{"id":13719956,"url":"https://github.com/kivra/oauth2","last_synced_at":"2025-10-21T18:59:25.706Z","repository":{"id":2600601,"uuid":"3583257","full_name":"kivra/oauth2","owner":"kivra","description":"Erlang Oauth2 implementation","archived":false,"fork":false,"pushed_at":"2024-12-12T11:45:00.000Z","size":1102,"stargazers_count":219,"open_issues_count":8,"forks_count":69,"subscribers_count":27,"default_branch":"master","last_synced_at":"2025-04-18T17:09:47.543Z","etag":null,"topics":["kivra-platform-team"],"latest_commit_sha":null,"homepage":"","language":"Erlang","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kivra.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-02-29T16:03:07.000Z","updated_at":"2025-02-26T11:38:13.000Z","dependencies_parsed_at":"2024-11-14T09:31:28.531Z","dependency_job_id":"26e085ef-e324-442c-baad-cac424d90087","html_url":"https://github.com/kivra/oauth2","commit_stats":{"total_commits":128,"total_committers":13,"mean_commits":9.846153846153847,"dds":0.4609375,"last_synced_commit":"c8e77e0830bc39ff44740f9f5df4a722e3573091"},"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kivra%2Foauth2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kivra%2Foauth2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kivra%2Foauth2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kivra%2Foauth2/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kivra","download_url":"https://codeload.github.com/kivra/oauth2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252876278,"owners_count":21818155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kivra-platform-team"],"created_at":"2024-08-03T01:00:58.176Z","updated_at":"2025-10-21T18:59:20.641Z","avatar_url":"https://github.com/kivra.png","language":"Erlang","funding_links":[],"categories":["Authentication","General Libraries"],"sub_categories":[],"readme":"# OAuth2 (v0.7.0)  [![BuildStatus](https://travis-ci.org/kivra/oauth2.png?branch=master)](https://travis-ci.org/kivra/oauth2)\nThis library is designed to simplify the implementation of the server side\nof OAuth2 (http://tools.ietf.org/html/rfc6749). It provides\n**no** support for developing clients. 
See\n[oauth2_client](https://github.com/kivra/oauth2_client) for support in\naccessing OAuth2-enabled services.\n\noauth2 is released under the terms of the [MIT](http://en.wikipedia.org/wiki/MIT_License) license\n\nCurrent stable version: [0.6.1](https://github.com/kivra/oauth2/tree/0.6.1)\n\nCurrent alpha version: [0.7.x](https://github.com/kivra/oauth2)\n\ncopyright 2012-2015 Kivra\n\n## tl;dr\n### Examples\nCheck out the [examples](https://github.com/kivra/oauth2_example).\n\n### Related projects\nWebmachine server implementation by Oauth2 contributor\nIvan Martinez: [oauth2_webmachine](https://github.com/IvanMartinez/oauth2_webmachine).\n\nRedis backed Oauth2 [backend](https://github.com/interline/oauth2_redis_backend).\n\n## Concepts\n\n### Tokens\nA token is a (randomly generated) string provided to the client by the server\nin response to some form of authorization request.\nThere are several types of tokens:\n\n* *Access Token*: An access token identifies the origin of a request for a\nprivileged resource.\n* *Refresh Token*: A refresh token can be used to replace an expired access token.\n\n#### Expiry\nAccess tokens can (optionally) be set to expire after a certain amount of time.\nAn expired token cannot be used to gain access to resources.\n\n### Identities\nA token is associated with an *identity* -- a value that uniquely identifies\na user, client or agent within your system. Typically, this is a user identifier.\n\n### Scope\nThe scope is handled by the backend implementation. The specification outlines\nthat the scope is a space-delimited set of parameters. 
