Introduction

OAuth 2.0 and OpenID Connect authorization server documentation for Gembok Secure Systems.

Gembok (Javanese: induk kunci — master key/padlock) is the Identity and Access Management server of the PandeLab ecosystem. It implements the OAuth 2.0 authorization framework and OpenID Connect (OIDC) on top of it, so your applications can authenticate users and obtain access tokens without ever handling their credentials.

This site documents Gembok as an authorization server: the protocol endpoints, the supported flows, and the discovery metadata your client needs to integrate. It is written against the running server — every endpoint and value listed here reflects the actual implementation.

The account management API (creating clients, managing sessions from your own backend) is not part of this reference yet. For now, OAuth clients are provisioned through your Gembok account. This documentation covers the public OAuth/OIDC protocol surface only.

What Gembok provides

  • Authorization Code flow with PKCE — the recommended flow for web apps, SPAs, and mobile clients.
  • Refresh tokens via the offline_access scope for long-lived sessions.
  • OpenID Connect — ID tokens and a UserInfo endpoint for user profile claims.
  • JWT access tokens signed with keys published at a JWKS endpoint, so resource servers can verify them offline.
  • Token revocation and introspection (RFC 7009 / RFC 7662).
  • Discovery documents (OIDC Discovery and RFC 8414) for automatic configuration.

Endpoints at a glance

All paths are relative to the issuer (base URL) of your environment.

PurposeMethodPath
AuthorizationGET / POST/oauth/authorize
TokenPOST/oauth/token
UserInfoGET / POST/oauth/userinfo
Token revocationPOST/oauth/revoke
Token introspectionPOST/oauth/introspect
JWKS (public keys)GET/.well-known/jwks.json
OIDC discoveryGET/.well-known/openid-configuration
OAuth AS metadataGET/.well-known/oauth-authorization-server
Protected-resource metadataGET/.well-known/oauth-protected-resource

Base URLs

EnvironmentIssuer URL
Productionhttps://auth.pandelab.ahyalfan.dev
Local developmenthttp://localhost:8080

Always start by fetching the discovery document — it lists the exact endpoint URLs, supported scopes, grant types, and signing algorithms for the environment you are targeting.

Core concepts

Client
application
Your application, identified by a client_id. Confidential clients (with a server backend) hold a client_secret; public clients (SPAs, mobile) hold no secret and must use PKCE.
Scope
string
A space-separated list of permissions requested from the user, e.g. openid profile email. See supported scopes.
Access token
JWT
A signed, short-lived token the client sends to resource servers. Verify it with the JWKS public keys.
ID token
JWT
An OpenID Connect token asserting the user's identity, returned when the openid scope is requested.
Refresh token
opaque
A long-lived credential used to obtain new access tokens without user interaction. Issued only when offline_access is granted.

Next steps