Nimbus OAuth 2.0 SDK with OpenID Connect extensions
- Comprehensive library for developing OAuth 2.0, OpenID Connect and Federation applications
- Standards compliant, robust and extensible
- Open source (Apache 2.0 licence)
The Nimbus OAuth 2.0 SDK helps Java developers build standards-compliant and interoperable OAuth 2.0 / 2.1, OpenID Connect and OpenID Federation applications. It provides ready-to-use classes for protocol messages, tokens and related data structures, independent of any web application framework.
Extension points enable support for application-specific and industry-specific profiles of OAuth 2.0 and OpenID Connect.
Specifications
Implemented standards and drafts:
-
The OAuth 2.0 Authorization Framework (RFC 6749)
-
The OAuth 2.1 Authorization Framework (IETF draft)
-
The OAuth 2.0 Authorization Framework: Bearer Token Usage (RFC 6750)
-
OAuth 2.0 Token Introspection (RFC 7662)
-
OAuth 2.0 Token Revocation (RFC 7009)
-
OAuth 2.0 Authorization Server Metadata (RFC 8414)
-
OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592)
-
Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7521)
-
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7523)
-
SAML 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants (RFC 7522)
-
Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
-
Authentication Method Reference Values (RFC 8176)
-
OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)
-
Resource Indicators for OAuth 2.0 (RFC 8707)
-
OAuth 2.0 Device Authorization Grant (RFC 8628)
-
OAuth 2.0 Token Exchange (RFC 8693)
-
OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) (RFC 9449)
-
OAuth 2.0 Incremental Authorization (IETF draft)
-
The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) (RFC 9101)
-
OAuth 2.0 Pushed Authorization Requests (RFC 9126)
-
OAuth 2.0 Authorization Server Issuer Identification (RFC 9207)
-
OAuth 2.0 Rich Authorization Requests (RFC 9396)
-
OAuth 2.0 Step Up Authentication Challenge Protocol (RFC 9470)
-
OpenID Connect Extended Authentication Profile (EAP) ACR Values 1.0 (draft)
-
Financial-grade API: Read-Only API Security Profile 1.0 – Final
-
Financial-grade API: Read and Write API Security Profile 1.0 – Final
-
Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
-
OpenID Connect Client-Initiated Backchannel Authentication (CIBA) Core 1.0
Additional features
-
Process plain, signed and encrypted JSON Web Tokens (JWTs) with help of the Nimbus JOSE + JWT library.
-
Full OpenID Connect UserInfo i10n and l10n support with help of the Nimbus Language Tags library.
Java
- Java 8+
JavaDocs
The SDK code comes with excellent JavaDocs. These are available from Maven Central just as the code JARs are. You can also browse them online.
Licensing
This library is free and made available under the terms of the open source Apache 2.0 license.
Acknowledgements
- Julian Krautwald, Vladislav Mladenov and Christian Mainka, security researchers at Horst Görtz Institute for IT-Security / Chair for Network and Data Security.
- Tim McClean for his security audit of the Java library for AES SIV-mode encryption, created and maintained by Crytomator.
- Emond Papegaaij and Topicus KeyHub for the Device Code grant implementation.
- Wei Huang for the Token Exchange (RFC 8693) implementation.
- The members of the OpenID Connect and OAuth working groups.
- Other contributors of bug reports, fixes, patches and suggestions.