Ballerina library

oauth2

Module oauth2

Overview

API

ClientOAuth2ProviderListenerOAuth2Provider

Declarations

INFER_REFRESH_CONFIG

CredentialBearer
HttpVersion

Definitions

CertKey
ClientConfiguration
ClientCredentialsGrantConfig
IntrospectionConfig
IntrospectionResponse
JwtBearerGrantConfig
PasswordGrantConfig
RefreshConfig
RefreshTokenGrantConfig
SecureSocket

Error

ClientAuth
GrantConfig

ballerina/oauth2 Ballerina library

2.13.0

Overview

This module provides a framework for interacting with OAuth2 authorization servers as specified in the RFC 6749 and RFC 7662.

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service or by allowing the third-party application to obtain access on its own behalf.

The Ballerina oauth2 module facilitates auth providers that are to be used by the clients and listeners of different protocol connectors.

Listener OAuth2 provider

Represents the listener OAuth2 provider, which is used to validate the received credential (access token) by calling the configured OAuth2 introspection endpoint.

Client OAuth2 provider

Represents the client OAuth2 provider, which is used to generate OAuth2 access tokens using the configured OAuth2 token endpoint configurations. This supports the client credentials grant type, password grant type, and refresh token grant type.

Classes

oauth2: ClientOAuth2Provider

Isolated

Represents the client OAuth2 provider, which is used to generate OAuth2 access tokens using the configured OAuth2 token endpoint configurations. This supports the client credentials grant type, password grant type, refresh token grant type, and the JWT bearer grant type.

  1. Client Credentials Grant Type
Copy
oauth2:ClientOAuth2Provider provider = new({
    tokenUrl: "https://localhost:9445/oauth2/token",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});
  1. Password Grant Type
Copy
oauth2:ClientOAuth2Provider provider = new({
    tokenUrl: "https://localhost:9445/oauth2/token",
    username: "johndoe",
    password: "A3ddj3w",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});
  1. Refresh Token Grant Type
Copy
oauth2:ClientOAuth2Provider provider = new({
    refreshUrl: "https://localhost:9445/oauth2/token",
    refreshToken: "XlfBs91yquexJqDaKEMzVg==",
    clientId: "3MVG9YDQS5WtC11paU2WcQjBB3L",
    clientSecret: "9205371918321623741",
    scopes: ["token-scope1", "token-scope2"]
});

Constructor

Provides authorization based on the provided OAuth2 configurations.

init (GrantConfig grantConfig)
  • grantConfig GrantConfig OAuth2 grant type configurations

generateToken

Isolated Function
function generateToken() returns string|Error

Get an OAuth2 access token from the token endpoint.

Copy
string token = check provider.generateToken();
Return Type
  • string|ErrorReceived OAuth2 access token or else an oauth2:Error if an error occurred

oauth2: ListenerOAuth2Provider

Isolated

Represents the listener OAuth2 provider, which is used to validate the received credential (access token) by calling the configured introspection endpoint.

Copy
oauth2:IntrospectionConfig config = {
    url: "https://localhost:9196/oauth2/token/introspect"
};
oauth2:ListenerOAuth2Provider provider = new(config);

Constructor

Provides authorization based on the provided introspection configurations.

init (IntrospectionConfig introspectionConfig)

authorize

Isolated Function
function authorize(string credential, map<string>? optionalParams) returns IntrospectionResponse|Error

Validates the provided OAuth2 acess token against the introspection endpoint.

Copy
boolean result = check provider.authorize("<credential>");
Parameters
  • credential stringOAuth2 access token to be validated
  • optionalParams map<string>? (default ())Map of the optional parameters used for the introspection endpoint
Return Type
  • IntrospectionResponse|ErrorAn oauth2:IntrospectionResponse if the validation is successful or else an oauth2:Error if an error occurred

Constants

oauth2: INFER_REFRESH_CONFIG

string "INFER_REFRESH_CONFIG"

Constant used to infer the values of refreshConfig from values provided for PasswordGrantConfig.

Enums

oauth2: CredentialBearer

Represents the credential-bearing methods.

