OpenID Connect is an authentication protocol and identity layer on top of OAuth 2.0, used in many SSO deployments and adopted by many social logins.
This is a curated list of providers, services, libraries, and resources to help you adopt it and learn more about the existing specs.
- OpenID Providers (OP)
- Relying Parties (RP) Libraries
- Relying Parties (RP) Software Plugins
- Resources
OpenID Connect Providers available as SaaS and Open Source solutions.
- Microsoft Entra ID - Software component developed by Microsoft providing single sign-on access to systems and applications.
- Auth0 - OpenID Connect and OAuth2 service that is available in the cloud or can be installed on premise.
- Authelia - Open Source authentication and authorization server and portal fulfilling the identity and access management (IAM) role of information security by providing single sign-on (SSO).
- Authentik - Open Source Identity Provider focused on flexibility and versatility.
- Authlete - Set of APIs for developers to implement OAuth authorization servers and OpenID Connect identity providers.
- AWS Cognito - Cognito by Amazon Web Services provides an OpenID Connect provider in addition to IAM capabilities.
- Cloudentity - Cloud Identity and Authorization Platform with FAPI and eKYC support.
- Connect2id - OpenID Connect SSO and IdP server for enterprise.
- Curity Identity Server - API Security solution that brings identity and API access management together.
- Duende IdentityServer - ASP.NET Core OpenID Connect Provider solution.
- Duo - OpenID Connect Provider and IdP solution developed by Cisco.
- FrontEgg - A Customer Identity solution for SaaS platforms with OpenID Connect Provider capability.
- ForgeRock Identity Platform - Standards-based OpenID Connect Provider/OAuth2 Authorization Server with an Access Management server.
- Keycloak - Open Source project powered by Red Hat which provides user federation, strong authentication, user management, fine-grained authorization, and more.
- Gluu - FAPI-certified OpenID Connect Provider solution integrated with IAM.
- Gravitee.io - Open Source OpenID Connect/OAuth 2.0 provider that aims to be a bridge between applications and identity providers to authenticate, authorize and get information about user accounts.
- LoginRadius - A SaaS CIAM that can act as an OpenID Connect provider.
- Okta - Extensible solution that enables both customer and workforce identity with federation, single sign-on, API security and workflows for both cloud and on-prem solutions.
- OneLogin - SaaS Employee and Customer IAM solution with OpenID Connect Provider capabilities.
- Ory Hydra - Open Source OpenID Certified™ OpenID Connect and OAuth Provider.
- MITREid Connect - Open Source OpenID Connect reference implementation in Java.
- PingFederate - Federation server that provides secure single sign-on, API security and provisioning for enterprise customers, partners, and employees.
- SiteMinder - An IAM solution provided by Broadcom with OpenID Connect Provider support.
- Transmit Security - Transmit Security is a CIAM solution that supports an OpenID Connect-based integration.
- WSO2 Identity Server - Identity Server which provides modern identity and access management capabilities that can be easily built into an organization's customer experience (CX) applications.
- Zitadel - Open Source Identity solution with an OpenID Connect provider (OP) and SAMLv2 ready to use.
- OpenID Foundation conformance suite - Conformance test suite used to obtain OpenID Foundation certification, covering OpenID Connect, FAPI1-Advanced, FAPI2, FAPI-CIBA and OpenID for Identity Assurance (eKYC).
Relying Parties (RP) Libraries for implementing OpenID Connect on a client application.
- liboauth2 - Generic library to build C-based OpenID Connect Provider and Relying Party.
- mod_auth_openidc - OpenID Connect Relying Party certified implementation for Apache Server 2.x.
- ngx_oauth2_module - OpenID Connect Relying Party certified implementation for Nginx.
- IdentityModel.OidcClient - C# / .NET OpenID Connect relying party client certified library for native mobile/desktop applications.
- oidcc - Certified OpenID Connect Relying Party client library for Erlang and Elixir with FAPI support.
- coreos/go-oidc - Go OpenID Connect client.
- zitadel/oidc - OpenID Connect client and server library certified by the OpenID Foundation.
- com.google.oauth-client/google-oauth-client - OAuth Relying Party Java library written by Google for OAuth 2.0 with Android support.
- com.nimbusds/oauth2-oidc-sdk - Java SDK developed by connect2id with OpenID Connect, FAPI, Federation and eKYC / Identity Assurance extensions.
- Spring Security - Spring Security implements OAuth 2.0 and OpenID Connect for Spring based applications.
