中文文档 · Documentation · Quick start · Security
Nazo Auth Server is a self-hosted OAuth 2.x / OAuth 2.1-aligned and OpenID Connect authorization server written in Rust. It is built for same-origin deployments where the issuer, browser UI, passkeys, CORS, cookies, and protocol endpoints share one public origin.
The project includes the authorization server, a compact identity/admin surface, local signing key management, WebAuthn/passkeys, MFA, SCIM, and Rust resource-server verification libraries. Modular external-provider login is tracked in the future roadmap rather than advertised as a current default capability. It uses PostgreSQL for durable state and Valkey for short-lived protocol state.
| Item | Value |
|---|---|
| Package | nazo-oauth-server |
| Version | 0.1.0 |
| License | AGPL-3.0-or-later |
| Language | Rust 2024 |
| Runtime services | PostgreSQL, Valkey |
| Certified public issuer | https://auth.nazo.run |
| Default deployment model | same-origin |
Project quality is tracked through direct, auditable checks rather than a composite score:
| Signal | Evidence |
|---|---|
| Rust quality gate | cargo fmt --check, cargo check --workspace --all-targets --all-features --locked, cargo clippy -D warnings, migrations, and library tests in code-quality. |
| Static security analysis | CodeQL Rust analysis with security-extended and security-and-quality queries. |
| Dependency policy | GitHub dependency review, cargo audit, and cargo deny over advisories, bans, licenses, and sources. |
| Runtime security behavior | Real HTTP E2E, load/race gate, and Valkey outage injection in conformance-security. |
| Protocol conformance | OIDF/FAPI conformance workflows and archived official 21-plan matrix evidence. |
| Coverage trend | Codecov LCOV upload from the dedicated coverage workflow. |
| Release provenance | CycloneDX SBOM, Trivy image scan, Sigstore signing, and GitHub artifact attestations. |
Nazo Auth Server implements the core standards expected from a modern authorization server. Compatibility exceptions are documented instead of hidden behind discovery metadata.
IETF and RFCs:
| Standard | Implementation |
|---|---|
| RFC 7009, Token Revocation | /revoke |
| RFC 7523, JWT Client Authentication and JWT Bearer Grant | private_key_jwt and client-bound JWT bearer grant |
| RFC 7636, PKCE | S256 PKCE |
| RFC 7662, Token Introspection | /introspect |
| RFC 8252, OAuth 2.0 for Native Apps | public native-app redirect URI policy: claimed HTTPS, private-use schemes, and loopback HTTP with port variance |
| RFC 8414, Authorization Server Metadata | /.well-known/oauth-authorization-server |
| RFC 8628, Device Authorization Grant | /device_authorization, /device, and device_code token grant behind ENABLE_DEVICE_AUTHORIZATION_GRANT |
| RFC 8693, Token Exchange | bounded local access-token exchange for clients registered with urn:ietf:params:oauth:grant-type:token-exchange |
| RFC 8705, OAuth 2.0 mTLS | mTLS client auth and sender-constrained tokens |
| RFC 8707, Resource Indicators | authorization/PAR/token resource handling with JWT aud binding and refresh-token audience narrowing |
| RFC 9068, JWT Access Tokens | JWT access-token shape for resource servers |
| RFC 9101, JAR | signed request objects where enabled |
| RFC 9126, PAR | /par |
| RFC 9396, Rich Authorization Requests | behind ENABLE_AUTHORIZATION_DETAILS |
| RFC 9449, DPoP | proof validation and sender-constrained tokens |
| RFC 9700, OAuth 2.0 Security BCP | code-only authorization responses, no password or implicit grants, PKCE, redirect URI binding, bearer-token protections, and sender-constrained-token hardening |
| RFC 9701, JWT Response for OAuth Token Introspection | profile-gated signed and nested encrypted introspection responses |
| RFC 9728, Protected Resource Metadata | /.well-known/oauth-protected-resource and /.well-known/oauth-protected-resource/fapi/resource |
| OAuth 2.1 draft direction | OAuth 2.1-style defaults with explicit compatibility switches |
OpenID Foundation:
| Specification | Implementation |
|---|---|
| OpenID Connect Core 1.0 | ID Token, JSON/signed/encrypted UserInfo, claims, authorization code flow |
| OpenID Connect Discovery 1.0 | /.well-known/openid-configuration |
| OpenID Connect RP-Initiated Logout 1.0 | /logout |
| OpenID Connect Back-Channel Logout 1.0 | signed logout tokens with durable outbox delivery |
| JWT Secured Authorization Response Mode | signed JARM and optional per-client nested JWE where the request/profile selects JARM |
| FAPI 2.0 Security Profile Final | fapi2-security profile |
| FAPI 2.0 Message Signing Final | signed authorization request, JARM, and signed introspection profile support |
Other protocol surfaces:
| Standard | Implementation |
|---|---|
| SCIM 2.0 provisioning with RFC 9865 / RFC 9967 capability discovery | default-tenant user provisioning; index pagination remains the default and forward cursor pagination uses opaque 10-minute actor/query-bound cursors; RFC 9967 Security Events remain disabled |
| WebAuthn | passkey registration and login |
Emerging protocols are tracked through the M8 watchlist governance review. That review records product and conformance entry gates; it does not claim runtime support for the deferred candidates.
