oxAuth is the core component of Gluu Server 4, providing OpenID Connect Provider and OAuth Authorization Server endpoints. oxAuth presents the login pages, keeps track of browser sessions, and implements authentication and consent web flows. You could say oxAuth is the glue of the Gluu server.
Industry Standards
Gluu is built on established industry standards that are proven and tested, supporting the security of your organization over the long-term.
Specification | Purpose of Standard |
|---|---|
Core | Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User |
Dynamic Client Registration | (Optional) Defines how clients dynamically register with OpenID Providers |
Discovery | (Optional) Defines how Clients dynamically discover information about OpenID Providers |
Logout | (Optional) Defines how a Relying Party requests that an OpenID Provider log out the End-User |
FAPI Part 1 | It specifies a baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk. Importantly, this profile does not provide non-repudiation (signing of authorization requests and responses) and sender-constrained access tokens. |
FAPI Part 2 | Specifies the Financial-grade API and it provides a profile of OAuth that is suitable to be used in write access to financial data (also known as transaction access) and other similar higher risk access. |
JARM | Defines a new response mode ( response_mode ) where all parameters are packaged into a JWT that is signed by the OpenID Provider / Authorization Server. This naturally also includes the parameters of error responses and any present and future OAuth 2.0 and OpenID Connect extensions. |
CIBA | Client-Initiated Backchannel Authentication (CIBA) is a new authentication flow in which RPs, that can obtain a valid identifier for the user they want to authenticate, will be able to initiate an interaction flow to authenticate their users without having end-user interaction from the consumption device. |
RFC / Spec | Name | Abstract |
|---|---|---|
RFC-6749 | The OAuth 2.0 Authorization Framework | The base specification for OAuth 2.0. This encapsulates the four basic flows of OAuth: The Code Flow, The Implicit Flow, the Client Credentials Flow and the Resource Owner Password Credentials Flow |
RFC-9126 | Pushed Authorization Requests (PAR) | This specification ensures that only authenticated clients can start an authorization flow. It is used together with JAR to provide a method to save authorization data at the authorization server, relay a reference to that data via a browser, and complete the user authorization without negatively impacting the Quality of Service (QoS) of the authorization server. |
RFC7800 | Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs) | This specification describes how to declare in a JSON Web Token (JWT) that the presenter of the JWT possesses a particular proof-of- possession key and how the recipient can cryptographically confirm proof of possession of the key by the presenter. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. |
RFC 8252 | OAuth 2.0 for Native Apps | OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user’s browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice. |
RFC 8705 | OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens | OAuth client authentication and certificate-bound access and refresh tokens using mutual Transport Layer Security (TLS) authentication with X.509 certificates. OAuth clients are provided a mechanism for authentication to the authorization server using mutual TLS, based on either self-signed certificates or public key infrastructure (PKI). OAuth authorization servers are provided a mechanism for binding access tokens to a client’s mutual-TLS certificate, and OAuth protected resources are provided a method for ensuring that such an access token presented to it was issued to the client presenting the token |
RFC 7591 | OAuth 2.0 Dynamic Client Registration Protocol | This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration. |
RFC 8414 | OAuth 2.0 Authorization Server Metadata | This specification defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. |
RFC 8628 | OAuth 2.0 Device Authorization Grant | The OAuth 2.0 device authorization grant is designed for Internet- connected devices that either lack a browser to perform a user-agent- based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device. |
RFC 9068 | JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens | This specification defines a profile for issuing OAuth 2.0 access tokens in JSON Web Token (JWT) format. Authorization servers and resource servers from different vendors can leverage this profile to issue and consume access tokens in an interoperable manner. |
RFC7662 | OAuth 2.0 Token Introspection | This specification defines a method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token. OAuth 2.0 deployments can use this method to convey information about the authorization context of the token from the authorization server to the protected resource. |
Draft DPOP | Internet-Draft OAuth DPoP | This document outlines an application-level sender-constraining for access and refresh tokens that can be used in cases where neither mTLS nor OAuth Token Binding are available. |
Draft | Draft: OAuth 2.0 Rich Authorization Requests | The Rich Authorization Requests extension provides a way for OAuth clients to request fine-grained permissions during an authorization request. For example, an app may specify a request such as “let me make a payment of 45 Euros” or “please give me read access to folder X and write access to folder Y”. |
Specification | Abstract | |
|---|---|---|
User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization | The base specification for OAuth 2.0. This encapsulates the four basic flows of OAuth: The Code Flow, The Implicit Flow, the Client Credentials Flow and the Resource Owner Password Credentials Flow.https://gluu.co/uma-grantgluu.co |
|
Specification |
Abstract |
|
|---|---|---|
User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization |
The base specification for OAuth 2.0. This encapsulates the four basic flows of OAuth: The Code Flow, The Implicit Flow, the Client Credentials Flow and the Resource Owner Password Credentials Flow.https://gluu.co/uma-grantgluu.co |
OpenID Connect Provider (OP)
OpenID Connect leverages the OAuth 2.0 framework to define ways for software to verify the identity of a person based on the authentication performed by an OAuth Authorization Server. Web, mobile, or JavaScript software clients can use different flows defined in the OpenID Connect specificiations to enable trusted exchange of information between domains without sacrificing a person’s consent.
The OpenID Provider (OP) is the equivalent of a SAML Identity Provider (IDP). It holds end user credentials (like a username/ password) and personally identifiable information. During a single sign-on (SSO) login flow, end users are redirected to the OP for authentication. Many OpenID Connect flows derive trust from the TLS connection between a person’s browser and the OP. Thus OpenID Connect leverages the technology most commonly available today.
