It supports:
- Authorization Code Flow (with PKCE)
- Client Credentials, Resource Owner Password
- Token refresh, revocation, and introspection
- Dynamic client registration
- OIDC Discovery, JWKS, and UserInfo endpoints
- Audit logging
Everything is configurable: token lifetimes, rate limits, password policies, SMTP, throttling, HTTPS enforcement, etc.
Vigilo passes the OpenID Foundation's Basic and Comprehensive Authorization Server tests (test logs included in the repo). Not officially certified yet, but working on it.
This was my senior project in university, and I’m continuing to build it out with features like RBAC, TOTP, social login, realm support, and an admin UI. The internal code could use some refactoring, so I’m very open to feedback, suggestions, and contributions.
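For readers unfamiliar with the PKCE part of the Authorization Code Flow mentioned above, here is a small added example (not Vigilo's code, and not from the post's author) showing the client-side verifier/challenge derivation from RFC 7636 and the checks an authorization server's token endpoint performs: single-use codes, client binding, verifier length, and a constant-time comparison of the S256 challenge. The `AuthorizationServer` class and its in-memory code store are constructed for the example only.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(n_bytes))


def s256_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal stand-in for the server side (constructed for this example)."""

    def __init__(self) -> None:
        # authorization code -> (client_id, code_challenge)
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: store the challenge and issue a code."""
        if method != "S256":
            # 'plain' offers no protection against an intercepted challenge; refuse it.
            raise ValueError("only code_challenge_method=S256 is accepted")
        if len(code_challenge) != 43:
            raise ValueError("S256 challenge must be 43 base64url characters")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, code: str, client_id: str, code_verifier: str):
        """Token endpoint: returns a token dict on success, None on any failure."""
        # pop(): every code is single use, even when the verifier turns out wrong
        entry = self._codes.pop(code, None)
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None  # code was issued to a different client
        if not 43 <= len(code_verifier) <= 128:
            return None  # RFC 7636 length bounds
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None  # whoever redeems the code must hold the original verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def demo() -> bool:
    """Full round trip; returns True when the legitimate client gets a token."""
    verifier = make_verifier()
    server = AuthorizationServer()
    code = server.authorize("spa-client", s256_challenge(verifier))
    return server.token(code, "spa-client", verifier) is not None


if __name__ == "__main__":
    print("PKCE round trip ok:", demo())
```

The point of the design is that an attacker who intercepts the authorization code (a leaky redirect, a logged URL) still cannot redeem it without the verifier, which never leaves the client until the token request.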