Members

AUTH_HEADER_BEARER
POST_BODY_BEARER

oauth2: HttpVersion

Represents the HTTP versions.

Members

HTTP_1_1
HTTP_2

Records

oauth2: CertKey

Closed record

Represents the combination of the certificate file path, private key file path, and private key password if encrypted.

Fields
  • certFile string - A file containing the certificate
  • keyFile string - A file containing the private key
  • keyPassword? string - Password of the private key (if encrypted)

oauth2: ClientConfiguration

Closed record

Represents the configurations of the client used to call the introspection endpoint.

Fields
  • httpVersion HttpVersion(default HTTP_1_1) - The HTTP version of the client
  • customHeaders? map<string> - The list of custom HTTP headers
  • customPayload? string - The list of custom HTTP payload parameters

oauth2: ClientCredentialsGrantConfig

Closed record

Represents the data structure, which is used to configure the OAuth2 client credentials grant type.

Fields
  • tokenUrl string - Token URL of the token endpoint
  • clientId string - Client ID of the client authentication
  • clientSecret string - Client secret of the client authentication
  • defaultTokenExpTime decimal(default 3600) - Expiration time (in seconds) of the tokens if the token endpoint response does not contain an expires_in field
  • clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems
  • optionalParams? map<string> - Map of the optional parameters used for the token endpoint
  • credentialBearer CredentialBearer(default AUTH_HEADER_BEARER) - Bearer of the authentication credentials, which is sent to the token endpoint
  • clientConfig ClientConfiguration(default {}) - HTTP client configurations, which are used to call the token endpoint

oauth2: IntrospectionConfig

Represents the introspection endpoint configurations.

Fields
  • url string - URL of the introspection endpoint
  • tokenTypeHint? string - A hint about the type of the token submitted for introspection
  • optionalParams? map<string> - Map of the optional parameters used for the introspection endpoint
  • cacheConfig? CacheConfig - Configurations for the cache used to store the OAuth2 access token and other related information
  • defaultTokenExpTime decimal(default 3600) - Expiration time (in seconds) of the tokens if the introspection response does not contain an exp field
  • clientConfig ClientConfiguration(default {}) - HTTP client configurations, which call the introspection endpoint

oauth2: IntrospectionResponse

Represents the introspection endpoint response.

Fields
  • active boolean - Boolean indicator of whether or not the presented token is currently active
  • scope? string - A JSON string containing a space-separated list of scopes associated with this token
  • clientId? string - Client identifier for the OAuth 2.0 client, which requested this token
  • username? string - Resource owner who authorized this token
  • tokenType? string - Type of the token
  • exp? int - Expiry time (seconds since the Epoch)
  • iat? int - Time when the token was issued originally (seconds since the Epoch)
  • nbf? int - Token is not to be used before this time (seconds since the Epoch)
  • sub? string - Subject of the token
  • aud? string - Intended audience of the token
  • iss? string - Issuer of the token
  • jti? string - String identifier for the token

oauth2: JwtBearerGrantConfig

Closed record

Represents the data structure, which is used to configure the OAuth2 JWT bearer grant type.

Fields
  • tokenUrl string - Token URL of the token endpoint
  • assertion string - A single JWT for the JWT bearer grant type
  • clientId? string - Client ID of the client authentication
  • clientSecret? string - Client secret of the client authentication
  • defaultTokenExpTime decimal(default 3600) - Expiration time (in seconds) of the tokens if the token endpoint response does not contain an expires_in field
  • clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems
  • optionalParams? map<string> - Map of the optional parameters used for the token endpoint
  • credentialBearer CredentialBearer(default AUTH_HEADER_BEARER) - Bearer of the authentication credentials, which is sent to the token endpoint
  • clientConfig ClientConfiguration(default {}) - HTTP client configurations, which are used to call the token endpoint

oauth2: PasswordGrantConfig

Closed record

Represents the data structure, which is used to configure the OAuth2 password grant type.

