move authentication protocol implementation to separate modules.

authentication protocol modules are loaded by SPI now.

45 files changed, 3722 insertions, 0 deletions

diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml
new file mode 100644
index 000000000..2a953bcab
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/pom.xml
@@ -0,0 +1,86 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>MOA.id.server.modules</groupId>
+    <artifactId>moa-id-modules</artifactId>
+    <version>${moa-id-version}</version>
+  </parent>
+  
+  <groupId>MOA.id.server.modules</groupId>
+	<artifactId>moa-id-module-openID</artifactId>
+	<version>${moa-id-version}</version>
+	<packaging>jar</packaging>
+
+	<name>MOA ID-Module OpenID Connect</name>
+
+	<properties>
+		<repositoryPath>${basedir}/../../../../repository</repositoryPath>
+	</properties>
+  
+  	<dependencies>
+
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>${junit.version}</version>
+			<scope>test</scope>
+		</dependency>
+		
+		<dependency>
+			<groupId>com.google.http-client</groupId>
+			<artifactId>google-http-client-jackson2</artifactId>
+			<version>1.19.0</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>com.google.oauth-client</groupId>
+			<artifactId>google-oauth-client-jetty</artifactId>
+			<version>1.19.0</version>
+			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<groupId>org.mortbay.jetty</groupId>
+					<artifactId>servlet-api</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+
+		<dependency>
+			<groupId>com.googlecode.jsontoken</groupId>
+			<artifactId>jsontoken</artifactId>
+			<version>1.1</version>
+			<exclusions>
+				<exclusion>
+					<groupId>javax.servlet</groupId>
+					<artifactId>servlet-api</artifactId>
+				</exclusion>
+				<exclusion>
+					<artifactId>google-collections</artifactId>
+					<groupId>com.google.collections</groupId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+
+		<dependency>
+			<groupId>com.google.guava</groupId>
+			<artifactId>guava</artifactId>
+			<version>18.0</version>
+		</dependency>
+		
+				<!-- TestNG -->
+		<dependency>
+			<groupId>org.testng</groupId>
+			<artifactId>testng</artifactId>
+			<version>6.1.1</version>
+			<scope>test</scope>
+		</dependency>
+
+	</dependencies>
+  
+</project>
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java
new file mode 100644
index 000000000..e2ac97535
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java
@@ -0,0 +1,76 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20;
+
+import java.util.Properties;
+
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.util.FileUtils;
+
+public class OAuth20Configuration {
+	
+	private static OAuth20Configuration instance;
+	
+	public static OAuth20Configuration getInstance() {
+		if (instance == null) {
+			instance = new OAuth20Configuration();
+		}
+		return instance;
+	}
+			
+	public static final String JWT_KEYSTORE = "jwt.ks.file";
+	public static final String JWT_KEYSTORE_PASSWORD = "jwt.ks.password";
+	public static final String JWT_KEY_NAME = "jwt.ks.key.name";
+	public static final String JWT_KEY_PASSWORD = "jwt.ks.key.password";
+	
+	private Properties props;
+	private String rootDir = null;
+	
+	private OAuth20Configuration() {
+		try {
+			props = AuthConfigurationProviderFactory.getInstance().getGeneralOAuth20ProperiesConfig();
+			rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir();
+		}
+		catch (ConfigurationException e) {
+			e.printStackTrace();
+		}
+	}
+	
+	public String getJWTKeyStore() {
+		return FileUtils.makeAbsoluteURL(props.getProperty(JWT_KEYSTORE), rootDir);
+	}
+	
+	public String getJWTKeyStorePassword() {
+		return props.getProperty(JWT_KEYSTORE_PASSWORD).trim();
+	}
+	
+	public String getJWTKeyName() {
+		return props.getProperty(JWT_KEY_NAME).trim();
+	}
+	
+	public String getJWTKeyPassword() {
+		return props.getProperty(JWT_KEY_PASSWORD).trim();
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
new file mode 100644
index 000000000..b0736ff2e
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Constants.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20;
+
+public final class OAuth20Constants {
+	
+	private OAuth20Constants() {
+		throw new InstantiationError();
+	}
+	
+	public static final String ERRORPAGE = "moa_errorcodes.html";
+	
+	// error parameters and error codes
+	public static final String PARAM_ERROR = "error";
+	public static final String PARAM_ERROR_DESCRIPTION = "error_description";
+	public static final String PARAM_ERROR_URI = "error_uri";
+	
+	public static final String ERROR_INVALID_REQUEST = "invalid_request";
+	public static final String ERROR_UNSUPPORTED_RESPONSE_TYPE = "unsupported_response_type";
+	public static final String ERROR_INVALID_CLIENT = "invalid_client";
+	public static final String ERROR_ACCESS_DENIED = "access_denied";
