How oxd works.

In three simple steps oxd empowers you to implement strong security in your web apps.

Step 1: A user requests access to a protected resource in your application.

Step 2: Your app calls oxd APIs to send the user to your preferred OpenID Connect Provider (OP) for authentication.

Step 3: After authentication, oxd returns the user with claims to your app to make an enrollment and access decision.

Why oxd?

Better Security

oxd supports the OpenID Connect Hybrid Flow which adds extra security to protect the authorization code.
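
How the Hybrid Flow protects the authorization code, as an added example (not oxd or Gluu code): when the OP returns a code together with an ID token, OpenID Connect Core has the ID token carry a c_hash claim, which the client recomputes from the code it actually received. The function names and sample values are constructed for this illustration, and the ID token is assumed to be signature-verified already.

```python
import base64
import hashlib
import hmac

# SHA-2 variant selected by the ID token's JOSE "alg" header (RS256 -> SHA-256, ...).
HASH_BY_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def compute_c_hash(code, alg):
    """c_hash per OpenID Connect Core: base64url(left half of hash(ASCII code))."""
    hash_fn = HASH_BY_ALG_SUFFIX.get(alg[-3:])
    if hash_fn is None:
        raise ValueError("no c_hash hash function for alg %r" % alg)
    digest = hash_fn(code.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def code_matches_id_token(code, id_token_header, id_token_claims):
    """True only if the received code is the one the OP bound into the ID token.

    Assumes the ID token signature, issuer, audience and nonce were already verified.
    """
    claimed = id_token_claims.get("c_hash")
    if not isinstance(claimed, str):
        return False  # code + id_token response without c_hash: reject
    try:
        expected = compute_c_hash(code, str(id_token_header.get("alg", "")))
        # Constant-time comparison of the recomputed and the claimed value.
        return hmac.compare_digest(expected.encode("ascii"), claimed.encode("utf-8"))
    except ValueError:  # unsupported alg (e.g. "none") or non-ASCII input
        return False


# Constructed sample values, not taken from the page or from a real OP.
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_HEADER = {"alg": "RS256"}
SAMPLE_CLAIMS = {"sub": "user-1", "c_hash": compute_c_hash(SAMPLE_CODE, "RS256")}

if __name__ == "__main__":
    print(code_matches_id_token(SAMPLE_CODE, SAMPLE_HEADER, SAMPLE_CLAIMS))
    print(code_matches_id_token("substituted-code", SAMPLE_HEADER, SAMPLE_CLAIMS))
```

A client that skips this comparison accepts any code delivered alongside a valid ID token, which is the substitution the c_hash binding is meant to stop.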

Easier Maintenance

Automate security updates and version upgrades using Linux package management like yum and apt.

High Performance

In-memory or Redis caching of data improves throughput for your OpenID Connect & UMA clients.

Simple API

Simple APIs and native libraries make it easy to implement OpenID Connect and UMA in your server-side web applications.


Quickly integrate popular open source apps like Drupal and WordPress with your central authentication system.

End-to-end support

Use the Gluu Server as your OpenID Provider (OP) to offer a comprehensive single sign-on (SSO) and strong authentication service.

Multi-language Support

oxd APIs and native libraries for PHP, Java, Python, Node, Ruby, C#, .NET and more make it easy to implement strong security across heterogeneous application environments.

Java

CommandClient client = null;
try {
  client = new CommandClient(host, port);

  // Register the site with the OP, then exchange the authorization code for tokens.
  final RegisterSiteResponse site = RegisterSiteTest.registerSite(client, opHost, redirectUrl);
  final GetTokensByCodeResponse tokens = requestTokens(client, site, userId, userSecret);

  // Parameters for the get_user_info command.
  GetUserInfoParams params = new GetUserInfoParams();

  final GetUserInfoResponse resp = client.send(new Command(CommandType.GET_USER_INFO).setParamsObject(params)).dataAsResponse(GetUserInfoResponse.class);
} finally {
  // Release the client connection here.
}

PHP

<?php
require_once '../Get_user_info.php';

echo 'Get_user_info';
$get_user_info = new Get_user_info();

Python

user = oxc.get_user_info(tokens.access_token)

# The claims can be accessed using the dot notation.
print(user.username)

print(user._fields)  # to print all the fields

# to check for a particular field and get the information
if 'website' in user._fields:
    print(user.website)

Ruby

def login
  if (params[:code].present?)
    # Exchange the authorization code for an access token and keep it in the session.
    @access_token = @oxd_command.get_tokens_by_code( params[:code] )
    session.delete('oxd_access_token') if(session[:oxd_access_token].present?)
    session[:oxd_access_token] = @access_token
    session[:state] = params[:state]
    session[:session_state] = params[:session_state]
  end
  @user = @oxd_command.get_user_info(session[:oxd_access_token])
end

C#

public GetUserInfoResponse GetUserInfo(string host, int port, string accessToken)
{
    try
    {
      CommandClient client = new CommandClient(host, port);

      GetUserInfoParams param = new GetUserInfoParams();

      Command cmd = new Command(CommandType.get_user_info);

      string response = client.send(cmd);
      GetUserInfoResponse res = new GetUserInfoResponse(JsonConvert.DeserializeObject(response).data);
      return res;
    }
    catch (Exception ex)
    {
      // Any failure while talking to oxd yields no user info.
      return null;
    }
}

Node.js

try {
  var oxd = require("oxd-node");
  oxd.Request.oxd_id = "your site id"; //REQUIRED
  oxd.Request.access_token = "access_token from OP redirect url"; //REQUIRED
} catch (err) {
  console.log("error:" + err);
}
Take control of your identity system

Use the Gluu Server and oxd to deliver a comprehensive single sign-on (SSO), strong authentication, and access management service for all your web applications.

oxd Simplifies Application Security

oxd is continually updated to implement the latest OAuth 2.0 security improvements, so you stay one step ahead of hackers and vulnerabilities.



oxd is free and open source software
under the Apache2 license

  •   Complete feature set
  •   Continuous updates

Get Started

Get dedicated support for your oxd usage.

  •   Private Support
  •   Scheduled Calls
  •   Response SLAs
  •   Advanced Security Notifications

Frequently Asked Questions

What is oxd?
oxd is a mediator: it provides APIs that simplify and standardize the process of performing user authentication and authorization against an OAuth 2.0 Authorization Server, like the Gluu Server.
What kind of apps can leverage my oxd server?
Server-side web applications. To integrate any other types of apps with your Gluu Server (SaaS, SPAs, native, etc.), review supported strategies in the SSO integration guide.
How do applications call my oxd service?
By default, apps call oxd over localhost. If you want applications to be able to connect to oxd over the web, enable the oxd-https-extension.
For which programming languages and frameworks are there oxd libraries?
Currently there are oxd libraries for PHP, Java, .Net, Python, Ruby, C#, Node.js, Spring, and Lua. Learn more in the oxd documentation.
How do I get SSO across several web apps?
Secure your web apps with oxd, and then configure oxd to send users to an OpenID Provider (like Google or the Gluu Server) for single sign-on.
How can I get support for oxd?
Gluu provides free community support for oxd on the Gluu support portal. Simply register and open a ticket. If you need private support and guaranteed responses, we offer a range of VIP support plans.
How is oxd priced?
The latest version of oxd, 3.1.4, is open source software! If you need your license for older deployments, sign in.
Where should I deploy my oxd server?
It depends. By default, the oxd-server should be deployed on the same host as the application(s) you intend to secure. If you want a central oxd service that apps can call over the web, enable the https-extension.
How do I enable social login?
Social login needs to be configured at your OP. If you are using the Gluu Server, follow the docs to configure and support social login.
Can I use Google or Microsoft Azure Active Directory as my OpenID Connect Provider?
oxd works well with Google, and in general, any standard OP implementation.
How do I enable two-factor authentication (2FA)?
Similar to social login, strong authentication needs to be configured at your OP. If you are using the Gluu Server, review the authentication guide to learn more about configuring strong authentication.