WedgeAuth is a headless OAuth 2.1 / OpenID Connect authorization server built on Spring Boot 4.0.1 and Spring Authorization Server.
WedgeAuth is an authorization server, not an identity system.
You own your users. You own your data. No vendor lock-in.
WedgeAuth is designed for teams that:
- Already have their own user database
- Want OAuth 2.1 / OIDC without the complexity
- Need a secure, production-ready auth server without vendor lock-in
- Prefer configuration over code
We don't believe in locking you into our ecosystem. WedgeAuth integrates with your existing user system via HTTP, doesn't store your users, and can be replaced at any time. Your auth infrastructure should serve you, not trap you.
- User tries to log in → WedgeAuth shows a login page (or you bring your own UI)
- User submits credentials → WedgeAuth calls your HTTP user provider endpoint to validate
- Your system validates → Returns user data (username, email, roles, etc.)
- WedgeAuth issues tokens → JWT access tokens signed with your RSA keys
- Your apps verify tokens → Using the public JWKS endpoint
No user data is stored in WedgeAuth. It's a pure authorization layer that delegates authentication to your existing systems.
- Authorization Code flow with PKCE required by default
- OpenID Connect support
- JWT access tokens (asymmetric RSA signing only)
- JWKS endpoint for token verification
- Token introspection
- Token revocation
- Logout with OIDC RP-Initiated Logout support
- HTTP-based user providers: integrate with any user system via REST API
- No local user database required
- Custom user model mapping via YAML
- User metadata mapped into JWT claims
- Per-client user provider configuration
- TOTP-based MFA (Time-based One-Time Passwords)
- QR code generation for authenticator apps
- MFA enrollment flow
- MFA verification during login
- Per-user MFA configuration
- Redis-backed sessions (recommended for production)
- In-memory sessions (default, for development)
- Configurable session TTL
- Distributed session support for multi-instance deployments
- YAML-based client configuration (default, no database needed)
- Database-backed clients (PostgreSQL, MySQL 8.0+, SQL Server 2012+)
- Public and confidential clients
- PKCE enforcement for public clients
- Configurable redirect URIs and scopes
- Client secret bcrypt hashing
- Multi-tenant support (experimental)
- Built-in Thymeleaf templates with i18n support
- Fully customizable login UI: bring your own HTML/CSS/JS
- Multiple pre-built themes available
- External static file serving
- See docs/CUSTOM_LOGIN_TUTORIAL.md for details
- YAML or environment variable configuration
- No database required by default
- Configurable JWT key management (runtime or file-based)
- Extensive environment variable support
- See docs/environment-variables.md for all options
Status: Planned, not yet implemented
When implemented, this will:
- Allow OAuth login via Google, GitHub, Microsoft, etc.
- Be fully configurable via YAML or environment variables
- Map external provider data to your user model
- WedgeAuth will remain the token issuer (no vendor lock-in)
- Audit logging for compliance (planned)
- Admin UI for client/user management (planned)
- Rate limiting and brute-force protection (planned)
WedgeAuth is not a complete identity platform. It deliberately does not:
- Store or manage users (you own your users)
- Store passwords (your user provider does that)
- Act as a resource server
- Support legacy flows (Implicit, Password Grant)
- Support symmetric (HMAC) JWT signing
This is by design. WedgeAuth is a focused authorization server that integrates with your existing systems.
- No vendor lock-in: Own your auth, own your users, own your data
- Headless by design: Integrate with any frontend or user system
- Secure by default: PKCE required, asymmetric signing, bcrypt hashing
- Configuration over code: YAML-driven setup, minimal boilerplate
- Progressive complexity: Start simple (no DB), scale when needed (Redis, DB)
- Hexagonal architecture: Domain logic independent of frameworks
- Production-ready: Built on Spring Authorization Server with enterprise patterns
- Deployment Guide: Get it running easily with Docker
- Docker Compose Examples: Ready-to-use configurations
- Environment Variables: Complete configuration reference
- Custom Login Tutorial: Customize the login UI
- PKCE Testing Guide: Manual OAuth 2.1 PKCE flow testing
- RSA Key Generation: Generate production JWT signing keys
- MFA User Guide: Multi-factor authentication setup
- MFA Architecture: Technical MFA implementation details
- Logout Usage: OIDC logout flow documentation
Run first, customize later.
See docs/deployment-guide.md for complete examples with PostgreSQL, Redis, and various configuration modes.
```bash
cd infrastructure
./gradlew bootJar
java -jar build/libs/wedge-authorization-server-*.jar
```

Default endpoints:
- Authorization: http://localhost:9000/oauth2/authorize
- Token: http://localhost:9000/oauth2/token
- JWKS: http://localhost:9000/oauth2/jwks
- Login: http://localhost:9000/login
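As an added example (not code from the WedgeAuth repository), the following Python shows the PKCE S256 exchange that WedgeAuth requires by default, against the default endpoints listed above: the client derives the challenge and keeps the verifier local, and `server_check` mirrors the comparison an authorization server must perform at the token endpoint. The client id, redirect URI and the verifier-length bounds are assumptions for illustration; the endpoint URLs are the page's defaults.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Default WedgeAuth endpoints from the quick start above.
AUTHORIZE_URL = "http://localhost:9000/oauth2/authorize"
TOKEN_URL = "http://localhost:9000/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Random code_verifier: 32 bytes -> 43 unreserved chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Client side, step 1: only the challenge leaves the client; the verifier stays local."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state,
        "code_challenge": challenge_s256(verifier), "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Client side, step 2: the verifier is sent only now, as form fields POSTed to TOKEN_URL."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}


def server_check(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side at the token endpoint: recompute the challenge stored with the code.
    'plain' is rejected because an intercepted authorization request would then reveal the
    verifier; the constant-time comparison avoids leaking the match position through timing."""
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(challenge_s256(presented_verifier), stored_challenge)
```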
- Java 25 (LTS)
- Spring Boot 4.0.1
- Spring Authorization Server
- Redis (optional, for distributed sessions)
- PostgreSQL / MySQL / SQL Server (optional, for client storage)
- Thymeleaf
- SPA authentication (Authorization Code + PKCE)
- Internal authentication infrastructure
- Microservice ecosystems
- Teams that already own user data
- Headless-first systems
- Organizations avoiding vendor lock-in
AGPLv3 License
This means:
- Free to use, modify, and distribute
- Source code must remain open if you modify and distribute
- Network use triggers copyleft (if you run a modified version as a service, you must share your changes)
We chose AGPLv3 to prevent vendor lock-in at the license level too. Your auth should be open and auditable.
WedgeAuth authenticates users and issues tokens.
You own your users. You own your data. No lock-in.
Built with ❤️ by the KuneiForm Team