- openid-client - OpenID Certified™ Relying Party (OpenID Connect/OAuth 2.0 Client) implementation for Node.js.
- oauth4webapi - OAuth 2/OpenID Connect library for JavaScript Runtimes.
- oidc-client-ts - TypeScript OpenID Client and OAuth 2.0 client for browser-based applications.
Libraries focused on integration with a specific framework.
- NextAuth.js - Open Source authentication solution for Next.js applications including using OpenID Connect.
- nuxt-auth for Nuxt 2 - Zero-boilerplate authentication support for Nuxt.js 2.
- nuxt-auth for Nuxt3 - Nuxt 3 user authentication and sessions library. nuxt-auth wraps NextAuth.js.
- angular-auth-oidc-client - Angular certified library with OAuth 2.0 and OpenID Connect flows, and Angular schematics.
- angular-oauth2-oidc - Library which brings support for OAuth 2.0 and OpenID Connect (OIDC) to Angular.
- ocaml-oidc - Certified OpenID Connect Relying Party implementation in OCaml.
- thephpleague/oauth2-client - Integration with OAuth 2.0 service providers for PHP.
- mozilla-django-oidc - A Django OpenID Connect relying party library maintained by Mozilla.
- openid_connect - Ruby OpenID Connect Relying party (RP) and Provider (OP) library.
- omniauth_openid_connect - OpenID Connect Strategy for Ruby OmniAuth library.
- openidconnect - OpenID Connect Relying party (RP) library for Rust.
- MiniOrange OAuth SSO - WordPress OAuth and OpenID Connect plugin developed and actively maintained by MiniOrange.
Where to discover learning resources about OpenID Connect.
- authorization_code - OAuth 2.0 Authorization Code Grant Type, which fits public client authorization well, such as web apps.
- refresh_token - OAuth 2.0 Refresh Token Grant Type used to exchange a refresh token for a short-lived access token and sometimes a new refresh token as well.
- client_credentials - OAuth 2.0 Client Credentials Grant providing a way to get a token without user interaction, which fits machine-to-machine communication well.
- urn:ietf:params:oauth:grant-type:device_code - OAuth 2.0 Device Authorization Grant focused on interaction with a user outside of a browser context, such as smart TVs.
- urn:ietf:params:oauth:grant-type:jwt-bearer - JSON Web Token (JWT) Profile for OAuth 2.0 used to authorize a client to get an access token with another JWT issued by a trusted provider.
- urn:ietf:params:oauth:grant-type:token-exchange - OAuth 2.0 Token Exchange is a Grant Type which provides a way to get tokens from another token and gives the ability to add an actor claim.
- Proof Key for Code Exchange (PKCE) Extension - Extension of the Authorization Code flow adding a security layer against authorization code interception attacks.
- OpenID Connect Core 1.0 - Defines the core OpenID Connect functionality: authentication built on top of OAuth 2.0 and the use of Claims to communicate information about the End-User. It also describes the security and privacy considerations for using OpenID Connect.
- The OAuth 2.0 Authorization Framework - Underlying OAuth 2.0 protocol OpenID Connect is based on.
- JSON Web Token (JWT) - JWT specifications used for different tokens mentioned in OAuth 2.0 and OpenID Connect specifications.
- JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens - JWT format and validation specifications in the context of OAuth 2.0.
- JSON Web Key (JWK) - JavaScript Object Notation (JSON) data structure that represents a cryptographic key provided by OpenID Connect Provider.
- JSON Web Encryption (JWE) - Specifications for JWE which represents encrypted content using JSON-based data structures.
- JSON Web Signature (JWS) - Specifications for JWS which represents content secured with digital signatures.
- OAuth 2.0 Threat Model and Security Considerations - Known threats using OAuth 2.0 / OpenID Connect and countermeasures.
- OAuth 2.0 Authentication Method Reference Values - Lists authentication method values for the AMR token claim.
- OAuth 2.0 Authorization Framework: Bearer Token Usage - Describes how to use bearer tokens in HTTP requests to access OAuth 2.0 protected resources.
- OAuth 2.0 for Native Apps - Security and usability best practices for OAuth usage in native apps.
- OAuth 2.0 Pushed Authorization Requests - Pushed authorization request (PAR) allows clients to push the payload of an OAuth 2.0 authorization request to the authorization server via a direct request.
- OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens - Standardizes enhanced security options for OAuth 2.0 utilizing client-certificate-based mutual TLS (mTLS).
