OAuth 2.0 client / server SDK for Java with OpenID Connect 1.0 extensions
About OAuth 2.0
OAuth 2.0 is an authorisation framework which enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner (the user), or by allowing the third-party application to obtain access on its own behalf.
OAuth 2.0 is specified in RFC 6749 and its companion specifications.
About OpenID Connect 1.0
OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user based on the authentication performed by an authorisation server, as well as to obtain basic profile information about the user in an interoperable and REST-like manner.
OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing optional encryption of identity data, discovery of OpenID Providers, and session management.
Go to the OpenID Connect specifications for more details.
About this SDK
This open source SDK is your starting point for developing OAuth 2.0 and OpenID Connect based applications in Java.
OAuth 2.0
Supported endpoint requests and responses:
- Authorisation Server Metadata
- Authorisation Endpoint
- Token Endpoint
- Token Introspection Endpoint
- Token Revocation Endpoint
- Client Registration and Management Endpoint
- Request Object Endpoint
- Resource protected with an OAuth 2.0 access token
OpenID Connect
Supported endpoint requests and responses:
- OpenID Provider Metadata
- Authorisation Endpoint for OpenID Authentication requests
- Token Endpoint
- UserInfo Endpoint
- End-Session (Logout) Endpoint
- Back-Channel Logout Endpoint
Features:
- Process plain, signed and encrypted JSON Web Tokens (JWTs) with help of the Nimbus JOSE+JWT library.
- Full i18n Language Tags (RFC 5646) support via the Nimbus-LangTag library.
- Java Servlet integration.
This SDK version implements the following standards and drafts:
- The OAuth 2.0 Authorization Framework (RFC 6749)
- The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
- OAuth 2.0 Token Introspection (RFC 7662)
- OAuth 2.0 Token Revocation (RFC 7009)
- OAuth 2.0 Authorization Server Metadata (draft-ietf-oauth-amr-values-01)
- OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
- OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592)
- Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
- JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
- SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522)
- Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
- Authentication Method Reference Values (RFC 8176)
- OAuth 2.0 Authorization Server Metadata (RFC 8414)
- OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (draft-ietf-oauth-mtls-15)
- Resource Indicators for OAuth 2.0 (draft-ietf-oauth-resource-indicators-00)
- OAuth 2.0 Incremental Authorization (draft-ietf-oauth-incremental-authz-00)
- OAuth 2.0 Device Authorization Grant (draft-ietf-oauth-device-flow-15)
- The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) (draft-ietf-oauth-jwsreq-17)
- OAuth 2.0 Pushed Authorization Requests (draft-lodderstedt-oauth-par-01)
- OpenID Connect Core 1.0 (2014-02-25)
- OpenID Connect Core Unmet Authentication Requirements 1.0 (2019-05-08)
- OpenID Connect Discovery 1.0 (2014-02-25)
- OpenID Connect Dynamic Registration 1.0 (2014-02-25)
- OpenID Connect Session Management 1.0 (2014-11-08)
- OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00
- OpenID Connect for Identity Assurance 1.0 - draft 08
- OAuth 2.0 Multiple Response Type Encoding Practices 1.0 (2014-02-25)
- Financial Services – Financial API - Part 1: Read Only API Security Profile (2018-10-17)
- Financial Services – Financial API - Part 2: Read and Write API Security Profile (2018-10-17)
- Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (2018-10-17)
| Package | Description |
|---|---|
| com.nimbusds.oauth2.sdk |
Classes for representing, serialising and parsing OAuth 2.0 client requests
and authorisation server responses.
|
| com.nimbusds.oauth2.sdk.as |
OAuth 2.0 Authorisation Server (AS) classes.
|
| com.nimbusds.oauth2.sdk.assertions |
Common SAML 2.0 and JWT bearer assertion classes.
|
| com.nimbusds.oauth2.sdk.assertions.jwt |
JWT bearer assertions.
|
| com.nimbusds.oauth2.sdk.assertions.saml2 |
SAML 2.0 bearer assertions.
|
| com.nimbusds.oauth2.sdk.auth |
Implementations of OAuth 2.0 client authentication methods at the Token
endpoint.
|
| com.nimbusds.oauth2.sdk.auth.verifier |
Client authentication verifier framework.
|
| com.nimbusds.oauth2.sdk.client |
OAuth 2.0 dynamic client registration.
|
| com.nimbusds.oauth2.sdk.device |
OAuth 2.0 device authorisation grant classes.
|
| com.nimbusds.oauth2.sdk.http |
HTTP message and utility classes.
|
| com.nimbusds.oauth2.sdk.id |
Common OAuth 2.0 identifier and identity classes.
|
| com.nimbusds.oauth2.sdk.jarm |
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) utilities.
|
| com.nimbusds.oauth2.sdk.jose |
JavaScript Object Signing and Encryption (JOSE) utilities.
|
| com.nimbusds.oauth2.sdk.pkce |
Proof Key for Code Exchange (PKCE) classes.
|
| com.nimbusds.oauth2.sdk.token |
OAuth 2.0 access and refresh token implementations.
|
| com.nimbusds.oauth2.sdk.util |
Common utility classes.
|
| com.nimbusds.oauth2.sdk.util.date |
Date / time utilities.
|
| com.nimbusds.openid.connect.sdk |
Classes for representing, serialising and parsing OpenID Connect client
requests and server responses.
|
| com.nimbusds.openid.connect.sdk.assurance |
OpenID Connect for identity assurance.
|
| com.nimbusds.openid.connect.sdk.assurance.claims |
Identity assurance claims.
|
| com.nimbusds.openid.connect.sdk.assurance.evidences |
Identity evidence classes.
|
| com.nimbusds.openid.connect.sdk.claims |
Claims and claim sets used in OpenID Connect.
|
| com.nimbusds.openid.connect.sdk.id |
Common OpenID Connect identifier and identity classes.
|
| com.nimbusds.openid.connect.sdk.op |
OpenID Connect Provider (OP) classes.
|
| com.nimbusds.openid.connect.sdk.rp |
OpenID Connect Relying Party (RP) classes.
|
| com.nimbusds.openid.connect.sdk.token |
OpenID Connect token extensions.
|
| com.nimbusds.openid.connect.sdk.validators |
Client-side OpenID Connect ID token, access token and authorisation code
validators.
|
| com.nimbusds.secevent.sdk.claims |
Security event claims.
|