Zero-Dependency RFC 8252 OAuth 2.0 Authorization Flow

Overview

Tiny OAuth2 Client

This is a minimal zero-dependency implementation of RFC 8252 (OAuth 2.0 for Native Apps), relying on Loopback Interface Redirection (i.e. no need to register a private-use URI scheme), with full support for PKCE and CSRF protection.

Requirements

  • Java 11+
  • Ideally some JSON or JWT parser of your choice

Usage

Configure your authorization server to allow http://127.0.0.1/* as a redirect target and look up these configuration values:

  • client identifier
  • token endpoint
  • authorization endpoint

// this library will just perform the Authorization Flow:
var httpResponse = TinyOAuth2.client("oauth-client-id")
		.withTokenEndpoint(URI.create("https://login.example.com/oauth2/token"))
		.authFlow(URI.create("https://login.example.com/oauth2/authorize"))
		.authorize(uri -> System.out.println("Please login on " + uri));

// from this point onwards, please proceed with the JSON/JWT parser of your choice:
if (httpResponse.statusCode() == 200) {
	var jsonString = httpResponse.body();
	var bearerToken = parseJson(jsonString).get("access_token");
	// ...
}

If your authorization server doesn't allow wildcards, you can also configure a fixed path (and even port) via e.g. setRedirectPath("/callback") and setRedirectPorts(8080).
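What the library does for you between `authorize(...)` returning a login URI and the token response arriving, as an added example that is not the library's own code: it generates a PKCE code_verifier and its S256 code_challenge plus a random state, opens a short-lived listener on 127.0.0.1 on an ephemeral port, builds the authorization request (leaving the scope parameter out entirely when no scopes are requested) and rejects any callback whose state does not match the one it issued. The loopback listener uses the JDK's built-in com.sun.net.httpserver, which is a choice of this example only; the endpoint URI and client id are the README's placeholders, and the class and method names (LoopbackPkceFlow, randomToken, codeChallenge, authorizationUri, parseQuery, awaitAuthorizationCode) are the example's own.

```java
import java.io.OutputStream;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.concurrent.*;
import com.sun.net.httpserver.HttpServer;

/** Added example (not the library's code): the moving parts of an RFC 8252 loopback flow with PKCE and a state check. */
public final class LoopbackPkceFlow {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** 32 random bytes encode to 43 base64url characters, inside the 43..128 unreserved-character range of RFC 7636. */
    static String randomToken() {
        byte[] bytes = new byte[32];
        RANDOM.nextBytes(bytes);
        return B64URL.encodeToString(bytes);
    }

    /** S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))). */
    static String codeChallenge(String codeVerifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(codeVerifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    /** Builds the authorization request; "scope" is left out entirely when no scopes are requested (optional per RFC 6749). */
    static URI authorizationUri(URI authEndpoint, String clientId, URI redirectUri, String state,
                                String codeChallenge, List<String> scopes) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("response_type", "code");
        params.put("client_id", clientId);
        params.put("redirect_uri", redirectUri.toString());
        params.put("state", state);
        params.put("code_challenge", codeChallenge);
        params.put("code_challenge_method", "S256");
        if (!scopes.isEmpty()) {
            params.put("scope", String.join(" ", scopes));
        }
        StringBuilder query = new StringBuilder();
        params.forEach((k, v) -> query.append(query.length() == 0 ? '?' : '&')
                .append(URLEncoder.encode(k, StandardCharsets.UTF_8)).append('=')
                .append(URLEncoder.encode(v, StandardCharsets.UTF_8)));
        return URI.create(authEndpoint + query.toString());
    }

    /** Decodes "a=b&c=d" into a map; a later duplicate key overwrites an earlier one, which is fine for this handful of parameters. */
    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String pair : (rawQuery == null ? "" : rawQuery).split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            result.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return result;
    }

    /** Serves one redirect on 127.0.0.1. A response whose state is not the one we issued is rejected (CSRF / injected code). */
    static String awaitAuthorizationCode(HttpServer server, String expectedState, long timeoutSeconds) throws Exception {
        CompletableFuture<String> result = new CompletableFuture<>();
        server.createContext("/callback", exchange -> {
            Map<String, String> q = parseQuery(exchange.getRequestURI().getRawQuery());
            boolean stateOk = MessageDigest.isEqual(expectedState.getBytes(StandardCharsets.UTF_8),
                    String.valueOf(q.get("state")).getBytes(StandardCharsets.UTF_8)); // constant-time compare
            boolean accepted = stateOk && q.containsKey("code");
            byte[] body = (accepted ? "Logged in, you may close this tab." : "Invalid authorization response.").getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(accepted ? 200 : 400, body.length);
            try (OutputStream out = exchange.getResponseBody()) { out.write(body); }
            if (!stateOk) result.completeExceptionally(new SecurityException("state mismatch, response discarded"));
            else if (!accepted) result.completeExceptionally(new IllegalStateException("authorization failed: " + q.get("error")));
            else result.complete(q.get("code"));
        });
        server.start();
        try {
            return result.get(timeoutSeconds, TimeUnit.SECONDS);
        } finally {
            server.stop(0); // the listener lives only as long as this one flow
        }
    }

    public static void main(String[] args) throws Exception {
        URI authEndpoint = URI.create("https://login.example.com/oauth2/authorize"); // placeholder, as in the README
        String codeVerifier = randomToken();
        String state = randomToken();
        // Port 0 makes the OS pick a free ephemeral port; this is why the server must accept any port for http://127.0.0.1.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        URI redirectUri = URI.create("http://127.0.0.1:" + server.getAddress().getPort() + "/callback");
        URI loginUri = authorizationUri(authEndpoint, "oauth-client-id", redirectUri, state, codeChallenge(codeVerifier), List.of());
        System.out.println("Please login on " + loginUri);
        String code = awaitAuthorizationCode(server, state, 120);
        // Next step (not shown): POST grant_type=authorization_code, code, redirect_uri, client_id and code_verifier to the
        // token endpoint. The server recomputes the challenge, so a code captured from the loopback redirect is useless alone.
        System.out.println("Received an authorization code (" + code.length() + " chars); exchange it with the code_verifier");
    }
}
```

Compile and run with `javac LoopbackPkceFlow.java && java LoopbackPkceFlow` on Java 11 or later; the `codeChallenge` method can be checked against the test vector in RFC 7636, Appendix B. The point of binding the verifier to the token request rather than the authorization request is that only the party holding the code_verifier can redeem the code, which is what makes the unauthenticated loopback redirect acceptable for a native app.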

Why this library?

  • Often you just need to authorize your client and nothing more. Most OAuth2 libraries try to do a lot more
  • Nano-tiny-minuscule attack surface, since this doesn't contain any JOSE/JWT signature code, nor a fully-fledged web server
  • Focus is strictly on the authorization flow. Use any library you like for dealing with the tokens.
  • Modular jar, exposing only one single public API. No need to read docs, you can't do anything wrong.
Comments
  • Refactored API

    Changed fluent API to allow customization before making the actual calls to the token endpoint, reducing the number of parameters per function.

    New public API looks like this:

    // static configuration params:
    var clientId = "my-client-id";
    var authEndpoint = URI.create("https://login.example.com");
    var tokenEndpoint = URI.create("https://example.com/oauth2/token");
    
    // what browser to open the authorization page in:
    Consumer<URI> browser = uri -> { System.out.println("please login on " + uri); };
    
    // making an auth request:
    var tokenResponse = TinyOAuth2
    	.client(clientId)
    	.withTokenEndpoint(tokenEndpoint)
    	.authFlow(authEndpoint)
    	.authorize(browser, "offline_access", "some_additional_scope", ...);
    	
    // customize auth request:
    var tokenResponse = TinyOAuth2
    	.client(clientId)
    	.withTokenEndpoint(tokenEndpoint)
    	.authFlow(authEndpoint)
    	.setRedirectPorts(8080, 8081, 8082)
    	.setRedirectPath("/callback")
    	.setSuccessResponse(Response.html(Status.OK, "<html><body>Logged in!</body></html>"))
    	.authorize(browser, "offline_access", "some_additional_scope", ...);
    	
    // refresh token:
    var refreshToken = "r3fr35h70k3n";
    var tokenResponse = TinyOAuth2
    	.client(clientId)
    	.withTokenEndpoint(tokenEndpoint)
    	.refresh(refreshToken);
    
    opened by overheadhunter 1
  • "scope" query param set even if no scopes defined

    In an authorization flow started with AuthFlow.authorize(browser, ... scopes) the lib consumer can define the scopes for the access token. If no scope is given, according to the RFC 6749 BNF definition, the scope parameter must be omitted.

    This is not the case; hence, auth attempts are responded to with errors.

    bug 
    opened by infeo 0
Releases (0.5.1)
Owner
Coffee Libs ☕️
Finest Java Libraries