This library\nhas been developed with the following in mind.\n\nScope is implemented as a set and loosely modeled after the Solaris RBAC privileges, e.g.\n`solaris.x.*`, and implemented as a [MAC](http://en.wikipedia.org/wiki/Mandatory_access_control)\nwith the ability to narrow the scope but not extend it beyond the predefined scope.\n\nBut since the scope is opaque to this Oauth2 implementation you can use the\nscoping strategy that best suits your workflow.\n\nThere is a utility module to work with scope. The recommendation is to pass\na scope as a list of binaries, e.g. `[\u003c\u003c\"root.a.c.b\"\u003e\u003e, \u003c\u003c\"root.x.y.z\"\u003e\u003e]`;\nyou can then validate these against another set like:\n\n``` erlang\n\u003e oauth2_priv_set:is_subset(oauth2_priv_set:new([\u003c\u003c\"root.a.b\"\u003e\u003e, \u003c\u003c\"root.x.y\"\u003e\u003e]),\n                            oauth2_priv_set:new([\u003c\u003c\"root.*\"\u003e\u003e])).\ntrue\n\u003e oauth2_priv_set:is_subset(oauth2_priv_set:new([\u003c\u003c\"root.a.b\"\u003e\u003e, \u003c\u003c\"root.x.y\"\u003e\u003e]),\n                            oauth2_priv_set:new([\u003c\u003c\"root.x.y\"\u003e\u003e])).\nfalse\n\u003e oauth2_priv_set:is_subset(oauth2_priv_set:new([\u003c\u003c\"root.a.b\"\u003e\u003e, \u003c\u003c\"root.x.y\"\u003e\u003e]),\n                            oauth2_priv_set:new([\u003c\u003c\"root.a.*\"\u003e\u003e, \u003c\u003c\"root.x.y\"\u003e\u003e])).\ntrue\n```\n\n### Clients\nIf you have many diverse clients connecting to your service -- for instance,\na web client and an iPhone app -- it's desirable to be able to distinguish\nthem from one another and to be able to grant or revoke privileges based\non the type of the client issuing a request. As described in the OAuth2 specification,\nclients come in two flavors:\n\n* *Confidential* clients, which can be expected to keep their credentials\nfrom being disclosed. 
For instance, a web site owned and operated by you\ncould be regarded as confidential.\n* *Public* clients, whose credentials are assumed to be compromised the\nmoment the client software is released to the public.\n\nClients are distinguished by their identifiers, and can (optionally) be\nauthenticated using a secret key shared between the client and server.\n\n## Testing\nIf you want to run the EUnit test cases, you can do so with:\n\n    $ make ct\n\n## Customization\nThe library makes no assumptions as to how you want to implement\nauthentication and persistence of users, clients and tokens. Instead, it\nprovides a behavior (`oauth2_backend`) with functions that need to be\nimplemented. To direct calls to a different backend module, simply set\n`{backend, your_backend_module}` in the `oauth2` section of your app.config.\n\nLook at [oauth2_mock_backend](test/oauth2_mock_backend.erl) for how a backend\ncan be implemented.\n\nThe following example demonstrates a basic app.config section for oauth2.\n\n``` erlang\n[\n    {oauth2, [\n        %% Default expiry_time for access_tokens unless\n        %% overridden per flow\n        {expiry_time, 3600}\n        ,{backend, backend_goes_here}\n\n        %% Optional expiry_time override per flow\n        ,{password_credentials, [\n            {expiry_time, 7200}\n        ]}\n        ,{client_credentials, [\n            {expiry_time, 86400}\n        ]}\n        ,{refresh_token, [\n            {expiry_time, 2592000} %% 30 Days\n        ]}\n        ,{code_grant, [\n            %% Recommended absolute expiry time from the spec\n            {expiry_time, 600}\n        ]}\n    ]}\n].\n```\n\nA complete list of functions that your backend must provide is available by looking\nat `oauth2_backend.erl`, which contains documentation and function specifications.\n\nTo implement a custom token generation backend you can change your\napp.config as follows:\n\n``` erlang\n[\n    {oauth2, [\n        {token_generation, 
YOUR_TOKEN_GENERATOR}\n    ]}\n].\n```\n\nThe default token generator is called oauth2_token. To implement your\nown you should create your own module implementing the\noauth2_token_generation behavior exporting one function\ngenerate/0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkivra%2Foauth2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkivra%2Foauth2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkivra%2Foauth2/lists"}