Libraries, Products, and Tools

Below is a list of libraries, products, and tools implementing current OpenID specifications and related specs. While several of these implementations have been tested, they are maintained by members of the OpenID community or vendors and are not necessarily known to work. Please review the documentation and test your own implementation thoroughly before releasing to the public.

To discuss these implementations, please consider joining the [email protected] mailing list. To participate in interop testing, also join the [email protected] mailing list.

Table of Contents

OpenID Connect 1.0

OpenID Connect is an interoperable authentication protocol based on the OAuth 2.0 family of specifications. It uses straightforward REST/JSON message flows with a design goal of “making simple things simple and complicated things possible”. It’s uniquely easy for developers to integrate, compared to any preceding Identity protocol.

C

Apache mod_auth_openidc

  • Apache Relying Party module for OpenID Connect
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: Apache Web Server

C#

IdentityServer3

  • IdentityServer3
  • License: Apache 2.0
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: OWIN/Katana

IdentityServer4

  • IdentityServer4
  • License: Apache 2.0
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: ASP.NET Core

Elixir

Shield

  • OpenID server implementation using Elixir programming language and Phoenix Framework
  • License: MIT
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: Phoenix Framework

Erlang

oidcc

Go

OpenID2Go

  • A Golang package that implements web service middleware for authenticating identities represented by ID Tokens.
  • License: MIT
  • Relying Party: Yes
  • Identity Provider: No

dex

  • We here at CoreOS have created dex, an OpenID Connect Identity Provider, written in Go. It’s secure, flexible and fairly easy-to-deploy and integrate with.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes

Haskell

Broch

  • An OpenID Connect Provider implemented in Haskell. Currently more a research project than production ready.
  • License: BSD3
  • Relying Party: No
  • Identity Provider: Yes

Java

Nimbus OAuth 2.0 SDK with OpenID Connect extensions

  • Nimbus OAuth 2.0 SDK with OpenID Connect extensions
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes

MITREid Connect

  • MITREid Connect is a Java implementation of OpenID Connect, developed by Mitre Corporation and maintained by MIT-KIT.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Spring Framework

Google OAuth Client Library for Java

  • Written by Google, this library is a powerful and easy to use Java client library for the OAuth 2 and OAuth 1.0a standards for authorization. It is built on the Google HTTP Client Library for Java.
  • License:
  • Relying Party: Yes
  • Identity Provider: No

Gluu OpenID Connect Software

  • OX OpenID Connect Platform is a Java implementation of OpenID Connect, developed by Gluu.
  • License: MIT
  • Relying Party: Yes
  • Identity Provider: Yes

Keycloak

  • Keycloak integrated SSO for browser apps and RESTful web services
  • License:
  • Relying Party:
  • Identity Provider:

Apache Oltu

  • Apache Oltu is an OAuth protocol implementation in Java. It also covers others “OAuth family” related implementations such as JWT, JWS and OpenID Connect.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Apache

JavaScript

passport-openidconnect

  • OpenID Connect authentication strategy for Passport
  • License: MIT
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: node.js

oidc-provider

  • oidc-provider is an OpenID Provider implementation of OpenID Connect. It allows to export a complete Koa.js OpenID Provider implementation which you can mount to your existing Koa.js applications or run standalone.
  • License: MIT
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: node.js

oidc-client

  • OIDC protocol library for JavaScript-based browser and Cordova clients
  • License: Apache 2
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: Browser or Cordova. Available via npm and bower.

openid-client

  • openid-client is an OpenID Connect Relying Party (RP, Client) implementation for Node.js
  • License: MIT
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: node.js

Lua

NGINX lua-resty-openidc

  • NGINX Relying Party module for OpenID Connect
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: NGINX Web Server

Perl

LemonLDAP::NG

  • Our last version (1.9.0) implements OpenID Connect as Relying Party and OpenID Provider.
  • License: GPL
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Perl

PHP

phpOIDC

  • phpOIDC is a PHP implementation of OpenID Connect, developed by Nomura Research Institute. It also includes the JWT, JWS, and JWE support.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Apache, nginx

OpenID-Connect-PHP

  • A minimalist library supporting basic client authentication. Aims to make it simple enough for a developer with little knowledge of the OpenID Connect protocol to setup authentication.
  • License: Apache License, Version 2.0
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: PHP, Apache, Nginx, etc.

oauth2-server-php

  • A library for implementing an OAuth2 Server in PHP. Has been extended to support OpenID Connect identity provider functionality.
  • License: MIT License
  • Relying Party: No
  • Identity Provider: Yes
  • Target Environment: PHP

Drupal OpenID Connect Plugin

  • Authentication to Drupal with OpenID Connect
  • License: GPL, version 2
  • Relying Party: Yes
  • Identity Provider: No
  • Target Environment: Drupal

Python

pyoidc

  • pyoidc was developed as a test harness for OpenID Connect. Developed by Roland Hedberg.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes

Django OIDC Provider

  • Provides you out of the box all the endpoints, data and logic needed to add OIDC capabilities to your Django projects. Developed by Juan Ignacio Fiorentino.
  • License: MIT
  • Relying Party: No
  • Identity Provider: Yes

Ruby

Ruby OpenID Connect

  • Ruby OpenID Connect is a ruby gem that implemented OpenID Connect server and client, developed by Nov Matake.
  • License: MIT
  • Relying Party: Yes
  • Identity Provider: Yes

Products

Amazon Web Services

  • Amazon Web Services supports OpenID Connect
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: No

Auth0

  • Auth0 (cloud and non-cloud) version includes OpenID Connect Identity Provider support
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: Yes