Nazo Auth Server is listed by the OpenID Foundation as
Nazo Auth Server 0.1.0, dated 09-Jun-2026.
- OpenID Connect Certified providers
- Certified OpenID Provider profiles
- Certified FAPI 2.0 OP Security Profile Final and Message Signing Final
OpenID Foundation Conformance Suite result URLs:
| Result | URL |
|---|---|
| OIDC Basic OP | https://www.certification.openid.net/plan-detail.html?plan=Srk6iaVDVcqO5 |
| OIDC Config OP | https://www.certification.openid.net/plan-detail.html?plan=fGiz8QZYR1LVy |
| Latest 21-plan official matrix | docs/conformance/2026-07-11-m7-official-encrypted-responses-oidf-results.md |
| OIDF matrix scope | docs/conformance/oidf-full-matrix.md |
| Latest private full-matrix regression | docs/conformance/2026-07-01-tp-ps-full-matrix.md |
The latest official full matrix tested https://auth.nazo.run from workflow
head SHA 371b4f6e61674c4d1bd9ace7ba5b518314c8ff0f. It ran the 21-plan matrix in
the 19+2 parallel-isolated layout and exported 640 modules: 632 passed, 6
expected review states, 2 expected skips, and no failed module, condition
failure, or warning. It is therefore not zero-SKIPPED evidence.
The latest private full-matrix regression tested runtime commit 31e8f9f, ran
all 16 plans and 578 modules, and reported 0 failures and 0 warnings.
- Authorization code + PKCE, refresh tokens, client credentials, bounded JWT bearer grant, bounded Token Exchange, revocation, introspection, signed/encrypted introspection, discovery, protected resource metadata, JWKS, JSON/signed/encrypted UserInfo, signed/encrypted JARM, PAR, JAR, DPoP, and mTLS.
- Runtime profiles:
oauth2-baseline,fapi2-security,fapi2-message-signing-authz-request,fapi2-message-signing-jarm, andfapi2-message-signing-introspection. - Local users, profiles, OAuth clients, grants, access requests, TOTP MFA, backup codes, remembered MFA, WebAuthn/passkeys, and SCIM provisioning.
- Local signing key lifecycle with prepublish, active, grace, and retired states. External-command signing is available for KMS/HSM integrations.
- Rust resource-server verifier with Actix Web, Axum/Tower, and tonic adapters.
- Release security workflows for CodeQL, dependency review, cargo audit, cargo deny, SBOM generation, Trivy image scanning, keyless signing, and provenance attestations.