- OAuth 2.0 JWT-Secured Authorization Request (JAR) - Allows request parameters to be sent in a JSON Web Token (JWT), which can be signed with JSON Web Signature (JWS) and encrypted with JSON Web Encryption (JWE) so that the integrity, source authentication, and confidentiality properties of the authorization request are attained.
- OpenID Connect Discovery 1.0 - Mechanism for an OpenID Connect Relying Party to discover the End-User's OpenID Provider and obtain information needed to interact with it.
- OpenID Connect Front-Channel Logout - Logout mechanism that uses front-channel communication via the User Agent between the OpenID Connect provider (OP) and Relying Parties (RPs) being logged out that does not need an OpenID Provider iframe on Relying Party pages.
- OpenID Connect Back-Channel Logout - Logout mechanism that uses direct back-channel communication between the OpenID Connect provider (OP) and Relying Parties (RPs) being logged out.
- OAuth 2.0 Authorization Server Metadata - A metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server.
- OAuth 2.0 Token Revocation - Endpoint for OAuth authorization servers which allows clients to notify the authorization server that a previously obtained refresh or access token is no longer needed.
- OAuth 2.0 Dynamic Client Registration Protocol - Defines how an OAuth 2.0 Relying Party (RP) can dynamically register with the OAuth 2.0 authorization server.
- OpenID Connect Dynamic Client Registration - Defines how an OpenID Connect Relying Party (RP) can dynamically register with the End-User's OpenID Provider (OP).
- OAuth 2.0 Token Introspection - Method for a protected resource to query an OAuth 2.0 authorization server to determine the active state of an OAuth 2.0 token and to determine meta-information about this token.
- Financial-grade API Security Profile 1.0 - Part 1: Baseline - Baseline security profile of OAuth that is suitable for protecting APIs with a moderate inherent risk in the context of Financial-grade APIs.
- Financial-grade API Security Profile 1.0 - Part 2: Advanced - Advanced security profile of OAuth that is suitable to be used for protecting APIs with high inherent risk in the context of Financial-grade APIs.
- JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) - JWT-based mode to encode OAuth authorization response parameters with additional claims used to further protect the transmission.
- OpenID Connect Session Management - Specifications about OpenID Connect session management.
- OAuth 2.0 Dynamic Client Registration Management Protocol - Endpoints for management of OAuth 2.0 dynamic client registrations.
- OAuth 2.0 Security Best Current Practice - Best security practice when using OAuth 2.0 and OpenID Connect.
- OpenID Connect Federation 1.0 - Draft specification for putting in place bilateral federations between two organizations.
- Financial-grade API: Client Initiated Backchannel Authentication Profile - Financial services profile specifications for Client Initiated Backchannel Authentication (aka CIBA).
- OAuth 2.0 for Browser-Based Apps - Security and usability best practices for OAuth usage in browser-based apps.
- Selective Disclosure for JWTs (SD-JWT) - Specification for selective disclosure of JWT elements.
- OpenID - OpenID Connect official website.
- OAuth - OAuth website maintained by Aaron Parecki which lists different resources about the protocol.
- ByteByteGo - OAuth 2.0 explained in visual and simple terms.
- Aaron Parecki - Aaron Parecki OAuth WG Member blog posts about OAuth 2.0.
- Alex Bilbie - Alex Bilbie blog posts about OAuth topic.
- CerberAuth - A blog talking about OpenID Connect and OAuth2.
- Curity Resources - Curity solution resources articles about OpenID Connect.
- Okta Blog - Okta blog posts about OAuth2 and OpenID Connect.
- Medium OAuth2 - Medium blog talking about OAuth2.
- OAuth.com Playground - OAuth 2.0 / OpenID Connect Playground with authorization flows and a step-by-step walkthrough of the process of obtaining an access token.
- Curity Playground - Tools for exploring and testing OAuth and OpenID Connect flows.
- The Little Book of OAuth 2.0 RFCs by Aaron Parecki
- OAuth 2.0 Simplified by Aaron Parecki
- Getting Started with OAuth 2.0 by Ryan Boyd
- Solving Identity Management in Modern Applications: Demystifying OAuth 2, OpenID Connect, and SAML 2 by Yvonne Wilson
- Keycloak - Identity and Access Management for Modern Applications: Harness the power of Keycloak, OpenID Connect, and OAuth 2.0 protocols to secure applications by Stian Thorgersen and Pedro Igor Silva
Your contributions are always welcome! Please take a look at the contribution guidelines first.