Awesome OAuth 2.0 and OpenID Connect

A curated list of resources for OAuth 2.0 and OpenID Connect (OIDC) — specifications, articles, books, playgrounds, and more.

Contents

• Site
• Specification
• Article
• Book
• Server Implementation
• Client Library
• Tool
• Video
• Social Media
• Community

Site

• OAuth on Wikipedia
• OAuth.net by Okta
• OAuth.com by Okta
• OAuth Articles and Posts by Alex Bilbie
• OpenID Connect
• OpenID Connect Explained by Connect2id
• Connect2id Learn Portal
• OpenID Certification

Specification

IETF RFC

• The OAuth 2.0 Authorization Framework (RFC 6749)
• The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
• OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
• OAuth 2.0 Token Revocation (RFC 7009)
• WebFinger (RFC 7033)
• JSON Web Signature (JWS) (RFC 7515)
• JSON Web Encryption (JWE) (RFC 7516)
• JSON Web Key (JWK) (RFC 7517)
• JSON Web Algorithms (JWA) (RFC 7518)
• JSON Web Token (JWT) (RFC 7519)
• Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE) (RFC 7520)
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
• SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522)
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
• OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
• OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592)
• Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
• OAuth 2.0 Token Introspection (RFC 7662)
• JSON Web Signature (JWS) Unencoded Payload Option (RFC 7797)
• Authentication Method Reference Values (RFC 8176)
• OAuth 2.0 for Native Apps (RFC 8252)
• OAuth 2.0 Authorization Server Metadata (RFC 8414)
• Security Event Token (SET) (RFC 8417)
• Vectors of Trust (RFC 8485)
• OAuth 2.0 Device Authorization Grant (RFC 8628)
• OAuth 2.0 Token Exchange (RFC 8693)
• OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)
• JSON Web Token Best Current Practices (RFC 8725)
• Push-Based Security Event Token (SET) Delivery Using HTTP (RFC 8935)
• Poll-Based Security Event Token (SET) Delivery Using HTTP (RFC 8936)
• JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068)
• The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) (RFC 9101)
• OAuth 2.0 Pushed Authorization Requests (RFC 9126)
• OAuth 2.0 Authorization Server Issuer Identification (RFC 9207)
• JWK Thumbprint URI (RFC 9278)
• OAuth 2.0 Rich Authorization Requests (RFC 9396)
• Client-Cert HTTP Header Field (RFC 9440)
• OAuth 2.0 Demonstrating Proof of Possession (DPoP) (RFC 9449)
• OAuth 2.0 Step Up Authentication Challenge Protocol (RFC 9470)
• Subject Identifiers for Security Event Tokens (RFC 9493)
• OAuth 2.0 Security Best Current Practice (RFC 9700)
• Selective Disclosure for JSON Web Tokens (SD-JWT) (RFC 9901)

IETF Draft

Active

• OAuth 2.0 for Browser-Based Apps (draft-ietf-oauth-browser-based-apps-26)
• The OAuth 2.1 Authorization Framework (draft-ietf-oauth-v2-1-14)
• Cross-Device Flows: Security Best Current Practice (draft-ietf-oauth-cross-device-security-15)
• OAuth Identity and Authorization Chaining Across Domains (draft-ietf-oauth-identity-chaining-07)
• SD-JWT-based Verifiable Digital Credentials (draft-ietf-oauth-sd-jwt-vc-14)
• Token Status List (draft-ietf-oauth-status-list-17)
• Transaction Tokens (draft-ietf-oauth-transaction-tokens-07)

Expired & archived

• Reciprocal OAuth (draft-ietf-oauth-reciprocal-04)
• OAuth 2.0 Token Binding (draft-ietf-oauth-token-binding-08)
• OAuth 2.0 Incremental Authorization (draft-ietf-oauth-incremental-authz-04)

OpenID Connect

• OpenID Connect Core 1.0
• OpenID Connect Discovery 1.0
• OpenID Connect Dynamic Client Registration 1.0
• OAuth 2.0 Multiple Response Types
• OAuth 2.0 Form Post Response Mode
• OpenID Connect RP-Initiated Logout 1.0
• OpenID Connect Session Management 1.0
• OpenID Connect Front-Channel Logout 1.0
• OpenID Connect Back-Channel Logout 1.0
• OpenID Connect Federation 1.0
• OpenID Connect for Identity Assurance 1.0

CIBA

• OpenID Connect CIBA Flow - Core 1.0

FAPI

• FAPI 2.0 Security Profile
• FAPI 2.0 Message Signing
• FAPI 2.0 Attacker Model
• JWT Secured Authorization Response Mode (JARM)
• Grant Management for OAuth 2.0

Shared Signals

• Shared Signals Framework 1.0
• RISC Profile 1.0
• CAEP Specification 1.0

Verifiable Credentials

• OpenID for Verifiable Credential Issuance (OID4VCI)
• OpenID for Verifiable Presentations (OID4VP)
• Self-Issued OpenID Provider v2 (SIOPv2)

Article

• OAuth 2.0 系列文 by Yucheng Chuang
  • (1) 世界觀
  • (2) Client 的註冊與認證
  • (3) Endpoints 的規格
  • (4.1) Authorization Code Grant Flow 細節
  • (4.2) Implicit Grant Flow 細節
  • (4.3) Resource Owner Credentials Grant Flow 細節
  • (4.4) Client Credentials Grant Flow 細節
  • (5) 核發與換發 Access Token
  • (6) Bearer Token 的使用方法
  • (7) 安全性問題
  • 各大網站 OAuth 2.0 實作差異
• OAuth 2 Simplified by Aaron Parecki
• 理解OAuth 2.0 by 阮一峰
• 帮你深入理解OAuth2.0协议
• What's OAuth2 Anyway? by Roman Glushko
• How OpenID Connect Works by OpenID Foundation
• OpenID Connect (OAuth.com) by Aaron Parecki

