{"id":28112915,"url":"https://github.com/networknt/light-oauth2","last_synced_at":"2025-05-14T05:05:24.028Z","repository":{"id":37286590,"uuid":"67836913","full_name":"networknt/light-oauth2","owner":"networknt","description":"A fast, light and cloud native OAuth 2.0 authorization microservices based on light-4j","archived":true,"fork":false,"pushed_at":"2024-01-18T18:39:29.000Z","size":4192,"stargazers_count":314,"open_issues_count":28,"forks_count":75,"subscribers_count":44,"default_branch":"master","last_synced_at":"2025-04-23T13:58:40.542Z","etag":null,"topics":["cloud","docker","microservices-architecture","oauth2","oauth2-provider","oauth2-server"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/networknt.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2016-09-09T22:34:31.000Z","updated_at":"2025-04-07T11:28:15.000Z","dependencies_parsed_at":"2023-02-19T12:31:16.032Z","dependency_job_id":"b9314cae-6799-4b46-8488-02f64e437bb6","html_url":"https://github.com/networknt/light-oauth2","commit_stats":null,"previous_names":[],"tags_count":128,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networknt%2Flight-oauth2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networknt%2Flight-oauth2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networknt%2Flight-oauth2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/networknt%2Flight-oauth2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/networknt","download_url":"https://codeload.github.com/networknt/light-oauth2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254076849,"owners_count":22010611,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud","docker","microservices-architecture","oauth2","oauth2-provider","oauth2-server"],"created_at":"2025-05-14T05:01:25.256Z","updated_at":"2025-05-14T05:05:24.009Z","avatar_url":"https://github.com/networknt.png","language":"Java","funding_links":[],"categories":["Capabilities","安全"],"sub_categories":["Security"],"readme":"A fast, lightweight and cloud native OAuth 2.0 Server based on microservices architecture\nbuilt on top of the light-4j and light-rest-4j frameworks.\n\n[Stack Overflow](https://stackoverflow.com/questions/tagged/light-4j) |\n[Google Group](https://groups.google.com/forum/#!forum/light-4j) |\n[Gitter Chat](https://gitter.im/networknt/light-oauth2) |\n[Subreddit](https://www.reddit.com/r/lightapi/) |\n[Youtube Channel](https://www.youtube.com/channel/UCHCRMWJVXw8iB7zKxF55Byw) |\n[Documentation](https://doc.networknt.com/service/oauth/) |\n[Contribution Guide](https://doc.networknt.com/contribute/) |\n\n[![Build Status](https://travis-ci.org/networknt/light-oauth2.svg?branch=master)](https://travis-ci.org/networknt/light-oauth2)\n\nThe Light platform follows a security-first design, and we provide an OAuth 2.0 provider,\nlight-oauth2, which is based on the light-4j and light-rest-4j frameworks and consists of 7 microservices.\nSome of the services implement the OAuth 2.0 specifications and others implement\nextensions that make OAuth more suitable for protecting service-to-service communication, other\nstyles of services such as GraphQL, RPC and event-driven, key management and distribution,\nservice registration, token scope calculation and token exchange.\n\n## Why this OAuth 2.0 Authorization Server\n\n### Fast and small memory footprint to lower production cost.\n\nIt can support 60000 user logins with authorization code redirects and can generate\n700 access tokens per second on my laptop.\n\nIt has 7 microservices connected with an in-memory data grid, and each service can be\nscaled individually.\n\n\n### More secure than other implementations\n\nOAuth 2.0 is just a specification and a lot of details are left to the individual\nimplementation. Our implementation has a lot of extensions and enhancements\nfor additional security and to prevent users from making mistakes. For example, we\nhave added an additional client type called \"trusted\", and only this type of\nclient can use the resource owner password credentials grant type.\n\n### More deployment options\n\nYou can deploy all services or just the services for your use cases. You can\ndeploy the token and code services to the DMZ and all others internally for maximum security.\nYou can have several token services or deploy the token service as a sidecar in\neach node. You can start more instances of the key service on the day that your public\nkey certificate for signature verification is changed and shut down all but\none the next day. You can take full advantage of microservices deployment.