by a trusted provider.
  • urn:ietf:params:oauth:grant-type:token-exchange - OAuth 2.0 Token Exchange, a Grant Type for obtaining a token from another token (impersonation or delegation), with the ability to add an actor (act) claim.
  • Proof Key for Code Exchange (PKCE) Extension - Extension of the Authorization Code flow in which the client sends a hash of a one-time secret (code_challenge) with the authorization request and the secret itself (code_verifier) with the token request, so an intercepted authorization code cannot be redeemed by anyone else.
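The Authorization Code flow with PKCE described above, together with the ID token checks OpenID Connect Core requires of a Relying Party (the RP side of the exchange sketched in the introduction), as an added example; this is not code from this list or from any listed project. The issuer https://op.example.com, the client id rp-client, the client secret, the redirect URI, the authorization code and the subject are constructed placeholders, and fake_op_token_endpoint is an in-process stand-in for the OP so the script runs offline. The ID token is signed with HS256 keyed by the client secret (permitted by OIDC Core section 10.1) so that only the standard library is needed; production RPs normally verify RS256/ES256 signatures against the OP's published JWKS.

```python
# Added example (not from the Awesome OpenID Connect list or any listed project). Issuer,
# client id/secret, redirect URI, authorization code and subject below are constructed.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://op.example.com"            # assumed OP issuer (must equal the iss claim)
CLIENT_ID = "rp-client"                      # assumed RP registration at the OP
CLIENT_SECRET = "constructed-shared-secret"  # constructed; HS256 key per OIDC Core 10.1
REDIRECT_URI = "https://rp.example.com/cb"   # assumed registered redirect URI


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_pkce_pair():
    """RFC 7636: random verifier (43 chars here), challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(challenge: str, state: str, nonce: str) -> str:
    """Front-channel request the RP redirects the browser to."""
    return f"{ISSUER}/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "code_challenge": challenge, "code_challenge_method": "S256",
        "state": state,    # binds the callback to this browser session (anti-CSRF)
        "nonce": nonce,    # binds the ID token to this request (anti-replay)
    })


def check_callback(callback_url: str, expected_state: str) -> str:
    """Accept the code only if state matches the value stored in the RP session."""
    qs = parse_qs(urlsplit(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: CSRF or mixed-up callback")
    return qs["code"][0]


def validate_id_token(id_token: str, nonce: str, now=None) -> dict:
    """OIDC Core 3.1.3.7: signature, iss, aud (and azp), exp, nonce. Returns the claims."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":   # pin the alg agreed at registration; never trust the header
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("multiple audiences but azp is not this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: replayed or foreign ID token")
    return claims


def fake_op_token_endpoint(code, code_verifier, challenge_at_authz, nonce, exp) -> str:
    """Constructed stand-in for the OP's token endpoint: checks PKCE (code lookup omitted), mints HS256 ID token."""
    if b64url(hashlib.sha256(code_verifier.encode("ascii")).digest()) != challenge_at_authz:
        raise ValueError("invalid_grant: PKCE verification failed")
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
                                 "exp": exp, "iat": exp - 300, "nonce": nonce}).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url(sig.digest())}"


def run_flow(now=None) -> dict:   # whole RP side end to end; returns the validated claims
    now = time.time() if now is None else now
    verifier, challenge = new_pkce_pair()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    build_authorization_request(challenge, state, nonce)   # browser is redirected here
    callback = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    code = check_callback(callback, state)
    id_token = fake_op_token_endpoint(code, verifier, challenge, nonce, int(now) + 300)
    return validate_id_token(id_token, nonce, now)


if __name__ == "__main__":
    print(run_flow())
```

Two design points worth noting: the RP pins the expected signing algorithm from its registration instead of reading it from the token header (the classic alg=none and key-confusion mistakes come from trusting the header), and state and nonce are distinct values with distinct jobs: state ties the callback to the browser session that started the flow, nonce ties the ID token to that specific authorization request.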

Specifications

Published

Draft

Websites

  • OpenID - OpenID Connect official website.
  • OAuth - OAuth website maintained by Aaron Parecki which lists resources about the protocol.
  • ByteByteGo - OAuth 2.0 explained in visual and simple terms.
  • Aaron Parecki - Blog posts about OAuth 2.0 by Aaron Parecki, OAuth Working Group member.
  • Alex Bilbie - Alex Bilbie blog posts about OAuth 2.0 topic.
  • CerberAuth - A blog talking about OpenID Connect and OAuth 2.0.
  • Nacho - An OAuth 2.0 client creation helper that guides the choice of grant type depending on the application.
  • Curity Resources - Curity solution resources articles about OpenID Connect.
  • Okta Blog - Okta blog posts about OAuth 2.0 and OpenID Connect.
  • Medium OAuth 2.0 - Medium blog with learnings, patterns and ideas around use of OAuth 2.0.
  • Mike Jones: Self-Issued - Mike Jones blog posts about OAuth 2.0 and OpenID Connect.

Playgrounds

  • OAuth.com Playground - OAuth 2.0 / OpenID Connect Playground with authorization flows and step by step of the process of obtaining an access token.
  • Curity Playground - Tools for exploring and testing OAuth and OpenID Connect flows.

Books

Contributing

Your contributions are always welcome! Please take a look at the contribution guidelines first.