OAuth 2.0 client / server SDK for Java with OpenID Connect 1.0 extensions

About OAuth 2.0

OAuth 2.0 is an authorisation framework which enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner (the user), or by allowing the third-party application to obtain access on its own behalf.

OAuth 2.0 is specified in RFC 6749 and its companion specifications.

About OpenID Connect 1.0

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user based on the authentication performed by an authorisation server, as well as to obtain basic profile information about the user in an interoperable and REST-like manner.

OpenID Connect allows clients of all types, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, allowing optional encryption of identity data, discovery of OpenID Providers, and session management.

Go to the OpenID Connect specifications for more details.

About this SDK

This open source SDK is your starting point for developing OAuth 2.0 and OpenID Connect based applications in Java.

OAuth 2.0

Supported endpoint requests and responses:

  • Authorisation Server Metadata
  • Authorisation Endpoint
  • Token Endpoint
  • Token Introspection Endpoint
  • Token Revocation Endpoint
  • Client Registration and Management Endpoint
  • Request Object Endpoint
  • Resource protected with an OAuth 2.0 access token

OpenID Connect

Supported endpoint requests and responses:

  • OpenID Provider Metadata
  • Authorisation Endpoint for OpenID Authentication requests
  • Token Endpoint
  • UserInfo Endpoint
  • End-Session (Logout) Endpoint
  • Back-Channel Logout Endpoint

Features:

  • Process plain, signed and encrypted JSON Web Tokens (JWTs) with help of the Nimbus JOSE+JWT library.
  • Full i18n Language Tags (RFC 5646) support via the Nimbus-LangTag library.
  • Java Servlet integration.

This SDK version implements the following standards and drafts:

  • The OAuth 2.0 Authorization Framework (RFC 6749)
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
  • OAuth 2.0 Token Introspection (RFC 7662)
  • OAuth 2.0 Token Revocation (RFC 7009)
  • OAuth 2.0 Authorization Server Metadata (draft-ietf-oauth-amr-values-01)
  • OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
  • OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592)
  • Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
  • JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
  • SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522)
  • Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
  • Authentication Method Reference Values (RFC 8176)
  • OAuth 2.0 Authorization Server Metadata (RFC 8414)
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens (RFC 8705)
  • Resource Indicators for OAuth 2.0 (RFC 8707)
  • OAuth 2.0 Incremental Authorization (draft-ietf-oauth-incremental-authz-00)
  • OAuth 2.0 Device Authorization Grant (draft-ietf-oauth-device-flow-15)
  • The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) (draft-ietf-oauth-jwsreq-21)
  • OAuth 2.0 Pushed Authorization Requests (draft-lodderstedt-oauth-par-01)
  • OpenID Connect Core 1.0 (2014-02-25)
  • OpenID Connect Core Unmet Authentication Requirements 1.0 (2019-05-08)
  • OpenID Connect Discovery 1.0 (2014-02-25)
  • OpenID Connect Dynamic Registration 1.0 (2014-02-25)
  • OpenID Connect Session Management 1.0 (2014-11-08)
  • OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 - draft 00
  • OpenID Connect for Identity Assurance 1.0 - draft 08
  • OpenID Connect Federation 1.0 - draft 11
  • OAuth 2.0 Multiple Response Type Encoding Practices 1.0 (2014-02-25)
  • Financial Services – Financial API - Part 1: Read Only API Security Profile (2018-10-17)
  • Financial Services – Financial API - Part 2: Read and Write API Security Profile (2018-10-17)
  • Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) (2018-10-17)
Packages 
Package Description
com.nimbusds.oauth2.sdk
Classes for representing, serialising and parsing OAuth 2.0 client requests and authorisation server responses.
com.nimbusds.oauth2.sdk.as
OAuth 2.0 Authorisation Server (AS) classes.
com.nimbusds.oauth2.sdk.assertions
Common SAML 2.0 and JWT bearer assertion classes.
com.nimbusds.oauth2.sdk.assertions.jwt
JWT bearer assertions.
com.nimbusds.oauth2.sdk.assertions.saml2
SAML 2.0 bearer assertions.
com.nimbusds.oauth2.sdk.auth
Implementations of OAuth 2.0 client authentication methods at the Token endpoint.
com.nimbusds.oauth2.sdk.auth.verifier
Client authentication verifier framework.
com.nimbusds.oauth2.sdk.client
OAuth 2.0 dynamic client registration.
com.nimbusds.oauth2.sdk.device
OAuth 2.0 device authorisation grant classes.
com.nimbusds.oauth2.sdk.http
HTTP message and utility classes.
com.nimbusds.oauth2.sdk.id
Common OAuth 2.0 identifier and identity classes.
com.nimbusds.oauth2.sdk.jarm
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) utilities.
com.nimbusds.oauth2.sdk.jose
JavaScript Object Signing and Encryption (JOSE) utilities.
com.nimbusds.oauth2.sdk.pkce
Proof Key for Code Exchange (PKCE) classes.
com.nimbusds.oauth2.sdk.token
OAuth 2.0 access and refresh token implementations.
com.nimbusds.oauth2.sdk.util
Common utility classes.
com.nimbusds.oauth2.sdk.util.date
Date / time utilities.
com.nimbusds.oauth2.sdk.util.tls
TLS / SSL utilities.
com.nimbusds.openid.connect.sdk
Classes for representing, serialising and parsing OpenID Connect client requests and server responses.
com.nimbusds.openid.connect.sdk.assurance
OpenID Connect for Identity Assurance 1.0 classes.
com.nimbusds.openid.connect.sdk.assurance.claims
Identity assurance claims.
com.nimbusds.openid.connect.sdk.assurance.evidences
Identity evidence classes.
com.nimbusds.openid.connect.sdk.claims
Claims and claim sets used in OpenID Connect.
com.nimbusds.openid.connect.sdk.federation
OpenID Connect Federation 1.0 classes.
com.nimbusds.openid.connect.sdk.federation.api
OpenID Connect Federation 1.0 API classes.
com.nimbusds.openid.connect.sdk.federation.config
OpenID Connect Federation 1.0 entity configuration request and response classes.
com.nimbusds.openid.connect.sdk.federation.entities
OpenID Connect Federation 1.0 entity classes.
com.nimbusds.openid.connect.sdk.federation.policy
OpenID Connect Federation 1.0 policy.
com.nimbusds.openid.connect.sdk.federation.policy.language
Interfaces and classes for the OpenID Connect Federation 1.0 policy language.
com.nimbusds.openid.connect.sdk.federation.policy.operations  
com.nimbusds.openid.connect.sdk.federation.trust
OpenID Connect Federation 1.0 trust chains and resolution.
com.nimbusds.openid.connect.sdk.federation.trust.constraints
OpenID Connect Federation 1.0 trust chain constraints.
com.nimbusds.openid.connect.sdk.id
Common OpenID Connect identifier and identity classes.
com.nimbusds.openid.connect.sdk.op
OpenID Connect Provider (OP) classes.
com.nimbusds.openid.connect.sdk.rp
OpenID Connect Relying Party (RP) classes.
com.nimbusds.openid.connect.sdk.token
OpenID Connect token extensions.
com.nimbusds.openid.connect.sdk.validators
Client-side OpenID Connect ID token, access token and authorisation code validators.
com.nimbusds.secevent.sdk.claims
Security event claims.