Skip to content

KuneiFormApp/wedge-authorization-server

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

7 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

image

πŸ” WedgeAuth

WedgeAuth is a headless OAuth 2.1 / OpenID Connect authorization server built on Spring Boot 4.0.1 and Spring Authorization Server.

WedgeAuth is an authorization server, not an identity system.
You own your users. You own your data. No vendor lock-in.


🎯 What is WedgeAuth?

WedgeAuth is designed for teams that:

  • Already have their own user database
  • Want OAuth 2.1 / OIDC without the complexity
  • Need a secure, production-ready auth server without vendor lock-in
  • Prefer configuration over code

We don't believe in locking you into our ecosystem. WedgeAuth integrates with your existing user system via HTTP, doesn't store your users, and can be replaced at any time. Your auth infrastructure should serve you, not trap you.


πŸš€ How It Works

  1. User tries to log in β†’ WedgeAuth shows a login page (or you bring your own UI)
  2. User submits credentials β†’ WedgeAuth calls your HTTP user provider endpoint to validate
  3. Your system validates β†’ Returns user data (username, email, roles, etc.)
  4. WedgeAuth issues tokens β†’ JWT access tokens signed with your RSA keys
  5. Your apps verify tokens β†’ Using the public JWKS endpoint

No user data is stored in WedgeAuth. It's a pure authorization layer that delegates authentication to your existing systems.


✨ What WedgeAuth Does (Now)

πŸ”‘ Core OAuth 2.1 / OpenID Connect

  • βœ… Authorization Code flow with PKCE required by default
  • βœ… OpenID Connect support
  • βœ… JWT access tokens (asymmetric RSA signing only)
  • βœ… JWKS endpoint for token verification
  • βœ… Token introspection
  • βœ… Token revocation
  • βœ… Logout with OIDC RP-Initiated Logout support

πŸ‘€ Headless User Authentication

  • βœ… HTTP-based user providers β€” integrate with any user system via REST API
  • βœ… No local user database required
  • βœ… Custom user model mapping via YAML
  • βœ… User metadata mapped into JWT claims
  • βœ… Per-client user provider configuration

πŸ” Multi-Factor Authentication (MFA)

  • βœ… TOTP-based MFA (Time-based One-Time Passwords)
  • βœ… QR code generation for authenticator apps
  • βœ… MFA enrollment flow
  • βœ… MFA verification during login
  • βœ… Per-user MFA configuration

🧠 Session Management

  • βœ… Redis-backed sessions (recommended for production)
  • βœ… In-memory sessions (default, for development)
  • βœ… Configurable session TTL
  • βœ… Distributed session support for multi-instance deployments

🧩 OAuth Client Management

  • βœ… YAML-based client configuration (default, no database needed)
  • βœ… Database-backed clients (PostgreSQL, MySQL 8.0+, SQL Server 2012+)
  • βœ… Public and confidential clients
  • βœ… PKCE enforcement for public clients
  • βœ… Configurable redirect URIs and scopes
  • βœ… Client secret bcrypt hashing
  • βœ… Multi-tenant support (experimental)

πŸ–₯️ Customizable Login UI

  • βœ… Built-in Thymeleaf templates with i18n support
  • βœ… Fully customizable login UI β€” bring your own HTML/CSS/JS
  • βœ… Multiple pre-built themes available
  • βœ… External static file serving
  • βœ… See docs/CUSTOM_LOGIN_TUTORIAL.md for details

βš™οΈ Configuration-First Design

  • βœ… YAML or environment variable configuration
  • βœ… No database required by default
  • βœ… Configurable JWT key management (runtime or file-based)
  • βœ… Extensive environment variable support
  • βœ… See docs/environment-variables.md for all options

🚧 What's In Progress

🌐 Social Login

Status: Planned, not yet implemented

When implemented, this will:

  • Allow OAuth login via Google, GitHub, Microsoft, etc.
  • Be fully configurable via YAML or environment variables
  • Map external provider data to your user model
  • WedgeAuth will remain the token issuer (no vendor lock-in)

πŸ›‘οΈ Additional Features (Planned)

  • ⏳ Audit logging for compliance
  • ⏳ Admin UI for client/user management
  • ⏳ Rate limiting and brute-force protection

🚫 What WedgeAuth Does NOT Do

WedgeAuth is not a complete identity platform. It deliberately does not:

  • ❌ Store or manage users (you own your users)
  • ❌ Store passwords (your user provider does that)
  • ❌ Act as a resource server
  • ❌ Support legacy flows (Implicit, Password Grant)
  • ❌ Support symmetric (HMAC) JWT signing

This is by design. WedgeAuth is a focused authorization server that integrates with your existing systems.


🎯 Design Principles

  • No vendor lock-in β€” Own your auth, own your users, own your data
  • Headless by design β€” Integrate with any frontend or user system
  • Secure by default β€” PKCE required, asymmetric signing, bcrypt hashing
  • Configuration over code β€” YAML-driven setup, minimal boilerplate
  • Progressive complexity β€” Start simple (no DB), scale when needed (Redis, DB)
  • Hexagonal architecture β€” Domain logic independent of frameworks
  • Production-ready β€” Built on Spring Authorization Server with enterprise patterns

πŸ“š Documentation


πŸš€ Quick Start

Run first, customize later.

Option 1: Docker (Recommended)

See docs/deployment-guide.md for complete examples with PostgreSQL, Redis, and various configuration modes.

Option 2: Build from Source

cd infrastructure
./gradlew bootJar
java -jar build/libs/wedge-authorization-server-*.jar

Default endpoints:

  • Authorization: http://localhost:9000/oauth2/authorize
  • Token: http://localhost:9000/oauth2/token
  • JWKS: http://localhost:9000/oauth2/jwks
  • Login: http://localhost:9000/login

πŸ“¦ Technology Stack

  • Java 25 (LTS)
  • Spring Boot 4.0.1
  • Spring Authorization Server
  • Redis (optional, for distributed sessions)
  • PostgreSQL / MySQL / SQL Server (optional, for client storage)
  • Thymeleaf

πŸ§ͺ Ideal Use Cases

  • βœ… SPA authentication (Authorization Code + PKCE)
  • βœ… Internal authentication infrastructure
  • βœ… Microservice ecosystems
  • βœ… Teams that already own user data
  • βœ… Headless-first systems
  • βœ… Organizations avoiding vendor lock-in

πŸ“„ License

AGPLv3 License

This means:

  • βœ… Free to use, modify, and distribute
  • βœ… Source code must remain open if you modify and distribute
  • βœ… Network use triggers copyleft (if you run a modified version as a service, you must share your changes)

We chose AGPLv3 to prevent vendor lock-in at the license level too. Your auth should be open and auditable.


🧠 TL;DR

WedgeAuth authenticates users and issues tokens.
You own your users. You own your data. No lock-in.


Built with ❀️ by the KuneiForm Team

GitHub

About

Headless OAuth 2.1 / OpenID Connect authorization server

Resources

License

Stars

Watchers

Forks

Packages

 
 
 

Contributors