Why you need it
Despite OAuth’s close association with authentication, if you want to use it for web or mobile login, you should use OpenID Connect. Both a profile and extension of OAuth, OpenID Connect defines some of the features necessary to use OAuth for federated identity.
Gluu OpenID Certification
The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to test against specific conformance profiles to promote interoperability among implementations. The OpenID Foundation’s certification process utilizes self-certification and conformance test suites developed by the Foundation.
Implementation | Basic OP | Implicit OP | Hybrid OP | Config OP | Dynamic OP | Form Post OP | 3rd Party-Init OP |
|---|---|---|---|---|---|---|---|
Gluu Server 4.2 | 28-Aug-2020 | 28-Aug-2020 | 28-Aug-2020 | 28-Aug-2020 | 28-Aug-2020 | 28-Aug-2020 | 28-Aug-2020 |
Gluu Server 4.0.0 | 15-Oct-2019 | 15-Oct-2019 | 15-Oct-2019 | 15-Oct-2019 | 15-Oct-2019 | 15-Oct-2019 | 15-Oct-2019 |
Gluu Server 3.1.3 | 18-Jul-2018 | 18-Jul-2018 | 18-Jul-2018 | 18-Jul-2018 | 18-Jul-2018 | 18-Jul-2018 | |
Gluu Server 3.1.1 | 16-Oct-2017 | 16-Oct-2017 | 16-Oct-2017 | 16-Oct-2017 | 16-Oct-2017 | 06-Jul-2018 | |
Gluu Server 2.3 | 02-Jul-2015 | 02-Jul-2015 | 02-Jul-2015 | 02-Jul-2015 | 02-Jul-2015 |
Implementation |
Basic OP |
Implicit OP |
Hybrid OP |
Config OP |
Dynamic OP |
Form Post OP |
3rd Party-Init OP |
|---|---|---|---|---|---|---|---|
Gluu oxd Client API 4.2 |
29-Oct-2020 |
29-Oct-2020 |
29-Oct-2020 |
29-Oct-2020 |
29-Oct-2020 |
23-Nov-2020 |
23-Nov-2020 |
Implementation |
FAPI Adv. OP w/ MTLS |
FAPI Adv. OP w/ MTLS, PAR |
FAPI Adv. OP w/ Private Key |
FAPI Adv. OP w/ Private Key, PAR |
FAPI Adv. OP w/ MTLS, JARM |
FAPI Adv. OP w/ Private Key, JARM |
FAPI Adv. OP w/ MTLS, PAR, JARMFAPI Adv. OP w/ Private Key, PAR, JARM |
|---|---|---|---|---|---|---|---|
Gluu Open Banking Identity Platform 1.0 |
30-Mar-2022 |
30-Mar-2022 |
30-Mar-2022 |
30-Mar-2022h5> |
30-Mar-2022 |
30-Mar-2022 |
30-Mar-2022 |
Implementation |
FAPI-CIBA OP poll w/ MTLS |
FAPI-CIBA OP poll w/ Private Key |
FAPI-CIBA OP Ping w/ MTLS |
FAPI-CIBA OP Ping w/ Private Key |
|---|---|---|---|---|
Gluu Server 4.2 |
22-Jun-2020 |
22-Jun-2020 |
22-Jun-2020 |
22-Jun-2020 |
Implementation |
FAPI R/W RP w/ MTLS |
FAPI R/W RP w/ Private Key |
|---|---|---|
Gluu oxd Client API 4.2 |
17-Sep-2020 |
17-Sep-2020 |
OAuth
OAuth 2.0 defines a mechanism for using bearer tokens to make authorized HTTP requests. Simple possession of a bearer token enables access.
For example, a long time ago in New York City, if you had a “subway token,” you inserted it into the turnstile and entered the subway station. No questions asked—presentation of the token enabled you to travel.
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf. OAuth is a framework for authorization, not an authentication protocol. Over the years, there have been many specifications developed by the IETF OAuth working group. So OAuth is not simply one specification, it’s a collection of technologies that often incorporates other important standards, like JSON Web Tokens (JWTs) and JSON Signing and Encryption (JOSE).
OAuth Interception Scripts of the Gluu Server
An Introspection URL implemented to the spec of RFC 7662 allows for information about an access token to be returned. This allows OAuth clients to query a token to identify if the token exists and is valid.
The Password grant type is a way to exchange a user’s credentials for an access token. Because the client application has to collect the user’s password and send it to the authorization server, it is not recommended that this grant be used at all anymore.
The Token Revocation extension defines a mechanism for clients to indicate to the authorization server that an access token is no longer needed. This is used to enable a “log out” feature in clients, allowing the authorization server to clean up any security credentials associated with the authorization.
The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.
Use oxTrust to configure oxAuth
oxTrust provides both a web interace and an API for Gluu Server administration.
API for user, group and FIDO device management
Another core component, this server provides the enrollment and authentication endpoints which enable people to use USB, bluetooth or platform FIDO credentials.
The heart of the Janssen Project, this is the server that provides the OpenID Connect and OAuth endpoints.
The configuration API is required to configure Jans Auth Server
Self-service web portal for end-users to manage devices and other multi-factor authentication.
Interface to simplify the management and configuration of Jans Auth Server
The Command Line Interface provides an interactive menu-driven mode for admins who don’t want to struggle with lengthy curl commands.
API for user, group and FIDO device management
Open Provider / OAuth Authorization Server
oxTrust is a single-point of administration for all components of Gluu 4.x servers.
Another core component, this server provides the enrollment and authentication endpoints which enable people to use USB, bluetooth or platform FIDO credentials.
Enables social login.
SAML IDP
Self-service web portal for end-users to manage devices and other multi-factor authentication.
OAuth / OpenID client middleware service