oxAuth is the core component of Gluu Server 4, providing OpenID Connect Provider and OAuth Authorization Server endpoints.  oxAuth presents the login pages, keeps track of browser sessions, and implements authentication and consent web flows. You could say oxAuth is the glue of the Gluu server.

Industry Standards

Gluu is built on established industry standards that are proven and tested, supporting the security of your organization over the long-term.

OpenID Connect Provider (OP)

OpenID Connect leverages the OAuth 2.0 framework to define ways for software to verify the identity of a person based on the authentication performed by an OAuth Authorization Server. Web, mobile, or JavaScript software clients can use different flows defined in the OpenID Connect specifications to enable trusted exchange of information between domains without sacrificing a person's consent.

The OpenID Provider (OP) is the equivalent of a SAML Identity Provider (IDP). It holds end user credentials (like a username/password) and personally identifiable information. During a single sign-on (SSO) login flow, end users are redirected to the OP for authentication. Many OpenID Connect flows derive trust from the TLS connection between a person's browser and the OP. Thus OpenID Connect leverages the technology most commonly available today.

Why you need it

Despite OAuth’s close association with authentication, if you want to use it for web or mobile login, you should use OpenID Connect. Both a profile and extension of OAuth, OpenID Connect defines some of the features necessary to use OAuth for federated identity.


Gluu OpenID Certification

The OpenID Foundation enables deployments of OpenID Connect and the Financial-grade API (FAPI) Read/Write Profile to test against specific conformance profiles to promote interoperability among implementations. The OpenID Foundation’s certification process utilizes self-certification and conformance test suites developed by the Foundation.


OAuth 2.0 defines a mechanism for using bearer tokens to make authorized HTTP requests. Simple possession of a bearer token enables access.

For example, a long time ago in New York City, if you had a “subway token,” you inserted it into the turnstile and entered the subway station. No questions asked—presentation of the token enabled you to travel. 

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. OAuth is a framework for authorization, not an authentication protocol. Over the years, there have been many specifications developed by the IETF OAuth working group. So OAuth is not simply one specification, it's a collection of technologies that often incorporates other important standards, like JSON Web Tokens (JWTs) and JSON Signing and Encryption (JOSE).

OAuth Interception Scripts of the Gluu Server

An introspection endpoint implemented according to RFC 7662 returns information about an access token. This allows OAuth clients and resource servers to query a token to determine whether it exists and is still valid.

The Password grant type is a way to exchange a user’s credentials for an access token. Because the client application has to collect the user’s password and send it to the authorization server, it is not recommended that this grant be used at all anymore.

The Token Revocation extension defines a mechanism for clients to indicate to the authorization server that an access token is no longer needed. This is used to enable a “log out” feature in clients, allowing the authorization server to clean up any security credentials associated with the authorization.

The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.
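As an added illustration (not oxAuth's code or any Gluu API) of the mechanisms described above, the following Python sketch models an authorization server's token store with an RFC 7662 introspection endpoint, RFC 7009 revocation, and a refresh-token grant with rotation, together with the check a resource server performs on an incoming bearer token. All names (`TokenStore`, `resource_server_check`, the `api` resource server, client and subject identifiers, the TTL values) are assumptions made for the example; tokens are opaque random strings held in memory, and the clock is injectable so that expiry can be exercised.

```python
"""Toy OAuth 2.0 token store with RFC 7662 introspection, RFC 7009 revocation
and refresh-token rotation. Added illustration only; not oxAuth's code."""
import secrets
import time


class TokenStore:
    """In-memory authorization-server state (constructed for the example)."""

    def __init__(self, resource_servers, now=time.time):
        self.resource_servers = set(resource_servers)  # callers allowed to introspect
        self.now = now                                  # injectable clock for tests
        self.access = {}    # access token  -> metadata
        self.refresh = {}   # refresh token -> metadata

    def _mint(self, client_id, sub, scope, access_ttl, refresh_ttl, grant):
        at, rt = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[at] = {"client_id": client_id, "sub": sub, "scope": scope,
                           "exp": self.now() + access_ttl, "grant": grant}
        self.refresh[rt] = {"client_id": client_id, "sub": sub, "scope": scope,
                            "exp": self.now() + refresh_ttl, "grant": grant}
        return at, rt

    def issue(self, client_id, sub, scope, access_ttl=300, refresh_ttl=86400):
        """Issue an access/refresh token pair for a freshly approved grant."""
        grant = secrets.token_hex(8)  # identifies the underlying authorization grant
        return self._mint(client_id, sub, scope, access_ttl, refresh_ttl, grant)

    def introspect(self, token, caller):
        """RFC 7662: only an authorized caller (a resource server) may ask, and an
        inactive token yields just {"active": false} so no state leaks about why."""
        if caller not in self.resource_servers:
            raise PermissionError("introspection caller not authorized")
        meta = self.access.get(token)
        if meta is None or meta["exp"] <= self.now():
            return {"active": False}
        return {"active": True, "token_type": "Bearer", "client_id": meta["client_id"],
                "sub": meta["sub"], "scope": meta["scope"], "exp": int(meta["exp"])}

    def revoke(self, token):
        """RFC 7009: unknown tokens are accepted silently; revoking a refresh token
        also invalidates every access token issued under the same grant."""
        if token in self.access:
            del self.access[token]
        elif token in self.refresh:
            grant = self.refresh.pop(token)["grant"]
            for at in [a for a, m in self.access.items() if m["grant"] == grant]:
                del self.access[at]

    def refresh_grant(self, refresh_token, client_id, access_ttl=300, refresh_ttl=86400):
        """Refresh-token grant with rotation: the presented refresh token is consumed
        and a new pair is issued. Returns None if the token is unknown, expired,
        or was issued to a different client."""
        meta = self.refresh.get(refresh_token)
        if meta is None or meta["exp"] <= self.now() or meta["client_id"] != client_id:
            return None
        del self.refresh[refresh_token]
        return self._mint(client_id, meta["sub"], meta["scope"],
                          access_ttl, refresh_ttl, meta["grant"])


def resource_server_check(store, caller, authorization_header, required_scope):
    """Resource-server side: parse the Bearer header (scheme is case-insensitive
    per RFC 6750), introspect the token and enforce scope.
    Returns (allowed, subject) on success or (False, error_code) otherwise."""
    parts = (authorization_header or "").split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer":
        return False, "invalid_request"
    info = store.introspect(parts[1].strip(), caller)
    if not info.get("active"):
        return False, "invalid_token"
    if required_scope not in info["scope"].split():
        return False, "insufficient_scope"
    return True, info["sub"]


if __name__ == "__main__":
    store = TokenStore(resource_servers={"api"})
    at, rt = store.issue("mobile-app", "alice", "read write")
    print(resource_server_check(store, "api", "Bearer " + at, "write"))
    store.revoke(rt)                      # client "logs out" via its refresh token
    print(store.introspect(at, "api"))    # {'active': False}
```

Two points the sketch makes concrete: the introspection response for an inactive token carries no reason, so a caller cannot tell a revoked token from an expired or never-issued one, and the refresh grant both rotates the refresh token and binds it to the client that originally received it, so a stolen refresh token presented by another client is rejected.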

Use oxTrust to configure oxAuth

oxTrust provides both a web interface and an API for Gluu Server administration.
