This library is the Authelia OAuth 2.0 Framework which is internally used to deliver OAuth 2.0 and OpenID Connect 1.0 Flows to its users.
In an effort to assist users who wish to use this library we aim to maintain the following list of differences:
- Module path changed from
github.com/ory/fosite
toauthelia.com/provider/oauth2
. - Documentation:
- Add spec support documentation
- Overhaul testing:
- Ensure all tests and subtests are well named
- Ensure all tests are simplified where possible
- Restore/Implement conformance tests
- Rename interfaces and implementations:
-
OAuth2Provider
toProvider
. -
Fosite
toTBA
.
-
- Minimum dependency is go version 1.21
- Replace string values with constants where applicable commit
- Simplify the internal JWT logic to leverage
github.com/golang-jwt/jwt/v5
or other such libraries - Implement internal JWKS logic
- Higher Debug error information visibility (Debug Field includes the complete RFC6749 error with debug information if available)
- Fixes:
-
Basic Scheme Rejects Special Characterscommit - RFC9068 must condition ignored commit
- Arguments are treated as case-insensitive commit
- Refresh Flow:
- PKCE Flow:
- OpenID Flows:
- Absence of Redirect URI does not result in an error commit
- Decode id_token_hint with correct signer
- Write Revocation Response does not correctly error commit
Invalid Token base 64 error not mapped to RFC- Auth Request omitted Response Mode not validated
- Refresh Grant if Token Invalid/Expired status is not 400 commit
- Access Token iat and nbf in JWT Profile always original claims commit
-
- Features:
- Requested Audience Policy (many clients do not support the parameter)
- PAR Flow:
- Per-Client Enforcement Policy
- PKCE Flow:
- Per-Client Enforcement Policy
- CoreStrategy:
- Customizable Token Prefix commit
- Automatic NewCoreStrategy which provides either:
- JWT Profile Core Strategy (if a jwt.Signer is provided)
- HMAC-based Core Strategy
- JWT Profile Per Client
- Introspection JWT Responses
- Introspection Client Authentication
- Custom Form Post Response Writer
- UserInfo support
- RFC8628: OAuth 2.0 Device Authorization Grant support commit
- RFC8693: OAuth 2.0 Token Exchange support commit
- RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens support
- RFC9449: OAuth 2.0 Demonstrating Proof of Possession (DPoP) support
- RFC9396: OAuth 2.0 Rich Authorization Requests support
- RFC9101: OAuth 2.0 JWT-Secured Authorization Requests
- OpenID Connect Dynamic Client Registration 1.0 support
- Response Mode Rework:
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) support commit
- RFC9207: OAuth 2.0 Authorization Server Issuer Identification support commit
- Response Type None commit
- Revocation Flow per policy can decide to revoke Refresh Tokens on request commit
- Client Authentication Rework:
- General Refactor
- Prevent Multiple Client Authentication Methods
- Client Secret Validation Interface
- JWE support for Client Authentication and Issuance
- Testing Package (mocks, etc)
- Clock Drift Support
- Key Management
- Injectable Clock Configurator
- Support
s_hash
commit
- Removal of the following dependencies:
-
go.opentelemetry.io/otel/trace
-
github.com/ecordell/optgen
-
github.com/asaskevich/govalidator
-
github.com/gorilla/websocket
-
github.com/magiconair/properties
-
github.com/mattn/goveralls
-
github.com/oleiade/reflections
-
github.com/ory/go-acc
-
github.com/ory/go-convenience
-
github.com/ory/x
-
github.com/gorilla/sessions
-
github.com/gobuffalo/packr
-
github.com/form3tech-oss/jwt-go
-
github.com/dgrijalva/jwt-go
-
- Migration of the following dependencies:
-
github.com/go-jose/go-jose/v3
=>github.com/go-jose/go-jose/v4
-
github.com/golang/mock
=>github.com/uber-go/mock
-
github.com/cristalhq/jwt/v4
=>github.com/golang-jwt/jwt/v5
-
This is a hard fork of ORY Fosite under the Apache 2.0 License for the purpose of performing self-maintenance of this critical Authelia dependency.
We however:
- Acknowledge the amazing hard work of the ORY developers in making such an amazing framework that we can do this with.
- Plan to continue to contribute back to te ORY fosite and related projects.
- Have ensured the licensing is unchanged in this fork of the library.
- Do not have a formal affiliation with ORY and individuals utilizing this library should not allow their usage to be a reflection on ORY as this library is not maintained by them.