Awesome OpenID Connect
OpenID Connect is an authentication protocol and identity layer built on top of OAuth 2.0, used in many SSO systems and adopted by many social logins (Apple, Facebook, Google, etc.). Basically, it allows a user to authenticate to a service using an existing account at an OpenID Connect Provider (OP), sharing some identity information after the user's consent, and to obtain an access token that the Relying Party (RP) application uses to access resources.
This curated list gathers providers, services, libraries, and resources to help you adopt it and learn more about existing and draft specifications.
OpenID Providers (OP)
OpenID Connect Providers as SaaS and Open Source solutions.
- Auth0 - OpenID Connect and OAuth 2.0 service that is available in the cloud as a SaaS.
- Authelia - Open Source authentication, authorization server and portal fulfilling the identity and access management (IAM) role of information security in providing single sign-on (SSO).
- Authentik - Open Source Identity Provider focused on flexibility and versatility.
- Authlete - Set of APIs for developers to implement OAuth authorization servers and OpenID Connect identity providers.
- AWS Cognito - Cognito by Amazon Web Services provides an OpenID Connect provider in addition to IAM capabilities.
- Cloudentity - Cloud Identity and Authorization Platform with FAPI and eKYC support.
- Connect2id - OpenID Connect SSO and IdP server for enterprise.
- Curity Identity Server - API Security solution that brings identity and API access management together.
- Duende IdentityServer - ASP.NET Core OpenID Connect Provider solution.
- Duo - OpenID Connect Provider and IdP solution developed by Cisco.
- FrontEgg - A Customer Identity solution for SaaS platforms with OpenID Connect Provider capability.
- ForgeRock Identity Platform - Standards-based OpenID Connect Provider / OAuth 2.0 Authorization Server with an Access Management server.
- Keycloak - Open Source project powered by RedHat which provides user federation, strong authentication, user management, fine-grained authorization, and more.
- Gluu - OpenID Connect Provider and FAPI certified solution, integrated with IAM.
- Gravitee.io - Open Source OpenID Connect/OAuth 2.0 provider that aims to be a bridge between applications and identity providers for authenticating, authorizing and getting information about user accounts.
- LoginRadius - A SaaS CIAM that can act as an OpenID Connect provider.
- Logto - Open Source solution designed for Customer Identity and Access Management (CIAM) and Workforce Identity Management with OpenID Connect based authentication.
- Okta - Extensible solution that enables both customer and workforce identity with federation, single sign-on, API security and workflows for both cloud and on-prem solutions.
- Microsoft Entra ID - Software component developed by Microsoft providing single sign-on access to systems and applications.
- MITREid Connect - Open Source OpenID Connect reference implementation in Java.
- OpenIddict - .NET Open Source OpenID Connect Provider implementation with ASP.NET Core 2.1 (and higher) applications support.
- OneLogin - SaaS Employee and Customer IAM solution with OpenID Connect Provider capabilities.
- Ory Hydra - Open Source OpenID Certified™ OpenID Connect and OAuth Provider.
- panva/node-oidc-provider - Open Source and certified OpenID Connect provider implementation in Node.js with FAPI 1.0 and FAPI 2.0 support.
- PingFederate - Federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.
- SiteMinder - An IAM solution provided by Broadcom with OpenID Connect Provider support.
- Transmit Security - Transmit Security is a CIAM solution that supports an OpenID Connect-based integration.
- WSO2 Identity Server - Identity Server which provides modern identity and access management capabilities that can be easily built into an organization's customer experience (CX) applications.
- Zitadel - Open Source Identity solution with OpenID Connect provider (OP) and SAMLv2 ready to use.
- OpenID Foundation conformance suite - Conformance test suite used to obtain OpenID Foundation certification, covering OpenID Connect, FAPI1-Advanced, FAPI2, FAPI-CIBA and OpenID for Identity Assurance (eKYC).
Relying Parties (RP) Libraries
Relying Parties (RP) libraries for implementing OpenID Connect in a client application.
C
- liboauth2 - Generic library to build C-based OpenID Connect Providers and Relying Parties.
- mod_auth_openidc - OpenID Connect Relying Party certified implementation for Apache HTTP Server 2.x.
- ngx_oauth2_module - OpenID Connect Relying Party certified implementation for Nginx.
C#
- IdentityModel.OidcClient - C# / .NET OpenID Connect relying party client certified library for native mobile/desktop applications.
Dart
- openid_client - OpenID Connect Relying Party client library for Dart in Flutter, Web and Command Line.
Erlang
- oidcc - Certified OpenID Connect Relying Party client library for Erlang and Elixir with FAPI support.
Golang
- coreos/go-oidc - Go OpenID Connect client.
- zitadel/oidc - OpenID Connect client and server library certified by the OpenID Foundation.
Java
- com.google.oauth-client/google-oauth-client - OAuth Relying Party Java library written by Google for OAuth 2.0 with Android support.
- com.nimbusds/oauth2-oidc-sdk - Java SDK developed by connect2id with OpenID Connect, FAPI, Federation and eKYC / Identity Assurance extensions.
