OAuth 2.0 access management

Secure your APIs with access tokens

The Connect2id server can act as a fully fledged OAuth 2.0 server, for securing web APIs and other protected resources with access tokens.

All standard OAuth 2.0 grants, or flows, for obtaining access tokens are supported:

  • Authorisation code: for traditional web apps as well as mobile / native clients
  • Implicit: for browser-based applications coded in JavaScript
  • Resource owner password: for highly trusted clients, or if other grant types are unavailable
  • Client credentials: for clients that act on their own behalf
  • JWT assertion: for bridging two security domains
  • SAML 2.0 assertion: for SAML clients that need to obtain OAuth tokens

Bring your own policies

Security architects enjoy plenty of freedom with the Connect2id server:

  • Apply arbitrary rules and security policies to each OAuth 2.0 grant. These may be implemented in any programming language, and are applied to the Connect2id server via its APIs (web or native).
  • Authorisations can be short-lived (transient) or long-lived (persisted). The latter enable end-user consent to be remembered across token requests and login sessions.
  • The issued access tokens can be self-contained (encoded as a signed or signed + encrypted JWT) or identifier-based (the authorisation is stored in a database and queried remotely by a key).
  • Selected token scope values can be assigned implicitly.
  • The lifetime of the issued ID, access and refresh tokens can be controlled for each individual application and end-user.
  • Tokens may carry additional data.

Advanced scenarios

Version 4 of the Connect2id server added support for special scenarios:

  • Impersonation — enables a privileged user to log into a client application under a different identity. This may also extend to accessing protected resources (web APIs) as the impersonated identity, with that identity's permissions.

  • Delegation — enables one user to act on behalf of another.

Token management

The Connect2id server provides web-based endpoints to manage the entire life cycle of a token:

  • Token issue
  • Token inspection
  • Update of the associated scope and other details (for long-lived authorisations / refresh tokens)
  • Token revocation
  • Query long-lived authorisations per client or end-user

Support for distributed apps

Applications that are distributed within and across data centres are easily catered for by the Connect2id server. This is accomplished with self-contained access tokens (JWT), which a resource server can verify locally in a fraction of a millisecond and then clear the request, without a round trip to the token server.

Applications with limited / unreliable connectivity can also benefit from this approach.
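To make the local-verification point concrete, the following is an added example (not code from the Connect2id server or its SDK) of what a resource server does with a self-contained access token: decode the JWT, pin the expected algorithm, check the signature, and then check the issuer, audience, validity window and scope before clearing the request. The issuer name, audience, scope values and the shared key are all constructed for the demo; the HMAC (HS256) signature is a standard-library-only simplification of the asymmetric (RS256 / ES256) signature a real deployment would verify against the server's published public key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. HS256 is used here only because it needs no crypto
# library; with a real server the resource server holds a public key only.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side (simulated): mint a compact JWS carrying the given claims."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Raised when a token fails any local check."""


def verify_access_token(token, key, expected_iss, expected_aud, required_scope, now=None):
    """Resource-server side: validate the token entirely locally and return its claims.

    Checks, in order: structure, algorithm, signature, issuer, audience,
    validity window (exp / nbf) and that every required scope was granted.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        raise TokenError("undecodable token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("undecodable token")
    # Pin the algorithm: never let the token choose (rejects "none" and alg swaps).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        raise TokenError("bad signature")
    if claims.get("iss") != expected_iss:
        raise TokenError("unexpected issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenError("token not intended for this resource")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired or has no exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise TokenError("token not yet valid")
    granted = set(str(claims.get("scope", "")).split())
    if not set(required_scope) <= granted:
        raise TokenError("insufficient scope")
    return claims


def check_access_token(token, key, expected_iss, expected_aud, required_scope, now=None):
    """Non-raising wrapper returning (accepted, reason), convenient for API middleware."""
    try:
        verify_access_token(token, key, expected_iss, expected_aud, required_scope, now)
        return True, "ok"
    except TokenError as e:
        return False, str(e)


if __name__ == "__main__":
    tok = issue_access_token({"iss": "https://as.example.com", "aud": "api://orders",
                              "sub": "alice", "scope": "orders:read orders:write",
                              "iat": 1000, "exp": 1600})
    print(check_access_token(tok, DEMO_KEY, "https://as.example.com", "api://orders",
                             {"orders:read"}, now=1200))
```

Every check above runs against data carried in the token itself, which is why the verification cost stays flat regardless of how many data centres the resource servers sit in. The trade-off, compared with identifier-based tokens looked up remotely, is that a self-contained token cannot be revoked before its `exp`, so the lifetime setting becomes the revocation window.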