[![downloads](https://img.shields.io/hexpm/dt/boruta)](https://hex.pm/packages/boruta)
![continuous integration](https://github.com/malach-it/boruta_auth/actions/workflows/elixir.yml/badge.svg)
[![coverage Status](https://coveralls.io/repos/malach-it/boruta_auth/badge.svg?branch=master)](https://coveralls.io/r/malach-it/boruta_auth?branch=master)
![Logo](https://github.com/malach-it/boruta_auth/raw/master/images/logo-yellow.png)
# Boruta OAuth/OpenID Connect provider core
Boruta is the core of an OAuth 2.0 and OpenID Connect provider, implementing the corresponding business rules. This library also provides a generator that creates Phoenix controllers, views and templates so that a basic provider is up and running quickly.
As such, a provider implemented with Boruta aims to follow these RFCs:
- [RFC 6749 - The OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
- [RFC 7662 - OAuth 2.0 Token Introspection](https://tools.ietf.org/html/rfc7662)
- [RFC 7009 - OAuth 2.0 Token Revocation](https://tools.ietf.org/html/rfc7009)
- [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients](https://tools.ietf.org/html/rfc7636)
- [RFC 7521 - Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants](https://www.rfc-editor.org/rfc/rfc7521)
- [RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants](https://tools.ietf.org/html/rfc7523)
- [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop)
- [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://datatracker.ietf.org/doc/html/rfc9126)
And these specifications from the OpenID Foundation:
- [OpenID Connect core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
- [OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-registration-1_0.html)
- [OpenID for Verifiable Credential Issuance - draft 11/13](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html)
- [Self-Issued OpenID Provider v2 - draft 13](https://openid.net/specs/openid-connect-self-issued-v2-1_0.html)
- [OpenID for Verifiable Presentations - draft 21](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html)
This package is meant to help bring authorization into Elixir applications. With it, you can perform part or all of the authorization code, implicit, hybrid, client credentials, or resource owner password credentials grant flows. It also helps with introspecting and revoking tokens.
## Documentation
Master branch documentation can be found [here](https://github.com/malach-it/boruta_auth/blob/master/README.md)
Stable documentation is hosted on [hexdocs.pm](https://hexdocs.pm/boruta/api-reference.html)
## Integration example
An example of integration can be found [here](https://github.com/patatoid/boruta_example); it follows the integration steps described in the Guides section below.
## OpenID Certification
This package has successfully passed the basic, implicit and hybrid OpenID Profile certifications as of May 7th, 2022 for its version [2.1.2](https://hex.pm/packages/boruta/2.1.2). This certification was performed with the sample server linked above.
![OpenID Certification watermark](https://github.com/malach-it/boruta_auth/raw/master/images/oid-certification-mark.png)
## Guides
Here are some guides to help with the integration of OAuth/OpenID Connect into your systems:
- [Basic OAuth/OpenID Connect provider integration](guides/provider_integration.md)
- [How to create an OAuth client](guides/create_client.md)
- [Client request authorization](guides/authorize_requests.md)
- [Notes about confidential clients](guides/confidential_clients.md)
- [Notes about PKCE](guides/pkce.md)
## Feedback
This is a work in progress; all feedback, feature requests and improvements are welcome.
## Code of Conduct
This project's community follows the code of conduct available [here](https://io.malach.it/code-of-conduct.html).
## License
This code is released under the [MIT](LICENSE.md) license.