OAuth 2.0 Server

Server-side OAuth 2.0 protector for sgcWebSockets HTTP and WebSocket servers. Verify access tokens via JWT validation or RFC 7662 introspection.

At a glance

TsgcHTTP_OAuth2_Server

Lightweight resource-server component — verifies inbound Bearer tokens via JWT signature checks or RFC 7662 token introspection, then exposes the parsed claims to your application.

Component class

TsgcHTTP_OAuth2_Server

Protocol

OAuth 2.0 (RFC 6749)

Platforms

Windows, macOS, Linux, iOS, Android

Edition

Enterprise

QuickStart

Drop, attach to your server, accept tokens

Configure JWT key (or introspection URL), then attach to TsgcWebSocketHTTPServer.OAuth2 — incoming requests get token-verified before your handler fires.

uses
  sgcWebSocket, sgcHTTP;

var
  Server: TsgcWebSocketHTTPServer;
  OAuth2: TsgcHTTP_OAuth2_Server;
begin
  OAuth2 := TsgcHTTP_OAuth2_Server.Create(nil);
  OAuth2.OAuth2Options.JWT.Algorithms.HS.Secret := 'shared-secret';

  Server := TsgcWebSocketHTTPServer.Create(nil);
  Server.Port := 8443;
  Server.SSL  := True;
  Server.Authentication.OAuth2.Enabled := True;
  Server.Authentication.OAuth2.Server  := OAuth2;

  Server.Active := True;
end;
// uses: sgcWebSocket, sgcHTTP
TsgcHTTP_OAuth2_Server *OAuth2 = new TsgcHTTP_OAuth2_Server(this);
OAuth2->OAuth2Options->JWT->Algorithms->HS->Secret = "shared-secret";

TsgcWebSocketHTTPServer *Server = new TsgcWebSocketHTTPServer(this);
Server->Authentication->OAuth2->Enabled = true;
Server->Authentication->OAuth2->Server  = OAuth2;
Server->Active = true;
Technical features

What's inside

Resource-server component that protects HTTP and WebSocket endpoints with JWT-validated or introspection-validated access tokens.

JWT validation

Built-in JWT verifier (HS / RS / ES / EdDSA) against either a static key or a JWKS endpoint — no round trip to the issuer for self-contained tokens.

Token introspection

Set OAuth2Options.IntrospectionURL per RFC 7662 — the component POSTs the inbound token to the issuer and caches the active/inactive result with a TTL.

Scope enforcement

Attach OAuth2Options.RequiredScope to limit access to tokens carrying the chosen scope. OnAuthError reports the rejection reason.

WebSocket-aware

Works with both HTTP requests and WebSocket upgrades — the upgrade Authorization header (or query token) is verified before OnConnect.

OnVerify hook

Implement OnVerify for custom claim checks (multi-tenant aud, dynamic scope mapping, account-status). Return Accept = False to short-circuit with 401.

Provider sibling

TsgcHTTP_OAuth2_Server_Provider turns this component into a full authorization server (issuer): authorize, token and revoke endpoints with persistent client/refresh-token storage.

Standards

Specifications & references

Authoritative sources for the standards this component implements.

Resources

Documentation & Demos

Deep-link to the component reference, grab the ready-to-run demo project, and download the trial.

Online Help — TsgcHTTP_OAuth2_Server Full property, method and event reference for this component. Open
Demo Project — Demos\20.HTTP_Protocol\02.OAuth2_Authentication Ready-to-run example project. Ships inside the sgcWebSockets package — download the trial below. Open
Technical Document (PDF) Features, quick start, code samples for Delphi & C++ Builder and primary-source references — this component only. Open
User Manual (PDF) Comprehensive manual covering every component in the library. Open

Ready to Protect APIs with OAuth 2.0?

Download the free trial and add OAuth 2.0 token validation to your Delphi servers.

Download Free Trial View Pricing