Requirements:
- Rust toolchain compatible with edition 2024
- PostgreSQL 18 or a compatible PostgreSQL server
- Valkey 8 or a compatible Redis protocol server
- Docker or Podman for the local integration stack
Run with Docker Compose:
cp .env.yaml.example .env.yaml
docker compose up -d nazo_oauth_server
curl -fsS http://127.0.0.1:8000/health
curl -fsS http://127.0.0.1:8000/.well-known/openid-configurationRun directly on the host after pointing .env.yaml at reachable PostgreSQL and
Valkey services:
cargo run --bin nazo-oauth-migrate
cargo run --bin nazo-oauth-serverConfiguration is intentionally small for new deployments:
BIND: "0.0.0.0:8000"
PUBLIC_BASE_URL: "https://auth.example.com"
DATABASE_URL: "postgresql://nazo_oauth:<password>@postgres:5432/oauth"
VALKEY_URL: "redis://valkey:6379/0"
DATA_DIR: "/var/lib/nazo_oauth"
AUTHORIZATION_SERVER_PROFILE: "oauth2-baseline"
RUST_LOG: "info"PUBLIC_BASE_URL drives the same-origin defaults:
| Value | Default rule |
|---|---|
ISSUER |
PUBLIC_BASE_URL |
FRONTEND_BASE_URL |
PUBLIC_BASE_URL + "/ui/" |
CORS_ALLOWED_ORIGINS |
origin of PUBLIC_BASE_URL |
COOKIE_SECURE |
true for HTTPS issuers |
PASSKEY_ORIGIN and PASSKEY_RP_ID |
derived from issuer |
PROTECTED_RESOURCE_IDENTIFIER |
ISSUER + "/fapi/resource" |
DATA_DIR drives persistent local file paths:
| Value | Default rule |
|---|---|
JWK_KEYS_DIR |
DATA_DIR + "/keys" |
AVATAR_STORAGE_DIR |
DATA_DIR + "/avatars" |
Advanced settings still exist for compatibility and specialized deployments. They are documented in docs/operations/configuration.md.
The following capabilities are outside the default authorization-server surface and are not advertised unless implemented, tested, and explicitly enabled:
- Dynamic Client Registration / RFC 7591 and Client Configuration Management
/ RFC 7592 unless
ENABLE_DYNAMIC_CLIENT_REGISTRATION=true; public registration deployments should protect/registerwith an initial access token. - Device Authorization Grant / RFC 8628 unless
ENABLE_DEVICE_AUTHORIZATION_GRANT=true. - External-token, refresh-token, or ID-token Token Exchange profiles.
- Modular third-party login providers such as QQ, WeChat, Google, Microsoft, or enterprise SAML; these are roadmap items until provider-specific adapters, configuration gates, account linking, and E2E/negative tests exist.
- Request-level dynamic tenant or issuer routing.
- RFC 9701 encrypted introspection responses outside the signed-introspection profile, or without per-client JWE response metadata.
- UserInfo or JARM encryption without supported per-client JWE metadata and a unique matching public encryption key.
See docs/project/roadmap.md for the current scope record.
| Topic | Link |
|---|---|
| Documentation index | docs/README.md |
| Configuration | docs/operations/configuration.md |
| Deployment | docs/operations/deployment.md |
| Chinese deployment guide | docs/operations/deployment.zh-CN.md |
| Conformance records | docs/conformance |
| Performance benchmarks | docs/performance/performance-capacity-curve.md |
| OAuth/OIDC/FAPI best-practice matrix | docs/protocol/rfc-compliance-matrix.md |
| OAuth/OIDC/FAPI future roadmap | docs/protocol/oauth-best-practice-implementation-plan.zh-CN.md |
| Profile matrix | docs/protocol/profile-matrix.md |
| Ecosystem client onboarding | docs/features/ecosystem-onboarding.md |
| Threat model | docs/security/threat-model.md |
| Release security | docs/operations/release-security.md |
| PostgreSQL and Valkey operations | docs/operations/ha-operations.md |
| Resource server verifier | docs/features/resource-server-verifier.md |
| SCIM | docs/features/scim.md |
| Federation | docs/features/federation.md |
| Passkeys | docs/features/passkeys.md |
| MFA | docs/features/mfa.md |
| Security policy | SECURITY.md |
| Changelog | CHANGELOG.md |
cargo fmt --check
cargo check
cargo clippy -- -D warnings
cargo test --lockedHTTP and concurrency checks:
python scripts/full_real_request_e2e.py
python scripts/full_real_request_load.pyWindows coverage runs are documented in docs/coverage/codecov-docker-runbook.md.
AGPL-3.0-or-later. See LICENSE.
