• This repository has been archived on 20/Jan/2024
  • Stars: 312
  • Rank 134,133 (Top 3 %)
  • Language: Java
  • License: Apache License 2.0
  • Created about 8 years ago
  • Updated 11 months ago


Repository Details

A fast, light and cloud native OAuth 2.0 authorization microservices based on light-4j

A fast, lightweight and cloud native OAuth 2.0 server based on a microservices architecture, built on top of the light-4j and light-rest-4j frameworks.


The light platform follows a security-first design, and we provide light-oauth2, an OAuth 2.0 provider built on the light-4j and light-rest-4j frameworks and made up of 7 microservices. Some of the services implement the OAuth 2.0 specifications; others implement extensions that make OAuth more suitable for protecting service-to-service communication and other styles of services such as GraphQL, RPC and event-driven, and that cover key management and distribution, service registration, token scope calculation and token exchange.

Why this OAuth 2.0 Authorization Server

Fast and small memory footprint to lower production cost.

It can support 60000 user logins with authorization code redirects and can generate 700 access tokens per second on my laptop.

It has 7 microservices connected with an in-memory data grid, and each service can be scaled individually.

More secure than other implementations

OAuth 2.0 is just a specification, and a lot of the details are left to the individual implementation. Our implementation has a lot of extensions and enhancements that add security and prevent users from making mistakes. For example, we have added an additional client type called "trusted", and only this type of client can use the resource owner password credentials grant type.

More deployment options

You can deploy all services or only the services your use cases need. You can deploy the token and code services to the DMZ and keep all others internal for maximum security. You can run several token services, or deploy the token service as a sidecar on each node. You can start more instances of the key service on the day that your public key certificate for signature verification is changed and shut down all of them but one the next day. You can take full advantage of microservices deployment.

Seamless integration with Light-Java framework

  • Built on top of light-4j and light-rest-4j
  • Light-4j Client and Security modules manage most of the communications with OAuth2
  • Support service on-boarding from light-portal
  • Support client on-boarding from light-portal
  • Support user management from light-portal
  • Open sourced OpenAPI specifications for all microservices

Easy to integrate with your APIs or services

The OAuth2 services can be started with docker-compose for local development and can be managed by Kubernetes in official test and production environments. They expose RESTful APIs and can be accessed from all languages and applications.

Support multiple databases and can be extended and customized easily

Out of the box, it supports MySQL, Postgres and Oracle XE, plus H2 for unit tests. Other databases can be easily added with a configuration change in service.yml.

Public key certificate distribution

With distributed security verification, JWT signature public key certificates must be distributed to all resource servers. The traditional push approach does not work with a microservices architecture, so a pull approach is adopted. There is a key service with an endpoint from which microservices retrieve the public key certificate at runtime, based on the key_id from the JWT header.
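A sketch of the resource-server side of this pull model, as an added example that is not light-oauth2 code: the key id is read from the standard `kid` JWT header parameter, validated before it is used in any lookup, and resolved through a cache so the key service is contacted only for unseen ids. The `fetch` callable standing in for the key service call, the key-id pattern and the miss TTL are assumptions; signature verification with the returned certificate is the next step and is not shown.

```python
import base64, json, re, time

# Assumed key-id format; refuses characters that could alter a lookup URL or path.
KID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def jwt_kid(token):
    """Read the key id from the JWT header, which is untrusted at this point."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    seg = parts[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    kid = header.get("kid") if isinstance(header, dict) else None
    if not isinstance(kid, str) or not KID_RE.fullmatch(kid):
        raise ValueError("missing or malformed key id")
    return kid

class KeyResolver:
    """Pull model: fetch a certificate the first time its key id is seen."""
    def __init__(self, fetch, miss_ttl=60.0, clock=time.monotonic):
        self.fetch = fetch          # hypothetical callable: key id -> PEM text or None
        self.certs = {}             # key id -> certificate
        self.misses = {}            # key id -> time before which we do not ask again
        self.miss_ttl, self.clock = miss_ttl, clock

    def resolve(self, token):
        kid = jwt_kid(token)
        if kid in self.certs:
            return self.certs[kid]
        now = self.clock()
        if kid in self.misses and self.misses[kid] > now:
            raise KeyError(kid)     # recently unknown: do not hit the key service again
        cert = self.fetch(kid)
        if cert is None:
            self.misses[kid] = now + self.miss_ttl
            raise KeyError(kid)
        self.certs[kid] = cert
        return cert

def sample_token(kid):
    """Constructed, unsigned token used only to exercise the lookup."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': kid})}.{enc({'sub': 'demo'})}.sig"
```

The negative cache matters because the key id arrives in an unverified header: without it, tokens carrying random key ids would turn every request into a call to the key service.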

Two tokens to support microservices architecture

Each service in a microservices application needs a subject token, which identifies the original caller (the person who logged in to the original client), and an access token, which identifies the immediate caller (which might be another microservice). Both tokens are verified against scopes at the API endpoint level. Additional claims in these tokens are used for fine-grained authorization, which happens within the business context.

Token exchange for high security

Even with two tokens, we can only verify who the original caller is and which client is the immediate caller. For some highly protected services, like payment or fund transfer, we need to ensure that the call is routed through known services. The light-oauth2 token service supports token exchange and chaining so that a service can verify the entire call tree to decide whether the call is authorized.

Service registration for scope calculation

light-oauth2 has a service registration that allows every service to be registered with its service id, all of its endpoints and the scopes for each endpoint. During client registration, you can link a client to services/endpoints, and the scope of the client is then calculated and updated in the client table. This spares developers from passing in scopes when getting an access token, as there might be hundreds of them for a client that accesses dozens of microservices.
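The calculation described above, as an added example that is not light-oauth2 code: a client is linked either to a whole service or to single endpoints, and the stored scope is the union of the scopes registered for what it is linked to. The registry contents, the function names and the rule that a token must carry every scope registered for an endpoint are assumptions made for the illustration.

```python
# Constructed registry: service id -> endpoint -> scopes registered for it.
REGISTRY = {
    "petstore": {"GET /pets": {"pet.r"}, "POST /pets": {"pet.w"}},
    "payment": {"GET /balance": {"pay.r"}, "POST /transfer": {"pay.r", "pay.w"}},
}

def calculate_scope(links, registry=REGISTRY):
    """links: (service_id, endpoint) pairs; endpoint None links the whole service.
    Returns the space-delimited scope string to store on the client record."""
    scopes = set()
    for service_id, endpoint in links:
        endpoints = registry.get(service_id)
        if endpoints is None:
            raise LookupError(f"service {service_id!r} is not registered")
        if endpoint is None:
            selected = endpoints.values()
        elif endpoint in endpoints:
            selected = [endpoints[endpoint]]
        else:
            raise LookupError(f"{service_id!r} has no endpoint {endpoint!r}")
        for endpoint_scopes in selected:
            scopes |= endpoint_scopes
    return " ".join(sorted(scopes))

def endpoint_allowed(scope, service_id, endpoint, registry=REGISTRY):
    """Assumption: the token must carry every scope registered for the endpoint."""
    return registry[service_id][endpoint] <= set(scope.split())
```

Linking a client to individual endpoints rather than to a whole service keeps the calculated scope as narrow as the client's actual needs.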

All activities are audited

A database audit handler has been wired into all light-oauth2 services to log each activity across services with sensitive info masked. In the future we will feed these logs into AI stream processing to identify abnormal behaviors, just like normal service log processing.

OAuth2 server, portal and light-4j to form ecosystem

light-java to build API

light-oauth2 to control API access

light-portal to manage clients and APIs

Introduction

This introduction document covers the basic concepts of the OAuth 2.0 specification and how it works in general.

Getting started

The easiest way to start using light-oauth2 in your development environment is through docker-compose in the light-docker repository. Please refer to getting started for more information.

Architecture

Some key decision points are documented in the architecture section.

Documentation

The detailed service documents help users understand how each individual service works and give the specification for each service. They also describe which scenarios trigger which kinds of errors.

Tutorial

There are tutorials for each service that show the most common use cases with examples.

Reference

There is a vast amount of information about OAuth 2.0 specifications and implementations. Here are some important references that can help you understand OAuth 2.0 authorization.

More Repositories

1

light-4j

A fast, lightweight and more productive microservices framework
Java
3,608
star
2

json-schema-validator

A fast Java JSON schema validator that supports draft V4, V6, V7, V2019-09 and V2020-12
Java
821
star
3

microservices-framework-benchmark

Raw benchmarks on throughput, latency and transfer of Hello World on popular microservices frameworks
C++
702
star
4

react-schema-form

react form based on json schema for form generation and validation
JavaScript
358
star
5

light-example-4j

Example APIs or services to demo all feature of the light-4j framework
Java
149
star
6

light-rest-4j

A RESTful framework built on top of light-4j with both Swagger 2.0 and OpenAPI 3.0 supports
Java
119
star
7

light-eventuate-4j

An eventual consistency framework based on Event Sourcing and CQRS on top of light-4j and Kafka
Java
59
star
8

light-codegen

A code generator based on rocker that can be used as an utility or web service
Java
40
star
9

light-graphql-4j

GraphQL implementation based on light-4j
JavaScript
31
star
10

light

A lightning fast light weight Omni-Channel Application framework based on Angularjs, Undertow, RuleEngine and Orientdb
Java
31
star
11

light-saga-4j

A saga implementation to manage distributed transaction across multiple microservices
Java
22
star
12

light-workflow-4j

A state machine based light-weight workflow engine for microservices orchestration
Java
20
star
13

light-proxy

A fast reverse proxy with an embedded gateway to wrap third-party APIs and bring them to the ecosystem of light platform
Java
16
star
14

light-rule

A rule engine or rule as a service based on Kotlin DSL
Kotlin
15
star
15

light-docker

Dockerfile and compose to bring everything up together with your APIs
TSQL
13
star
16

light-spring-boot

Spring Boot customizers that allow light-4j middleware handlers to be injected in Undertow core
Java
13
star
17

model-config

A repository contains all model definition and light-codegen config for different frameworks
Shell
11
star
18

react-schema-form-rc-select

An add-on of react-schema-form that support multiple select and a demo for extending react-schema-form with new components.
JavaScript
11
star
19

light-email

An email sender based on Kafka Streams for Event Sourcing
Java
11
star
20

json-schema-validator-perftest

A performance test project that compares networknt, fge and everit json-schema-validator
Java
10
star
21

openapi-bundler

A utility that merges multiple OpenAPI specification files into a single file with all external references resolved to local reference.
Java
10
star
22

light-hybrid-4j

A hybrid between monolithic and microservices to take advantages of both
Java
10
star
23

light-doc

The hugo documents and templates repo that will be built to https://doc.networknt.com
CSS
10
star
24

light-session-4j

Distributed session managers (Redis, Hazelcast, JDBC) that support web server cluster for light-4j framework
Java
8
star
25

openapi-parser

A light-weight, fast OpenAPI 3.0 parser and validator with minimum third party dependencies
Java
8
star
26

jsontoken

google jsontoken with gson, joda and google collection removed. Work with java8 only.
Java
8
star
27

light-bot

A microservice based DevOps agent that handles multiple repositories and dependencies
Java
7
star
28

light-scheduler

a scalable event scheduler based on transactional Kafka streams and interactive queries
Java
7
star
29

http2client-benchmark

HTTP/2 client raw benchmark against light-4j server
Java
6
star
30

light-router

A client side service mesh router designed for legacy system that cannot leverage client module
Java
5
star
31

light-config-test

Default config files of light-4j for test environment on light-config-server
JavaScript
4
star
32

light-spa-4j

Middleware handlers for Single Page Application
Java
4
star
33

light-kafka

Components that help with light-4j and Kafka integration
Java
4
star
34

light-eventuate-example

Example projects based on light-eventuate framework
Java
4
star
35

light-tram-4j

Transactional Messaging framework for message/event/command driven interaction style
Java
4
star
36

light-aws-lambda

Aws lambda extensions for cross-cutting concerns
Java
3
star
37

light-consumer-4j

Light 4J Client Framework Dependency Module
Java
3
star
38

react-file-manager

A react remote file manager with Light Framework as back end file system. This is one of the admin tools that our customers manage their static files on shared host.
3
star
39

light-gateway

A standalone gateway combined both light-router and light-proxy
Java
3
star
40

taiji-blockchain

light block chain end user and merchant components
Java
3
star
41

light-lambda-native

A Lambda native gateway with cross-cutting concerns implemented in Java
Java
3
star
42

light-example-graal

Native Java Applications with GraalVM
Java
2
star
43

light-cms

Undertow and Angularjs based light weight CMS
JavaScript
2
star
44

swagger-bundler

A utility that merges multiple swagger files into a single file with all external references resolved to local reference.
Java
2
star
45

http-sidecar

HTTP sidecar of light-mesh to provide cross-cutting concerns for Kubernetes service
Java
2
star
46

light-mesh

A service mesh implementation based on the light-proxy and light-router with SMI support
2
star
47

kafka-sidecar

Kafka sidecar of light-mesh to provide cross-cutting concerns for Kubernetes service to interact with Kafka
Java
2
star
48

lambda-market

A demo market api consisting of several Lambda functions
Java
2
star
49

light-tram-kafka

light-tram-4j with Kafka transactional producer and consumer only
Java
1
star
50

light-workflow

A workflow engine or workflow as a service based on Kotlin DSL
1
star
51

light-supergloo

Middleware handlers that integrate with Solo.io SuperGloo ecosystem
1
star
52

light-hash

A command line utility that hashes the key or password with PBKDF2WithHmacSHA1
Java
1
star
53

yaml-rule-plugin

A repo that contains all the plugins for the light-gateway request and response transformer
Java
1
star
54

http-client

An HTTP client based on JDK 11 http-client to invoke APIs with client-side cross-cutting concerns addressed
Java
1
star
55

light-example-kotlin

Light-4j example services implemented in Kotlin
Kotlin
1
star
56

light-commerce

An E-Commerce plugin on top of Light Framework to give users omni-experience for online shopping
JavaScript
1
star
57

portal-view

A react light-portal UI as a template for single page applications that interact with back end APIs
JavaScript
1
star
58

maven-plugin

plugins to load rule, form and page from file system through REST APIs
Java
1
star
59

doc.maproot.net

Document site for the maproot.net application based on Hugo
CSS
1
star
60

light-rfcs

Generic request for comments related to light platform
1
star
61

light-test

Testing rules
Java
1
star
62

json-overlay

A fork of RepreZen JsonOverlay with all dependencies and code generation removed
Java
1
star
63

yaml-rule

A simple rule engine with rules defined in YAML or JSON
Java
1
star
64

lambda-petstore

A petstore demo api consisting of several Lambda functions
Java
1
star