This is a flexible, but not fully compatible, implementation of the FAPI, OAuth 2.1 and OpenID Connect specifications. It supports:
- Grant Management for OAuth2.0
- OAuth 2.0 Rich Authorization Requests (in a modified form, explained later)
- OAuth 2.0 Pushed Authorization Requests
- OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)
- OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
- Authorization endpoint
- Token endpoint
- Token revocation endpoint
- Token introspection endpoint
- User info endpoint
- Discovery endpoint
https://blazkaro.github.io/FAPIServerDocumentation/
- It uses PASETO instead of JWT, and PASERK instead of JWK. Every token (access token, authorization response, DPoP proof) is a PASETO.
- It doesn't support mTLS client authentication; the only client authentication method is `private_key_paseto` (`private_key_jwt` using PASETO).
- Currently, it doesn't support the server-provided nonce defined in the FAPI 2.0 Security Profile.
Planned features and tasks:
- Support for CIBA
- Support for application-level request signing between client and authorization server, using the `client_assertion` and DPoP mechanism or request objects (milestone)
- Support for signing userinfo, token introspection and grant querying responses
- Support for DPoP revocation after use (the same mechanism as with `client_assertion`)
- Add better documentation for the project
- Add unit tests
If you find security issues, please contact me by email at blazkaro.programmer@protonmail.com.