- Spring Security - Spring Security implements OAuth 2.0 and OpenID Connect for Spring based applications.
JavaScript
- openid-client - OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.
- oauth4webapi - OAuth 2/OpenID Connect library for JavaScript Runtimes.
- oidc-client-ts - TypeScript OpenID Client and OAuth 2.0 client for browser-based applications.
Framework-specific integration libraries
- NextAuth.js - Open Source authentication solution for Next.js applications including using OpenID Connect.
- nuxt-auth for Nuxt 2 - Zero-boilerplate authentication support for Nuxt.js 2.
- nuxt-auth for Nuxt 3 - Nuxt 3 user authentication and sessions library. nuxt-auth wraps NextAuth.js.
- angular-auth-oidc-client - Angular certified library with OAuth 2.0 and OpenID Connect flows, and Angular schematics.
- angular-oauth2-oidc - Library which brings support for OAuth 2.0 and OpenID Connect (OIDC) to Angular.
OCaml
- ocaml-oidc - Certified OpenID Connect Relying Party implementation in OCaml.
PHP
- thephpleague/oauth2-client - Integration with OAuth 2.0 service providers for PHP.
- Symfony Security - Symfony Security component with OpenID Connect access token authentication.
Python
- mozilla-django-oidc - A Django OpenID Connect relying party library maintained by Mozilla.
Ruby
- openid_connect - Ruby OpenID Connect Relying Party (RP) and Provider (OP) library.
- omniauth_openid_connect - OpenID Connect Strategy for Ruby OmniAuth library.
Rust
- openidconnect - OpenID Connect Relying Party (RP) library for Rust.
Relying Parties (RP) Software Plugins
- MiniOrange OAuth SSO - WordPress OAuth and OpenID Connect plugin developed and actively maintained by MiniOrange.
Resources
Where to discover learning resources about OpenID Connect.
Flows / Grant Types Specifications
- authorization_code - OAuth 2.0 Authorization Code Grant Type, which is well suited to public client authorization such as web apps.
- refresh_token - OAuth 2.0 Refresh Token Grant Type used to exchange a refresh token for a short-lived access token and sometimes a new refresh token as well.
- client_credentials - OAuth 2.0 Client Credentials Grant providing a way to get a token without user interaction, which is well suited to machine-to-machine communication.
- implicit - OAuth 2.0 Implicit Grant Type, which is deprecated and should not be used anymore.
- password - OAuth 2.0 Resource Owner Password Credentials Grant Type, which is no longer recommended.
- urn:ietf:params:oauth:grant-type:device_code - OAuth 2.0 Device Authorization Grant focused on user interaction outside of a browser context, such as on smart TVs.
- urn:ietf:params:oauth:grant-type:jwt-bearer - JSON Web Token (JWT) Profile for OAuth 2.0 used to authorize a client to get an access token using a JWT issued by a trusted provider.
- urn:ietf:params:oauth:grant-type:saml2-bearer - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 used to authorize a client to get an access token using a SAML assertion issued by a trusted provider.
- urn:ietf:params:oauth:grant-type:token-exchange - OAuth 2.0 Token Exchange is a Grant Type which provides a way to obtain tokens from another token and the ability to add an actor claim.
- Proof Key for Code Exchange (PKCE) Extension - Extension of the Authorization Code flow adding a security layer against authorization code interception attacks.
Specifications
Published
- OpenID Connect Core 1.0 - Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User. It also describes the security and privacy considerations for using OpenID Connect.
- The OAuth 2.0 Authorization Framework - The underlying OAuth 2.0 protocol that OpenID Connect is based on.
- JSON Web Token (JWT) - JWT specifications used for different tokens mentioned in OAuth 2.0 and OpenID Connect specifications.
- JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - JWT format and validation specifications in the context of OAuth 2.0.
- JSON Web Key (JWK) - JavaScript Object Notation (JSON) data structure that represents a cryptographic key, as provided by an OpenID Connect Provider.
- JSON Web Encryption (JWE) - Specifications for JWE which represents encrypted content using JSON-based data structures.
- JSON Web Signature (JWS) - Specifications for JWS which represents content secured with digital signatures.
- OAuth 2.0 Threat Model and Security Considerations - Known threats using OAuth 2.0 / OpenID Connect and countermeasures.
- OAuth 2.0 Authentication Method Reference Values - Lists the authentication method values for the amr token claim.
- OAuth 2.0 Authorization Framework: Bearer Token Usage - Describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources.
- OAuth 2.0 for Native Apps - Security and usability best practice for OAuth usage in Native apps.
- OAuth 2.0 Pushed Authorization Requests - Pushed authorization request (PAR) allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request.
- OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens - Standardizes enhanced security options for OAuth 2.0 utilizing client-certificate-based mutual TLS (mTLS).
- OAuth 2.0 JWT-Secured Authorization Request (JAR) - Allows sending request parameters in a JSON Web Token (JWT), which can be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained.