Book

• OAuth 2 in Action
• Getting Started with OAuth 2.0 - Programming Clients for Secure Web API Authorization and Authentication
• Identity and Data Security for Web Development - Best Practices
• OAuth 2.0 – Getting Started in Web-API Security
• OpenID Connect入門 ―アプリケーション開発者のための実践技術解説

Server Implementation

• Keycloak - Open-source IAM by Red Hat, supports OAuth 2.0, OIDC, and SAML 2.0 (Java)
• Ory Hydra - Headless, cloud-native OAuth 2.0 and OIDC server, OpenID Certified (Go)
• Dex - Federated OIDC provider by CNCF, widely used in the Kubernetes ecosystem (Go)
• Authentik - Self-hosted identity provider supporting OAuth 2.0, OIDC, SAML, SCIM, and LDAP (Python/Go)
• Authelia - Authentication and SSO server with OIDC Identity Provider support (Go)
• node-oidc-provider - Certified OpenID Connect provider for Node.js (JavaScript)
• Spring Authorization Server - Official Spring project for OAuth 2.0 and OIDC Authorization Servers (Java)
• OpenIddict - Flexible open-source OIDC server for ASP.NET Core (.NET)
• ZITADEL - Cloud-native identity management with OAuth 2.0 and OIDC (Go)
• Logto - Developer-friendly, open-source Auth0 alternative with OIDC support (TypeScript)
• Casdoor - UI-first IAM platform supporting OAuth 2.0, OIDC, SAML, CAS, and more (Go)

Client Library

Go

• golang.org/x/oauth2 - Official Go OAuth 2.0 client library
• go-oidc - OpenID Connect support for Go, built on golang.org/x/oauth2

JavaScript / TypeScript

• openid-client - Certified OpenID Connect Relying Party for Node.js
• jose - Universal JavaScript module for JWS, JWE, JWT, JWK, and JWKS
• passport - Authentication middleware for Node.js with OAuth 2.0 / OIDC strategies
• arctic - OAuth 2.0 provider helpers for 50+ providers with minimal abstraction

Python

• Authlib - OAuth and OIDC client/server library for Flask, Django, FastAPI, and more
• OAuthLib - Generic, spec-compliant OAuth request-signing logic
• requests-oauthlib - OAuth support for Python requests, built on OAuthLib
• PyJWT - JSON Web Token encoding and decoding

Java

• Nimbus JOSE + JWT - Popular Java library for JOSE and JWT
• Nimbus OAuth 2.0 SDK - Comprehensive OAuth 2.0 and OpenID Connect SDK
• ScribeJava - Simple OAuth 1.0 / 2.0 client library

Rust

• oauth2-rs - Extensible, strongly-typed OAuth 2.0 client
• openidconnect-rs - OpenID Connect library built on oauth2-rs

.NET

• Duende IdentityServer - OAuth 2.0 and OIDC framework for ASP.NET Core (free for dev/OSS)
• Microsoft.Identity.Web - Microsoft Identity integration for ASP.NET Core

PHP

• league/oauth2-server - Standards-compliant OAuth 2.0 authorization server
• league/oauth2-client - OAuth 2.0 client library

Ruby

• Doorkeeper - OAuth 2.0 provider for Ruby on Rails
• OmniAuth - Multi-provider authentication framework

Mobile

• AppAuth (iOS) - OpenID Certified OIDC/OAuth 2.0 SDK for iOS, following RFC 8252 best practices
• AppAuth (Android) - OpenID Certified OIDC/OAuth 2.0 SDK for Android, following RFC 8252 best practices

Other

• mod_auth_openidc - OpenID Certified OIDC Relying Party module for Apache HTTP Server

Tool

Playground

• OAUTH.TOOLS - Interactive OAuth/OIDC playground by Curity
• Google OAuth 2.0 Playground
• OIDC Playground
• OIDC Debugger - Web-based tool for testing OIDC authorization requests
• OpenID Connect Conformance Suite - Official OIDC provider conformance test suite

JWT

• jwt.io - JWT debugger and library directory by Auth0
• jwt.ms - JWT decoder by Microsoft
• token.dev - Modern JWT debugger with a clean interface
• mkjwk.org - JSON Web Key (JWK) generator
• jwt-cli - Command-line JWT decoder/encoder (Rust)

CLI

• oauth2c - Command-line OAuth 2.0 client supporting all grant types, PKCE, DPoP, mTLS
• step-cli - CLI for certificates, tokens, and OIDC flows

Video

• OAuth 2.0 and OpenID Connect (in plain English) by Nate Barbettini
• An Illustrated Guide to OAuth and OpenID Connect by OktaDev
• The Nuts and Bolts of OAuth 2.0 by Aaron Parecki
• Identity, Authentication + OAuth = OpenID Connect by Dominick Baier

Social Media

• OAuth 2.0 Explained by Alex Xu (ByteByteGo)

Community

• IETF OAuth Working Group Mailing List - Where OAuth specifications are discussed and developed
• OpenID Foundation - Organization behind OpenID Connect standards and certification
• Identiverse - Premier annual conference on digital identity