Openauth

OpenAuth is a standards-based authentication server and identity provider that implements OAuth 2.0 and OpenID Connect protocols. It serves as a centralized system for managing user identities, issuing access tokens, and orchestrating authentication flows across various services.

The project functions as a federated identity gateway, aggregating external providers such as Google, GitHub, Microsoft, Apple, and Discord into a unified login flow. It distinguishes itself with a multi-tenant architecture that supports pluggable identity providers and customizable user interface frameworks for branding and theme management.

The platform covers comprehensive identity management, including local password authentication, email verification, and security PINs. It features a decoupled persistence layer with storage adapters for DynamoDB, key-value stores, and in-memory systems. Security capabilities include PKCE support, schema-based subject validation for identity payloads, and client access restrictions based on request metadata.

The software is designed for multi-environment deployment, allowing it to run as a standalone service or an embedded module across different cloud runtimes.

Features

Centralized App Authentication Layers - Acts as a centralized authentication layer managing passwords and multi-provider logins for multiple services.

OAuth 2.0 Authorization Servers - Functions as a standards-compliant OAuth 2.0 and OpenID Connect authorization server that manages client registrations and issues tokens.

Token Authenticity Verifications - Validates the authenticity and expiration of access tokens to secure API requests and manage sessions.

Authentication Flows - Generates secure redirect URLs to initiate OAuth 2.0 and OpenID Connect authorization flows.

Proof Key for Code Exchange - Supports the secure exchange of authorization codes for access tokens, utilizing PKCE to prevent interception attacks.

Email Verification Flows - Provides workflows for verifying user identity by sending unique one-time validation codes via email.

OAuth and Identity Providers - Supports a modular system for delegating authentication to various external identity providers and third-party platforms.

Identity Gateways - Operates as an identity gateway bridging local services to various external authentication providers.

Identity Payload Extractions - Extracts and validates user identity data from access tokens to identify the authenticated subject.

Token Subject Specifications - Specifies the structure and content of the user identity data embedded within issued tokens.

Multi-Tenant Authentication Services - Supports a multi-tenant architecture with isolated user pools and tenant-specific configurations.

OAuth 2.0 Authorization Flows - Implements the standard OAuth 2.0 protocol for exchanging authorization codes and tokens to secure application access.

PKCE Authorization Flows - Implements secure authorization code flows using PKCE to exchange temporary codes for access tokens via browser redirects.

Token and Key Storage - Manages the persistent storage of OAuth refresh tokens and security credentials.

OAuth Provider Integrations - Integrates with generic external OAuth 2.0 providers to facilitate user sign-in without local credentials.

OIDC Identity Token Issuance - Issues OIDC identity tokens based on validated user roles and attributes.

OpenID Connect Providers - Functions as an OpenID Connect provider to issue identity tokens and enable single sign-on.

OpenID Connect Support - Implements the OpenID Connect protocol to manage user identities across external authentication services.

Password Authentication - Verifies user identities using traditional username and password combinations to grant access to protected resources.

Session Token Refreshers - Implements mechanisms to obtain new access tokens using refresh tokens to maintain session continuity.

Third-Party Identity Integrations - Aggregates external providers such as Google, GitHub, Microsoft, and Discord into a unified login flow.

Identity Header Injections - Injects authenticated user attributes into access tokens for downstream authorization.

Identity Payload Definitions - Defines the data structure and validation rules for user identities embedded into access tokens.

Token Payload Validations - Enforces schema-based validation for user identity attributes embedded within issued access tokens.

Schema Validation - Uses schema validation to verify the data structure of user identities mapped to access tokens.

Data Storage Adapters - Implements a modular adapter pattern to decouple authentication logic from various storage backends.

Cloudflare Workers KV Stores - Persists authentication server data using Cloudflare Workers KV for distributed access and high availability.

Storage Backend Adapters - Provides storage backend adapters to decouple authentication logic from specific persistence layers like DynamoDB or in-memory stores.

Multi-Runtime Deployment - Supports deployment as either a standalone service or an embedded module across different cloud runtimes.

Request Access Restrictions - Evaluates request metadata and redirect URIs to restrict client access to the issuer.

Customizable Login Interfaces - Provides a framework for creating branded, customizable login and provider selection interfaces.

Apple Authentication Providers - Enables user identity verification through Apple accounts using OAuth2 and OIDC protocols.

Identity Store Adapters - Features pluggable identity store adapters for swapping between DynamoDB, KV stores, and memory.

User Identity Verification - Implements user-facing verification flows that deliver security PINs via email or phone using custom callbacks.

Google Account Authentications - Implements user identity verification using Google accounts via OAuth2 and OpenID Connect.

Identity Providers - Provides a centralized identity provider role that orchestrates which authentication services are presented to the user.

Token Lifecycle Management - Manages the lifecycle of refresh tokens and authorization codes within a persistence layer to maintain user sessions.

Microsoft Account Integrations - Implements authentication and authorization flows for Microsoft personal, work, and school accounts.

Facebook Integrations - Provides authentication and authorization flows specifically for verifying identities via Facebook accounts.

Spotify Identity Verifications - Verifies user identities via the OAuth 2.0 protocol by integrating with Spotify identity services.

PIN Code Authentications - Handles the exchange of unique PIN codes to authenticate users and link their devices.

Third-Party Authentication Providers - Provides integration with GitHub as an external identity provider for user authentication.

AWS Cognito Providers - Verifies user identities and manages sessions by integrating with AWS Cognito OAuth endpoints.

Discord Identity Providers - Integrates with the Discord authentication service to verify user identities.

Data Validation Schemas - Enforces specific data structures for user identity payloads using validation schemas before they are embedded into tokens.

OAuth 2.0 Provider Integrations - Uses the OAuth 2.0 specification to integrate Slack as an identity provider for user authentication.

Authentication UI Components - Renders dedicated UI components for password-based authentication, sign-up, and verification workflows.

anomalycoopenauth

Features

Star history