\n\n### Seamless integration with the Light-Java framework\n\n* Built on top of light-4j and light-rest-4j\n* Light-4j Client and Security modules manage most of the communication with OAuth2\n* Support service on-boarding from light-portal\n* Support client on-boarding from light-portal\n* Support user management from light-portal\n* Open sourced OpenAPI specifications for all microservices\n\n### Easy to integrate with your APIs or services\n\nThe OAuth2 services can be started in docker-compose for your local development and\ncan be managed by Kubernetes on official test and production environments. It exposes\nRESTful APIs and can be accessed from all languages and applications.\n\n### Support multiple databases and can be extended and customized easily\n\nOut of the box, it supports Mysql, Postgres and Oracle XE, and H2 for unit tests. Other\ndatabases can be easily added with a configuration change in service.yml.\n\n\n### Public key certificate distribution\n\nWith distributed security verification, JWT signature public key certificates must\nbe distributed to all resource servers. The traditional push approach does not\nwork with a microservices architecture, so a pull approach is adopted. There is a\nkey service with an endpoint from which microservices retrieve the public key certificate\nat runtime based on the key_id from the JWT header.\n\n### Two tokens to support microservices architecture\n\nEach service in a microservices application needs a subject token which identifies the\noriginal caller (the person who logged in to the original client) and an access token\nwhich identifies the immediate caller (which might be another microservice). Both tokens\nwill be verified with scopes down to the API endpoint level. Additional claims in these\ntokens will be used for fine-grained authorization which happens within the business\ncontext.\n\n### Token exchange for high security\n\nEven with two tokens, we can only verify who the original caller is and which client is\nthe immediate caller. For some highly protected services like payment or fund transfer,\nwe need to ensure that the call is routed through known services. The light-oauth2\ntoken service supports token exchange and chaining so that a service can verify the\nentire call tree to decide whether the call is authorized or not.\n\n### Service registration for scope calculation\n\nlight-oauth2 has a service registration that allows all services to be registered with a service\nid and all endpoints as well as the scopes for each endpoint. During client registration, you\ncan link a client to services/endpoints, and the scope of the client can be calculated\nand updated in the client table. This avoids requiring developers to pass in scopes when getting an\naccess token, as there might be hundreds of them for a client that accesses dozens of\nmicroservices.\n\n### All activities are audited\n\nA database audit handler has been wired into all light-oauth2 services to log each\nactivity across services with sensitive info masked. In the future we will put these\nlogs into AI stream processing to identify abnormal behaviors just like normal service\nlog processing.\n\n### OAuth2 server, portal and light-4j to form an ecosystem\n\n[light-java](https://github.com/networknt/light-java) to build APIs\n\n[light-oauth2](https://github.com/networknt/light-oauth2) to control API access\n\n[light-portal](https://github.com/networknt/light-portal) to manage clients and APIs\n\n## Introduction\n\nThis [introduction](https://doc.networknt.com/service/oauth/introduction/) document contains all the basic concepts of the OAuth 2.0 specification and how it works in general.\n\n## Getting started\n\nThe easiest way to start using light-oauth2 in your development environment is through\ndocker-compose in the light-docker repository. Please refer to [getting started](https://doc.networknt.com/getting-started/light-oauth2/) for more information.\n\n## Architecture\n\nSome key decision points are documented in the [architecture](https://doc.networknt.com/service/oauth/architecture/) section.\n\n## Documentation\n\nThe detailed [service document](https://doc.networknt.com/service/oauth/service/) helps users understand how each individual service\nworks and the specification for each service. It also contains information on which scenarios will trigger what kind of errors.\n\n## Tutorial\n\nThere are [tutorials](https://doc.networknt.com/tutorial/oauth/) for each service that show how to handle the most common use cases with examples.\n\n## Reference\n\nThere is a vast amount of information about OAuth 2.0 specifications and implementations.\nHere are some important [references](https://doc.networknt.com/service/oauth/reference/) that can help you understand OAuth 2.0 authorization.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetworknt%2Flight-oauth2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnetworknt%2Flight-oauth2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnetworknt%2Flight-oauth2/lists"}