Abstrauth is a lightweight OAuth 2.0 Authorization Server and OpenID Connect Provider with federated identity support, designed to serve multiple client applications using the Backend For Frontend (BFF) pattern.
Abstrauth functions as:
- OAuth 2.0 Authorization Server - Implements Authorization Code Flow with PKCE (RFC 6749, RFC 7636) for confidential clients only
- OpenID Connect Provider - Issues JWT tokens with OpenID Connect claims (`openid`, `profile`, `email` scopes)
- Identity Provider (IdP) - Provides native username/password authentication
- Identity Broker - Federates authentication with external IdPs (Google, Microsoft, GitHub)
- Identity and Access Management (IAM) - Manages user accounts, roles, and client applications
- Backend For Frontend (BFF) Architecture - All clients MUST be confidential clients using a backend to handle OAuth flows
- JWT-based authentication - Tokens signed with PS256 using public/private key pairs for stateless verification
- HTTP-only encrypted cookies - Tokens are kept in encrypted HttpOnly cookies, so they are never readable from JavaScript and cannot be exfiltrated by an XSS payload reading `document.cookie`
- Federated login - Users can authenticate via an external IdP such as Google, or with native credentials
- Multi-tenancy - Single server instance serves multiple client applications with role-based access control (RBAC)
- Self-hosted admin UI - Angular-based management interface secured by Abstrauth itself using BFF pattern
- Security hardened - PKCE required, confidential clients only, HTTP-only cookies, CSRF protection, rate limiting, CSP headers
Security Architecture:
- Tokens are stored in encrypted HTTP-only cookies (never accessible to JavaScript)
- PKCE is REQUIRED for all authorization requests
- Only confidential clients are supported (public clients are rejected)
- Follows the IETF "OAuth 2.0 for Browser-Based Apps" guidance, which recommends keeping tokens out of the browser by handling the OAuth flow in a backend (the BFF pattern)
Abstrauth uses itself as an authorization server for users signing into the admin UI, demonstrating the BFF pattern in practice.
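What a BFF has to do against the flow described above, shown as an added example written for this README. It is not Abstrauth's own code and not its admin UI; the BFF language (Python, standard library only), the endpoint paths, the client ID, the client secret and the cookie name are assumed placeholders. The block generates the PKCE pair and `state`/`nonce`, builds the authorization request, validates the redirect back (rejecting a mismatched `state`), assembles the confidential-client token request with the stored `code_verifier`, and emits the HttpOnly/Secure/SameSite cookie the BFF hands to the browser. `verify_pkce` is the S256 check the authorization server performs at the token endpoint, included so the two halves can be tested together.

```python
"""BFF-side Authorization Code + PKCE helper (added example, not Abstrauth code)."""
import base64
import hashlib
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder endpoints; take the real ones from your Abstrauth deployment.
ISSUER = "https://auth.example.com"
AUTHORIZE_ENDPOINT = f"{ISSUER}/oauth2/authorize"
TOKEN_ENDPOINT = f"{ISSUER}/oauth2/token"


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method.

    32 random bytes encode to 43 characters, the RFC 7636 minimum verifier length.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server runs at the token endpoint (S256)."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorization_request(client_id, redirect_uri,
                                scopes=("openid", "profile", "email")):
    """Return the authorize URL plus the per-login data the BFF must keep server-side."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))   # binds the callback to this session (CSRF)
    nonce = b64url(secrets.token_bytes(16))   # echoed in the ID token; check it after exchange
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"
    # Stored in the BFF's own session store; never sent to the browser.
    pending = {"state": state, "nonce": nonce, "code_verifier": verifier,
               "code_challenge": challenge, "redirect_uri": redirect_uri}
    return url, pending


def handle_callback(callback_url, pending, client_id, client_secret):
    """Validate the redirect from the AS and return the token-endpoint form body.

    Raises ValueError for an error response, a missing code, or a state mismatch.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), pending["state"].encode()):
        raise ValueError("state mismatch (possible CSRF or stale session)")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # Confidential client: the secret lives only in the BFF, never in browser code.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": pending["code_verifier"],
    }


def session_cookie(name, value, max_age):
    """Set-Cookie value for the BFF session: unreadable from JS, HTTPS only, SameSite."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = True
    c[name]["secure"] = True
    c[name]["samesite"] = "Lax"
    c[name]["path"] = "/"
    c[name]["max-age"] = max_age
    return c[name].OutputString()


if __name__ == "__main__":
    url, pending = build_authorization_request("bff-client", "https://app.example.com/callback")
    print(url)
    form = handle_callback(f"https://app.example.com/callback?code=abc&state={pending['state']}",
                           pending, "bff-client", "s3cret")
    print(form["code_verifier"] == pending["code_verifier"])
    print(session_cookie("bff_session", "opaque-session-id", 3600))
```

Note that the browser only ever sees the opaque `bff_session` cookie; the access and ID tokens the BFF obtains from `TOKEN_ENDPOINT` with the returned form stay in the BFF's session store, which is the property the Security Architecture section above relies on. The `nonce` kept in `pending` must still be compared against the `nonce` claim of the returned ID token.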
🔒 Found a security vulnerability? Please read our Security Policy for responsible disclosure guidelines.
For information about the security implementation and features, see SECURITY_DESIGN.md.
- User Guide
- OAuth 2.0 Authorization Flows
- Federated Login
- Database
- Native Image Build
- Why do I need to implement a BFF?
See User Guide
See TODO.md
The favicon was generated with https://favicon.io/favicon-generator/ (text based) using these settings:
- Text: a
- Background: rounded
- Font Family: Leckerli One
- Font Variant: Regular 400 Normal
- Font Size: 110
- Font Color: #FFFFFF
- Background Color: #5c6bc0