- OpenID Connect Discovery 1.0 - Mechanism for an OpenID Connect Relying Party to discover the End-User’s OpenID Provider and obtain information needed to interact with it.
- OpenID Connect Front-Channel Logout - Logout mechanism that uses front-channel communication via the User Agent between the OpenID Connect provider (OP) and Relying Parties (RPs) being logged out that does not need an OpenID Provider iframe on Relying Party pages.
- OpenID Connect Back-Channel Logout - Logout mechanism that uses direct back-channel communication between the OpenID Connect provider (OP) and Relying Parties (RPs) being logged out.
- OpenID Connect RP-Initiated Logout - Defines how a Relying Party can request that the OpenID Connect provider log out the End-User by redirecting the End-User's User Agent to the OP's Logout Endpoint.
- OAuth 2.0 Authorization Server Metadata - A metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server.
- OAuth 2.0 Token Revocation - Endpoint for OAuth authorization servers which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.
- OAuth 2.0 Dynamic Client Registration Protocol - Defines how an OAuth 2.0 client can dynamically register with an OAuth 2.0 authorization server.
- OAuth 2.0 Demonstrating Proof of Possession (DPoP) - Mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism at the application level, which allows the detection of replay attacks with tokens.
- OpenID Connect Dynamic Client Registration - Defines how an OpenID Connect Relying Party (RP) can dynamically register with an OpenID Provider (OP).
- OAuth 2.0 Token Introspection - Method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.
- Financial-grade API Security Profile 1.0 - Part 1: Baseline - Baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk in the context of Financial-grade APIs.
- Financial-grade API Security Profile 1.0 - Part 2: Advanced - Advanced security profile of OAuth that is suitable to be used for protecting APIs with high inherent risk in the context of Financial-grade APIs.
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - JWT-based mode to encode OAuth authorization response parameters with additional claims used to further protect the transmission.
- Initiating User Registration via OpenID Connect - Specification for initiating user registration via OpenID Connect using the create prompt value.
- OpenID Connect Session Management - Specifications about OpenID Connect session management.
- OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0 - Specifications for Client-Initiated Backchannel Authentication (CIBA) flow.
Draft
- JWT Response for OAuth Token Introspection - Proposal for an additional, signed JSON Web Token (JWT) secured response for OAuth 2.0 Token Introspection.
- OAuth 2.0 Dynamic Client Registration Management Protocol - Endpoints for management of OAuth 2.0 dynamic client registrations.
- OAuth 2.0 Security Best Current Practice - Security best current practices when using OAuth 2.0 and OpenID Connect.
- OpenID Connect Federation 1.0 - Draft specification for putting in place bilateral federations between two organizations.
- Financial-grade API: Client Initiated Backchannel Authentication Profile - Financial services profile specifications for Client Initiated Backchannel Authentication (aka CIBA).
- OAuth 2.0 for Browser-Based Apps - Security and usability best practice for OAuth usage in Browser-based apps.
- OAuth 2.0 Protected Resource Metadata - Metadata format that an OAuth 2.0 client or authorization server can use to obtain the information needed to interact with an OAuth 2.0 protected resource.
- Selective Disclosure for JWTs (SD-JWT) - Specification for selective disclosure of JWT elements.
Websites
- OpenID - OpenID Connect official website.
- OAuth - OAuth website maintained by Aaron Parecki which lists various resources about the protocol.
- ByteByteGo - OAuth 2.0 explained in visual and simple terms.
- Aaron Parecki - Blog posts by Aaron Parecki, OAuth WG member, about OAuth 2.0.
- Alex Bilbie - Alex Bilbie blog posts about OAuth 2.0 topics.
- CerberAuth - A blog talking about OpenID Connect and OAuth 2.0.
- Nacho - An OAuth 2.0 client creation helper that helps choose the right grant type depending on the application.
- Curity Resources - Curity resource articles about OpenID Connect.
- Okta Blog - Okta blog posts about OAuth 2.0 and OpenID Connect.
- Medium OAuth 2.0 - Medium blog with learnings, patterns and ideas around use of OAuth 2.0.
- Mike Jones: Self-Issued - Mike Jones blog posts about OAuth 2.0 and OpenID Connect.
Playgrounds
- OAuth.com Playground - OAuth 2.0 / OpenID Connect Playground that walks step by step through the authorization flows and the process of obtaining an access token.
- Curity Playground - Tools for exploring and testing OAuth and OpenID Connect flows.
Books
- 2012 - Getting Started with OAuth 2.0 by Ryan Boyd
- 2018 - OAuth 2.0 Simplified by Aaron Parecki
- 2020 - The Little Book of OAuth 2.0 RFCs by Aaron Parecki
- 2021 - Keycloak - Identity and Access Management for Modern Applications: Harness the power of Keycloak, OpenID Connect, and OAuth 2.0 protocols to secure applications by Stian Thorgersen and Pedro Igor Silva
- 2022 - Solving Identity Management in Modern Applications: Demystifying OAuth 2, OpenID Connect, and SAML 2 by Yvonne Wilson
Contributing
Your contributions are always welcome! Please take a look at the contribution guidelines first.