Choice List: https://oauth.net/code/java/
Option 1: MITREid Connect
Good:
- based on Java, Spring, and Spring Security
- Supports basic OpenID Connect features
- Active Community
- So-so documentation
- RESTful API for managing clients, scopes, whitelists, blacklists, approvals, and tokens
- OpenID Connect certified
- Star: 1.3k, Fork: 743
Bad:
- XML-based server configuration
- No OpenID Connect Session Management feature
Verdict: no (lacks the back-channel logout feature)
Option 2: light-oauth2
Good:
- Fast and small memory footprint
- Huge Documentation
Bad:
- based on light-4j and light-rest-4j frameworks
- No OpenID Connect Session Management Feature
- Star: 261, Fork: 68
Verdict: no (lacks the back-channel logout feature)
Option 3: pac4j
Good:
- Has Documentation
Bad:
- Documentation not very friendly
- No OpenID Connect provider
Option 4: Apache CXF
Verdict: seems very old, so skipped it
Option 5: Keycloak
Good:
- Lots of functionality
- Advanced usage, customization
- Create Realms, Clients, Scopes, Users, Roles
- Highly Detailed Documentation
- User Account Management UI
- Login flows - optional user self-registration, recover password, verify email, require password update, etc.
- Custom Session Management (not OpenID Connect)
- Star: 9.8k, Fork: 3.8k
Bad:
- It is big and has a steep learning curve
- Need to invest time to customize the UI and extend it
- Back-channel logout is only possible for clients implementing the Keycloak OIDC client adapter
- The many customization options make it complex to configure
Verdict: maybe, but only if there is no other choice
Option 6: Nimbus
Good:
- Very well written documentation
- simple to use, easy to understand
- nice OpenID Connect client features
Bad:
- Need to buy Provider Support
Verdict: No