liboauth2

Generic library to build C-based OAuth 2.x and OpenID Connect servers and clients e.g. web-server plugins.

Overview

• extends cjose into OAuth 2.x and OpenID Connect specific claims, secrets, and hashes
• adds OAuth 2.x and OpenID Connect protocols by abstracting HTTP requests and responses from web server implementation specifics
• reusable code across other OAuth 2.x and REST related protocols e.g. token exchange with endpoint authentication, source token retrieval, target pass settings etc.
• generic code with plugins for Apache, NGINX, and possibly more (e.g. Envoy, HA Proxy, IIS)
• configurable cache backend/size/options per cache element type
• cookie-based session management (i.e. enforce inactivity timeout, expiry)

Features

• OpenID Connect 1.0
• OAuth 2.0 Resource Owner Password Credentials (RFC 6749)
• OAuth 2.0 Token Introspection (RFC 7662)
• JWT bearer token validation using JWK, JWKS URI, shared symmetric key, X.509 cert, and RSA public key (RFC 6750)
• OAuth 2.0 Authorization Server Metadata (RFC 8414)
• Proof Key for Code Exchange (PKCE) by OAuth Public Clients (RFC 7636)
• OAuth 2.0 Mutual-TLS (MTLS) Certificate-Bound Access Tokens (RFC 8705)
• OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC9449)
• Amazon ALB EC key URL based x-amzn-oidc-data JWT verification
• endpoint authentication methods: client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt, TLS client certificate, and HTTP basic authentication
• configurable cache backends: shared memory, file-based, memcache, and Redis
• retrieving a token from a header, a query parameter, a post parameter, or a cookie
• setting a token as a header, a query parameter, a post parameter, or a cookie
• Apache and NGINX bindings

Dependencies

liboauth2 depends on the following libraries:

• openssl for SSL and crypto support
• libcurl for HTTP client support
• jansson for JSON parsing
• cjose for JSON Object Signing and Encryption (JOSE) support
• (optional) libmemcached for memcache cache backend support
• (optional) libhiredis for Redis cache backend support
• (optional) Apache 2.x for Apache 2.x bindings support
• (optional) NGINX for NGINX bindings support
• (optional, build time only) check for unit test support

Support

Community Support

See Frequently Asked Questions on the Wiki.
Ask questions in the Discussions tracker.

Commercial Support

For commercial support contracts, professional services, training, and use-case specific support, contact OpenIDC at: sales@openidc.com

Disclaimer

This software is open sourced by OpenIDC. For commercial support you can contact OpenIDC as described above in the Support section.