Fields
  • tokenUrl string - Token URL of the token endpoint
  • username string - Username for the password grant type
  • password string - Password for the password grant type
  • clientId? string - Client ID of the client authentication
  • clientSecret? string - Client secret of the client authentication
  • defaultTokenExpTime decimal(default 3600) - Expiration time (in seconds) of the tokens if the token endpoint response does not contain an expires_in field
  • clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems
  • optionalParams? map<string> - Map of the optional parameters used for the token endpoint
  • credentialBearer CredentialBearer(default AUTH_HEADER_BEARER) - Bearer of the authentication credentials, which is sent to the token endpoint
  • clientConfig ClientConfiguration(default {}) - HTTP client configurations, which are used to call the token endpoint

oauth2: RefreshConfig

Closed record

Represents the data structure, which is used for refresh configuration of the OAuth2 password grant type.

Fields
  • refreshUrl string - Refresh token URL of the token endpoint
  • scopes? string|string[] - Scope(s) of the referesh token request
  • optionalParams? map<string> - Map of the optional parameters used for the token endpoint
  • credentialBearer CredentialBearer(default AUTH_HEADER_BEARER) - Bearer of the authentication credential, which is sent to the token endpoint
  • clientConfig ClientConfiguration(default {}) - HTTP client configuration, which is used to call the refresh token endpoint

oauth2: RefreshTokenGrantConfig

Closed record

Represents the data structure, which is used to configure the OAuth2 refresh token grant type.

Fields
  • refreshUrl string - Refresh token URL of the token endpoint
  • refreshToken string - Refresh token for the token endpoint
  • clientId string - Client ID of the client authentication
  • clientSecret string - Client secret of the client authentication
  • defaultTokenExpTime decimal(default 3600) - Expiration time (in seconds) of the tokens if the token endpoint response does not contain an expires_in field
  • clockSkew decimal(default 0) - Clock skew (in seconds) that can be used to avoid token validation failures due to clock synchronization problems
  • optionalParams? map<string> - Map of the optional parameters used for the token endpoint
  • credentialBearer CredentialBearer(default AUTH_HEADER_BEARER) - Bearer of the authentication credentials, which is sent to the token endpoint
  • clientConfig ClientConfiguration(default {}) - HTTP client configurations, which are used to call the token endpoint

oauth2: SecureSocket

Closed record

Represents the SSL/TLS configurations.

Fields
  • disable boolean(default false) - Disable SSL validation
  • cert? TrustStore|string - Configurations associated with the crypto:TrustStore or single certificate file that the client trusts
  • key? KeyStore|CertKey - Configurations associated with the crypto:KeyStore or combination of certificate and private key of the client

Errors

oauth2: Error

Distinct

Represents the error type of the module. This will be returned if an error occurred while the listener OAuth2 provider tries to validate the received credentials and the client OAuth2 provider tries to generate the token.

Union types

oauth2: ClientAuth

ClientCredentialsGrantConfig|PasswordGrantConfig|RefreshTokenGrantConfig

ClientAuth

Represents the the authentication configuration types for the HTTP client used for token introspection.

oauth2: GrantConfig

ClientCredentialsGrantConfig|PasswordGrantConfig|RefreshTokenGrantConfig|JwtBearerGrantConfig

GrantConfig

Represents the grant type configurations supported for OAuth2.

Import

import ballerina/oauth2;Copy

Metadata

Released date: 14 days ago

Version: 2.13.0

License: Apache-2.0

Compatibility

Platform: java21

Ballerina version: 2201.11.0

GraalVM compatible: Yes

Pull count

Total: 671119

Current verison: 525

Weekly downloads

Source repository

Keywords

security

authorization

introspection

Contributors

Other versions

2.13.0

2.12.02.11.02.10.02.9.0
See more...

Dependencies

ballerina/time/2.6.0ballerina/url/2.5.0ballerina/crypto/2.8.0
See more...

Dependents

ballerina/http/2.13.0ballerina/websocket/2.13.0ballerina/grpc/1.13.0
See more...

Terms of service

Privacy policy

Cookie policy

Delete policy

© 2025 WSO2 LLC