An OIDC authorization server building blocks with security and privacy by design philosophy.
This will not provide a full-featured standalone OIDC Server but a limited and secure settings according to your use cases :
online users
usingauthorization_code
flow with mandatory PKCE via Pushed Authorization Request with state enforcement;machine-to-machine
usingclient_credentials
based on asymetric authentication schemes;devices and constrained environments
, you know for IO(v)T (Internet Of vulnerable Thing);offline users
usingrefresh_token
flow for application that need toact as an online user but without its online interaction
.
I have been developing OAuth/OIDC/UMA providers since 2012, in multiple
languages and environments. People generally don't understand
OIDC flows.
It's like driving a car that requires you to know how engine work and how the car is built. But the only thing you want is to drive your car.
OAuth / OIDC is often criticized in favor of SAML, but implementations are more vulnerables than the protocol itself. OAuth is just offered as a developer framework, but it's true to say that not all developers are aware of security problems.
Implementations are done by developers that don't have/take the time to browse the specification maze, they read them quickly with their own belief in mind. As a consequence the specifications are not understood but barely interpreted, that will produce faulty implementations.
Also security products are often associated with NIH syndrom.
What I observed in real life:
- Not using
authorization_code
because it doesn't have user/password in the flow; client_credentials
grant type to be used ascustomer credentials
likepassword
grant type but for external customer user access (login form with client credentials);- Using
client_credentials
from a JS public UI (hardcoded client_secret); - Dynamic authorization application based on token claims without signature checks;
- Authentication based on the fact the you can retrieve the token ... not validating token content (Token is here => You are admin);
Many OIDC providers give you a lot of features that you have to understand and choose to maximize your security posture. So that your security posture is correlated to your understanding of OAuth and OIDC and their implementations in the product.
I don't like this idea to be honest.
I understand the requirements of commercial products to have a wide compatibility
matrix, but by allowing insecure settings for one client you can compromise the
the whole platform, and also lose the customer inside the feature fog
.
But OAuth / OIDC specification are only tools in a toolbox, and they need to be orchestrated in a proper way to provide a simple, efficient and secure service.
That's the reason why I've started this project as an OSS project, to provide a simple and solid implementations of 4 OAuth flows.
- Enforce OIDC features as a complete suite according to selected use-case;
- Provide a complete toolchain to enforce security and privacy without the complete knowledge of all related protocols;
- Enhance security posture based on security objectives not the understand of security protocols;
- Provide a battle-tested framework;
- Provide a wire protocol decoupled framework, OIDC is tighly coupled to HTTP but it can be easily decoupled to become portable between other wire protocols (CoAP);
- A complete OIDC compliant server. By making some optional and recommended
parameters as required,
solid
can't pass the OIDC compliance tests;
I made sample server and various integrations inside examples/
folder.
PAR+DPoP+JARM
is enabled and enforced forauthorization_code
flow;hybrid
flow is not and will be supported; Web applications must use server side component (or lambda) to negociate authorizations; By design, your client-side application code (JS) should not be exposed until you are identified;- Only response_type
code
will be supported to enforce server-side negociation; PKCE+Nonce
is enforced by default for all client types duringauthorization_code
flow;authorization_code
flow could not be started by theuser-agent
, as the default behavior, theclient
must use PAR protocol to retrieve arequest_uri
that will qualify and start theauthorization_code
flow;- Asymetric authentication methods are enforced by default;
- No
HSxxx
/RSxxx
support as JOSE signature algorithms;HSxxx
doesn't provide digital signature;RSxxx
uses RSA algorithms that needs to have high computation to improve security protection level so that it will be more difficult for constrained environment (IoT) to have same security protection level as a normal application;- Only
elliptical curves
involved algorithms will be used;
access_token
/refresh_token
arehybrid
tokens so that they embed protocol validation details (expiration, etc.) without any privacy related info (sub). These informations are referenced via an embededjti
claim that will address an AS-only accessbile record that will contains extra data;audience
parameter is mandatory for request that needscope
in order to target the corresponding application. This will allow various validations betweenclient
andapplication
, andconsent
management;PAR
must use JWT encoded request payload to due request registration.
- OAuth
- Client authentication
-
private_key_jwt
client authentication -
tls_client_auth
client authentication
-
- Core
-
client_credentials
grant type -
authorization_code
grant type -
refresh_token
grant type -
device_code
grant type - Pairwise subject identifier
- Resource Indicators for OAuth 2.0
-
- Client
- Token Management
- Token
- Scheme
- Bearer - rfc6750
- DPoP - draft-fett-oauth-dpop-04
- mTLS constrained tokens - draft-ietf-oauth-mtls-17
- Authentication by reference
- Random string
- Authentication by value
- Scheme
- Client authentication
- Storage
- API
- Client
- Confidential client
- Public client
- Requests
- Authorization request
- Tokens
- Storage
- Sessions
- AuthorizationCode
- DeviceCode
- Client
- in-memory storage
- gRPC driven storage
- API
- Privacy
- Consent management
- HTTP
- Authorization Server
- Standalone
- Caddy plugin
- Reverse Proxy
- Caddy plugin
- Authorization Server
- CoAP
- Authorization Server
- Standalone
- Authorization Server
- AWS
- Auhtorization Server
- AWS Lambda
- Auhtorization Server
- OAuth 2.0
- OAuth 2.0 Client Authentication
- OAuth 2.0 Security Best Current Practice
- Why you should stop using the OAuth implicit grant!
- OAuth 2.0 for Browser-Based Apps
- Financial-grade API - Part 1: Read-Only API Security Profile
- Financial-grade API - Part 2: Read and Write API Security Profile
- PKCE vs. Nonce: Equivalent or Not?
- An Extensive Formal Security Analysis of the OpenID Financial-grade API
- Mix-Up, Revisited
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)