OAuth 2.0 Provider

Stand up your own OAuth 2.0 authorization server in Delphi. Authorize, token, refresh and revoke endpoints with PKCE, signed JWT access tokens and pluggable storage.

TsgcHTTP_OAuth2_Server_Provider

Full OAuth 2.0 authorization-server implementation: registers clients, issues authorization codes, exchanges them for access + refresh tokens, signs JWTs and supports PKCE, refresh rotation and revocation.

Component class: TsgcHTTP_OAuth2_Server_Provider
Platforms: Windows, macOS, Linux, iOS, Android
Edition: Enterprise

Drop, configure clients, run

Drop a TsgcHTTP_OAuth2_Server_Provider, register your client_ids and redirect_uris, attach to TsgcWebSocketHTTPServer — the standard endpoints (/authorize, /token, /revoke) become available.

uses
  sgcWebSocket, sgcHTTP;

var
  Server: TsgcWebSocketHTTPServer;
  Provider: TsgcHTTP_OAuth2_Server_Provider;
begin
  Provider := TsgcHTTP_OAuth2_Server_Provider.Create(nil);
  Provider.ProviderOptions.AuthorizationEndpoint := '/oauth/authorize';
  Provider.ProviderOptions.TokenEndpoint         := '/oauth/token';
  Provider.ProviderOptions.RevocationEndpoint    := '/oauth/revoke';
  Provider.ProviderOptions.PKCE.Required := True;

  Provider.OnAuthorizeRequest := procedure(Sender: TObject;
    const aRequest: TsgcOAuth2_AuthorizeRequest;
    var aResponse: TsgcOAuth2_AuthorizeResponse)
  begin
    // validate user session, issue or deny the auth code
    // (GenerateAuthCode is not defined in this snippet)
    aResponse.Code := GenerateAuthCode(aRequest.ClientId, aRequest.UserId);
  end;

  Server := TsgcWebSocketHTTPServer.Create(nil);
  Server.Port := 8443;
  Server.SSL  := True;
  Server.OAuth2.Provider := Provider;
  Server.Active := True;
end;

// C++ Builder
// uses: sgcWebSocket, sgcHTTP
TsgcHTTP_OAuth2_Server_Provider *Provider = new TsgcHTTP_OAuth2_Server_Provider(this);
Provider->ProviderOptions->AuthorizationEndpoint = "/oauth/authorize";
Provider->ProviderOptions->TokenEndpoint        = "/oauth/token";

TsgcWebSocketHTTPServer *Server = new TsgcWebSocketHTTPServer(this);
Server->OAuth2->Provider = Provider;
Server->Active = true;

What's inside

A self-hosted authorization server — everything from /authorize to refresh-token rotation in one Delphi component.

Authorize endpoint

Handles GET /authorize requests, validates response_type, client_id and redirect_uri, then raises OnAuthorizeRequest for your user-session login UI.

Token endpoint

POST /token issues access + refresh tokens for the authorization_code, refresh_token and client_credentials grants. PKCE code_verifier is verified per RFC 7636.

JWT-signed access tokens

Optionally issue self-contained JWT access tokens (HS or RS / ES) so resource servers can validate without an introspection round-trip.

Refresh-token rotation

When ProviderOptions.RefreshToken.Rotation is enabled, every refresh issues a new refresh-token and invalidates the previous one — aligning with OAuth 2.1 best practice.

Revocation endpoint

POST /revoke invalidates an access or refresh token per RFC 7009 — honours both Bearer and client_credentials revocations.

Pluggable storage

OnLookupClient, OnPersistAuthCode, OnPersistRefreshToken and friends let you back the provider with FireDAC, SQLite, Redis or your own DAL.

Documentation & Demos

Deep-link to the component reference, grab the ready-to-run demo project, and download the trial.

Online Help — TsgcHTTP_OAuth2_Server_Provider: Full property, method and event reference for this component.
Demo Project — Demos\20.HTTP_Protocol\08.OAuth2_ServerProvider: Ready-to-run example project. Ships inside the sgcWebSockets package — download the trial below.
Technical Document (PDF): Features, quick start, code samples for Delphi & C++ Builder and primary-source references — this component only.
User Manual (PDF): Comprehensive manual covering every component in the library.

Ready to Run Your Own OAuth 2.0 Provider?

Download the free trial and stand up an OAuth 2.0 authorization server in Delphi.