Overview

Auth Server provides the federated identity functionality of the Janssen Platform. The server is a fork of oxAuth, the engine of Gluu Server 4. The design goal of Auth Server was speed, scalability and flexibility for large scale enterprise deployments. It is based on the Java Weld framework, a stable platform that provides many features out of the box.

Auth Server is a fairly comprehensive implementation of OpenID Connect, which itself is built on top of OAuth 2.0. See the latest OpenID certifications for OpenID Providers, FAPI OpenID Providers, and FAPI-CIBA OpenID Providers for the latest results.

Supported Standards

OpenID

• OpenID Connect Core 1.0
• OpenID Connect Discovery 1.0
• OpenID Connect Dynamic Registration
• OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Financial-grade API Security Profile 1.0 - Part 1: Baseline
• Financial-grade API Security Profile 1.0 - Part 2: Advanced
• OpenIDConnect Front-Channel Logout 1.0
• OpenID Connect Back-Channel Logout 1.0
• OpenID Connect Session Management
• Draft - JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
• Draft - Financial-grade API: Client Initiated Backchannel Authentication Profile
• Draft - OpenID Connect Native SSO for Mobile Apps 1.0
• Initiating User Registration via OpenID Connect 1.0

OAuth

• RFC 6749 The OAuth 2.0 Authorization Framework
• OAuth 2.0 Multiple Response Type Encoding Practices
• OAuth 2.0 Form Post Response Mode
• RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 7009 OAuth 2.0 Token Revocation
• RFC 7519 JSON Web Token (JWT)
• RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol
• RFC 7592 OAuth 2.0 Dynamic Client Registration Management Protocol
• RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
• RFC 7662 OAuth 2.0 Token Introspection
• RFC 8252 OAuth 2.0 for Native Apps
• RFC 8414 OAuth 2.0 Authorization Server Metadata
• RFC 8628 OAuth 2.0 Device Authorization Grant
• RFC 8693 OAuth 2.0 Token Exchange
• RFC 8705 OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
• RFC 9068 JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
• RFC 9126 OAuth 2.0 Pushed Authorization Requests
• Draft - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
• Draft - JWT Response for OAuth Token Introspection
• OAuth 2.0 Rich Authorization Requests

User Managed Access (UMA)

• Federated Authorization for User-Managed Access (UMA) 2.0
• User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization

For the above specifications, Auth Server implements many features--all of the MUST's, but also many of the SHOULD's and MAY's. If you find any discrepancies, please raise an issue.

---

Last update: 2024-03-26
Created: 2022-09-02