This repository contains various demonstrations of federated identity protocols such as OAuth 2 and OpenID Connect. Prerequisites and tools used by the demos:
- Java 21 or later
- Bruno API Client
- JSON Web Token Toolkit v2 (JWT_Tool)
- Step CLI Tool for building, operating, and automating Public Key Infrastructure (PKI) systems and workflows
- CyberChef - The Cyber Swiss Army Knife
- Customized Spring Authorization Server
The following demos are included:
- Authorization Code Demo: Shows the OAuth 2.1 protocol flow in detail, including
  - Authorization Code Grant
  - PKCE
  - User Info
  - Introspection
  - Token Exchange
  - DPoP
- Backend for Frontend Pattern
- RFC 9068 Compliant Resource Server
- Token Exchange Demo
- Decoding & Validating JWTs
- Insecure API (Hacking JWT)
To test the provided APIs with OAuth2/OIDC and JWTs, you may use the provided Bruno collection located in the folder `bruno/federated-identity-demos`.
| Provider | OAuth 2.1 (Draft) | PKCE (RFC 7636) | RFC 9126 (OAuth Security BCP) | RFC 8705 (Mutual TLS) | RFC 9449 (DPoP) | RFC 8725 (JWT BCP) | RFC 9068 (JWT Profile for Access Tokens) | RFC 8693 (Token Exchange) |
|---|---|---|---|---|---|---|---|---|
| Auth0 | ✅ | ✅ | 🔶 Partial | 🔶 Enterprise Add-on | ✅ (Beta) | ✅ | 🔶 (Experimental) | 🔶 (Beta via Rules/Hooks) |
| MS Entra ID | ✅ | ✅ | ✅ | 🔶 Confidential Client + Certs | ❌ | ✅ | ❌ | 🔶 (Entra ID - Limited) |
| Google Identity | ✅ | ✅ | 🔶 Partial | ❌ | ❌ | ✅ | ❌ | ❌ |
| Okta | ✅ | ✅ | ✅ | ✅ (with Workflows) | ✅ (Preview) | ✅ | 🔶 (Preview for APIs) | 🔶 (Some API Gateways only) |
| Keycloak | ✅ | ✅ | ✅ | ✅ | ✅ (v24+) | ✅ | ✅ (via config) | ✅ (v24+) |
| ForgeRock | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Ping Identity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| Curity | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
| AWS Cognito | ✅ | ✅ | 🔶 Partial | ❌ | ❌ | ✅ | ❌ | ❌ |
| Spring Authorization Server | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
- ✅ = Fully supported
- 🔶 = Partially supported / Preview / Requires configuration or specific SKU
- ❌ = Not supported or not documented