An ongoing & curated collection of awesome software best practices and techniques, libraries and frameworks, E-books and videos, websites, blog posts, links to github Repositories, technical guidelines and important resources about OAuth 2.0 and OpenID Connect in Cybersecurity.

Thanks to all contributors, you're awesome and wouldn't be possible without you! Our goal is to build a categorized community-driven collection of very well-known resources.

• As an application developer, you may have heard the term OAuth 2.0 thrown around a lot. OAuth 2.0 has gained wide adoption by web service and software companies around the world, and is integral to the way these companies interact and share information.

OAuth 2.0 is a protocol that allows distinct parties to share information and resources in a secure and reliable manner.

• Developers and architects simply can’t build modern applications without running into issues of authorization and authentication.

OAuth 2.0 is an industry standard for “delegated authorization” which is the ability to provide an application or client access to data or features offered by another app or service. OAuth 2.0 focuses on authorization and is not prescriptive about authentication. OpenID Connect (OIDC) adds a standards-based authentication layer on top of OAuth 2.0.

• Introduction

• Cloud Solutions

  • Amazon Web Services (AWS)
  • Googe Cloud Platform (GCP)
  • Microsoft Azure

• Authentication

  • SSO#
  • SAML
  • Node.js
  • Python
  • Ruby

• Authorization

  • OAuth

• AWS IAM - Identity and Access Management for AWS
• AWS SSO - Centrally manage single sign-on (SSO) access to multiple AWS accounts
• Amazon Cognito - SSO for business applications
• AWS Directory Service - AD in the AWS Cloud
• AWS STS - AWS Security Token Service for temporary IAM tokens

• Identity and authentication, the Google Cloud way - Overview of Google approach to identity and access management

• Microsoft identity platform - Evolution of the Azure Active Directory

• Single sign-on - wiki page about SSO
• Central Authentication Service (CAS) - Open Source Enterprise Single Sign On
• Okta - Identity and Access Management as a service; provides broad integrations
• Auth0 - Identity and Access Management as a service
• Cloud-IAM - Keycloak IAM as a Service
• LoginRadius - Identity and Access Management as a service
• FusionAuth - Identity and Access Management, either a service or self-hosted
• PAC4J - The security library for Java
• buzzfeed/sso - A single sign-on solution for securing internal services (Go based)
• cidaas - Cloud Identity & Access Management (Identity and Access Management as a service)

• SAML - Security Assertion Markup Language wiki page
• Spring Security SAML - SAML implementation for Spring
• SAMLTest SAML Testing service
• SAMLkit Development/testing entity

• U2F and UAF spec - 2FA specifications
• Two Factor Auth - List of websites with 2FA info

• MojoAuth - Email and WebAuthN Authentication
• Sawolabs - Authentication without OTPs and Passwords

• OAuth on Wikipedia
• OAuth.net by Okta
• OAuth.com by Okta
• OAuth Articles and Posts by Alex Bilbie
• OpenID Connect

• The OAuth 2.0 Authorization Framework (RFC 6749)
• The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
• OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
• OAuth 2.0 Token Revocation (RFC 7009)
• JSON Web Signature (JWS) (RFC 7515)
• JSON Web Encryption (JWE) (RFC 7516)
• JSON Web Key (JWK) (RFC 7517)
• JSON Web Algorithms (JWA) (RFC 7518)
• JSON Web Token (JWT) (RFC 7519)
• Examples of Protecting Content Using JSON Object Signing and Encryption (JOSE) (RFC 7520)
• Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
• SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522)
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
• OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
• OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592)
• Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
• OAuth 2.0 Token Introspection (RFC 7662)
• JSON Web Signature (JWS) Unencoded Payload Option (RFC 7797)
• Authentication Method Reference Values (RFC 8176)
• OAuth 2.0 for Native Apps (RFC 8252)
• OAuth 2.0 Authorization Server Metadata (RFC 8414)
• OAuth 2.0 Device Authorization Grant (RFC 8628)
• OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)
• OAuth 2.0 Token Exchange (RFC 8693)
• JSON Web Token Best Current Practices (RFC 8725)
• The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request(JAR) (RFC 9101)

• OAuth 2.0 Incremental Authorization(draft-ietf-oauth-incremental-authz-04)
• OAuth 2.0 Token Binding (draft-ietf-oauth-token-binding-08)
• OAuth 2.0 Security Best Current Practice (draft-ietf-oauth-security-topics-18)
• Reciprocal OAuth (draft-ietf-oauth-reciprocal-04)
• OAuth 2.0 for Browser-Based Apps(draft-ietf-oauth-browser-based-apps-08)
• The OAuth 2.1 Authorization Framework(draft-ietf-oauth-v2-1-04)

• OAuth 2.0 系列文 by Yucheng Chuang
  • (1) 世界觀
  • (2) Client 的註冊與認證
  • (3) Endpoints 的規格
  • (4.1) Authorization Code Grant Flow 細節
  • (4.2) Implicit Grant Flow 細節
  • (4.3) Resource Owner Credentials Grant Flow 細節
  • (4.4) Client Credentials Grant Flow 細節
  • (5) 核發與換發 Access Token
  • (6) Bearer Token 的使用方法
  • (7) 安全性問題
  • 各大網站 OAuth 2.0 實作差異
• OAuth 2 Simplified by Aaron Parecki
• 理解OAuth 2.0 by 阮一峰
• 帮你深入理解OAuth2.0协议

• OAuth 2 in Action
• Getting Started with OAuth 2.0 - Programming Clients for Secure Web API Authorization and Authentication
• Identity and Data Security for Web Development - Best Practices
• OAuth 2.0 – Getting Started in Web-API Security

• OAUTH.TOOLS

• Google OAuth 2.0 Playground

• RFC6749 - RFC with OAuth2 definition

• Spring Security OAuth - OAuth implementation for Spring

• OAuth server for PHP - OAuth server for PHP

• ORY Hydra - Go based OAuth and OIDC server

• JSON Web Tokens - All you need to know about JWT

• OAuth+JWT in microservices - Good video on how to use tokens in microservices

• OpenID Connect - Identity layer on top of OAuth

• oauth2-proxy - A reverse proxy that provides authentication with Google, Github or other providers.

• Role-based access control - wiki page about RBAC

• XACML - XML-based access control markup language

• angular-permissions authorization for AngularJS

• Keycloak - Open Source Identity and Access Management
• IdentityServer - .NET based IAM server
• ORY - Open Source Identity Infrastructure and Services (Go based)
• casbin - Go authorization library
• OpenAM - (discontinued), successor of OpenSSO
• WSO2 Identity Server - also has SSO, authZ, ...

• Step CLI - A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
• JWT DEBUGGER - A simple JWT decoder tool, that can help to verify the JWT and with the help of signature.

• awesome-keycloak - A curated list of Keycloak related resources
• casbin/awesome-auth - other auth list
• OAuth code libraries
• OIDC code libraries

MIT License & cc license

This work is licensed under a Creative Commons Attribution 4.0 International License.

To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.