Axway API Gateway

  • Axway API Gateway includes identity provider and relying party support, with samples for both, including acting as relying party for Google.
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: Yes

Azure Active Directory

  • Microsoft Azure Active Directory includes OpenID Connect identity provider support.
  • License: Commercial
  • Relying Party: No
  • Identity Provider: Yes

CA API Gateway

  • CA API Gateway supports OAuth, OpenID Connect and JWT.
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: Yes

Gluu Server

  • License: Free Open Source
  • Relying Party: Yes
  • Identity Provider: Yes

OpenAM (Open Access Manager)

  • ForgeRock OpenAM is the all-in-one, highly scalable access management solution that supports OpenID Connect Identity Provider and Relying Party.
  • License: Commercial (Binary); Open Source (CDDL)
  • Relying Party: Yes
  • Identity Provider: Yes

OpenIG (Open Identity Gateway)

  • ForgeRock OpenIG is an application and API gateway that leverages SAML 2.0, OpenAM SSO, OAuth 2.0 and OpenID Connect. It supports OpenID Connect Relying Party.
  • License: Commercial (Binary); Open Source (CDDL)
  • Relying Party: Yes
  • Identity Provider: No

PingFederate

  • Ping Identity’s PingFederate includes OpenID Connect identity provider support.
  • License: Commercial
  • Relying Party: No
  • Identity Provider: Yes

Uni-iD

  • NRI Uni-iD includes OpenID Connect identity provider and relying party support.
  • License: Commercial
  • Relying Party: Yes
  • Identity Provider: Yes

WSO2 Identity Server

  • WSO2 Identity Server includes identity provider and sample relying party support.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes

JWT/JWS/JWE/JWK/JWA Implementations

OpenID Connect uses the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications. Libraries implementing JWTs and the JOSE specs JWS, JWE, JWK, and JWA are listed here.

C/C++

cjose

  • C JOSE library
  • License: MIT
  • Supports: JWS, JWE, and JWK
  • Target Environment: C/C++

C#

JsonWebToken DelegatingHandler for ASP.NET WebAPI

  • description:
  • License: MIT
  • Supports: JWS, JWT
  • Target Environment: ASP.NET WebAPI

JSON Web Token Handler For the Microsoft .Net Framework 4.5

  • This package provides an assembly containing classes which extend the .NET Framework 4.5 with the necessary logic to process the JSON Web Token (JWT) format.
  • License: Microsoft Software License
  • Supports: JWS, JWT
  • Target Environment: .Net Framework 4.5

JWT (JSON Web Token) implementation for .NET 3.5+

Microsoft.Owin.Security.Jwt

  • Middleware that enables an application to protect and validate JSON Web Tokens.
  • License: Microsoft Software License
  • Supports: JWS, JWT
  • Target Environment: OWIN

OWIN Authentication Middleware for Auth0 JWT Bearer Token

  • License:
  • Supports: JWS, JWT
  • Target Environment: OWIN

Haskell

Haskell jose-jwt package

Java

jose4j

  • Open source implementation of JWT and the full JOSE suite. Developed by Brian Campbell.
  • License: Apache 2.0
  • Supports: JWT, JWS, JWE and JWK.
  • Target Environment: Java 7 or 8

Nimbus JOSE+JWT

  • Nimbus JOSE+JWT is an open source (Apache 2.0) Java library that implements the Javascript Object Signing and Encryption (JOSE) spec suite and the closely related JSON Web Token (JWT) spec. Developed by Connect2id.
  • License: Apache 2.0
    Supports: JWS, JWE, JWT
    Target Environment: Java 6, 7 or 8

Java JWT

  • a simple project to decode JSON Web Tokens in Java
  • License:
  • Supports: JWS, JWT
  • Target Environment:

Resteasy

  • description:
  • License:
  • Supports:
  • Target Environment: JBOSS

Apache Oltu – JOSE

  • Apache Oltu is an OAuth protocol implementation in Java. It also covers others “OAuth family” related implementations such as JWT, JWS and OpenID Connect.
  • License: Apache 2.0
  • Supports: JWS, JWT
  • Target Environment: Apache

Apache CXF

  • Apache CXF is a Java JAX-WS and JAX-RS 2.0 services framework. It also provides a complete JOSE implementation.
  • License: Apache 2.0
  • Supports: JWA, JWK, JWS, JWE, JWT
  • Target Environment: Apache

Javascript

jsjws

  • The ‘jsjws'(JSON Web Signature JavaScript Library) is a pure open source free JavaScript implementation of JWS. Furthermore, ‘jsjws’ provides JSON Web Signature JSON Serialization (JWS-JS) which is a kind of parallel or independent signature format by multiple signers. Created by Kenji Urushima (@kjur)
  • License: MIT
  • Supports: JWS, JWS-JS
  • Target Environment: generic

node-jsonwebtoken

  • node-jsonwebtoken is a JWS library for node.js.
  • License: MIT
  • Supports: JWS, JWT
  • Target Environment: node.js

Ruby

PHP

phpOIDC

  • phpOIDC is a PHP implementation of OpenID Connect, developed by Nomura Research Institute. It also includes the JWT, JWS, and JWE support.
  • License: Apache 2.0
  • Relying Party: Yes
  • Identity Provider: Yes
  • Target Environment: Apache, nginx

Python

Tools

http://jwt.io/ JWT debugger

  • Description: Interactive JWT debugger

json-web-key-generator

  • Description: a command-line Java app to generate JWKs and JWK sets

Obsolete Specifications

Libraries for Obsolete Specifications, such as OpenID 2.0, are listed separately.

Additions

Did we miss something? Drop us a note at the [email protected] mailing list or the [email protected] mailing list.