+	public static final String ERROR_SERVER_ERROR = "server_error";
+	public static final String ERROR_INVALID_GRANT = "invalid_grant";
+	public static final String ERROR_UNAUTHORIZED_CLIENT = "unauthorized_client";
+	
+	// request parameters
+	//public static final String PARAM_OA_URL = "oaURL";
+	public static final String PARAM_RESPONSE_TYPE = "response_type";
+	public static final String PARAM_REDIRECT_URI = "redirect_uri";
+	public static final String PARAM_STATE = "state";
+	public static final String PARAM_NONCE = "nonce";
+	public static final String PARAM_GRANT_TYPE = "grant_type";
+	public static final String PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE = "authorization_code";
+	public static final String PARAM_CLIENT_ID = "client_id";
+	public static final String PARAM_CLIENT_SECRET = "client_secret";
+	public static final String PARAM_SCOPE = "scope";
+	public static final String PARAM_MOA_MOD = "mod";
+	public static final String PARAM_MOA_ACTION = "action";
+
+	
+	// reponse parameters
+	public static final String RESPONSE_CODE = "code";
+	public static final String RESPONSE_TOKEN = "token";
+	public static final String RESPONSE_ACCESS_TOKEN = "access_token";
+	public static final String RESPONSE_ID_TOKEN = "id_token";
+	public static final String RESPONSE_EXPIRES_IN = "expires_in";
+	public static final String RESPONSE_TOKEN_TYPE = "token_type";
+	public static final String RESPONSE_TOKEN_TYPE_VALUE_BEARER = "Bearer";
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
new file mode 100644
index 000000000..4a33a44b7
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20SessionObject.java
@@ -0,0 +1,74 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20;
+
+import java.io.Serializable;
+import java.util.Map;
+
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
+
+public class OAuth20SessionObject implements Serializable {
+	
+	/**
+	 * 
+	 */
+	private static final long serialVersionUID = 1L;
+	
+	private String scope;
+	
+	private String code;
+	
+	private Map<String, Object> authDataSession;
+	
+	public String getScope() {
+		return scope;
+	}
+	
+	public void setScope(String scope) {
+		this.scope = scope;
+	}
+	
+	/**
+	 * @return the code
+	 */
+	public String getCode() {
+		return code;
+	}
+	
+	/**
+	 * @param code
+	 *            the code to set
+	 */
+	public void setCode(String code) {
+		this.code = code;
+	}
+	
+	public Map<String, Object> getAuthDataSession() {
+		return authDataSession;
+	}
+	
+	public void setAuthDataSession(Map<String, Object> idToken) {
+		this.authDataSession = idToken;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java
new file mode 100644
index 000000000..912060949
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Util.java
@@ -0,0 +1,111 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.lang.StringUtils;
+
+import com.google.gson.JsonObject;
+
+public final class OAuth20Util {
+	
+	public static final String REGEX_HTTPS = "^(https?)://[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]";
+	public static final String REGEX_FILE = "^(file):/.[-a-zA-Z0-9+&@#/%?=~_|!:,.;]*[-a-zA-Z0-9+&@#/%=~_|]";
+	
+	private OAuth20Util() {
+		throw new InstantiationError();
+	}
+	
+	/**
+	 * Simple helper function to add parameter to a url
+	 * 
+	 * @param url
+	 * @param name
+	 * @param value
+	 * @throws UnsupportedEncodingException
+	 */
+	public static void addParameterToURL(final StringBuilder url, final String name, final String value)
+			throws UnsupportedEncodingException {
+		if (url.indexOf("?") < 0) {
+			url.append("?");
+		} else {
+			url.append("&");
+		}
+		// URLEncoder.encode(value, "UTF-8")
+		url.append(name).append("=").append(value);
+	}
+	
+	public static boolean isUrl(final String url) {
+		Pattern urlPattern;
+		if (url.startsWith("file")) {
+			urlPattern = Pattern.compile(REGEX_FILE, Pattern.CASE_INSENSITIVE);
+		} else {
+			urlPattern = Pattern.compile(REGEX_HTTPS, Pattern.CASE_INSENSITIVE);
+		}
+		
+		Matcher matcher = urlPattern.matcher(url);
+		return matcher.find();
+	}
+	
+	public static boolean isValidStateValue(String state) {
+		Pattern urlPattern = Pattern.compile("javascript|<|>|&|;", Pattern.CASE_INSENSITIVE);
+		Matcher matcher = urlPattern.matcher(state);
+		return !matcher.find();
+	}
+	
+	public static void addProperytiesToJsonObject(JsonObject jsonObject, Map<String, Object> params) {
+		for (Map.Entry<String, Object> param : params.entrySet()) {
+			
+			if (!StringUtils.isEmpty(param.getKey()) && param.getValue() != null) {
+				
+				// check for integer
+				try {
+					int i = Integer.parseInt(String.valueOf(param.getValue()));
+					jsonObject.addProperty(param.getKey(), i);
+					continue;
+				}
+				catch (NumberFormatException e) {
+				}
+				
+				// check for long
+				try {
+					long l = Long.parseLong(String.valueOf(param.getValue()));
+					jsonObject.addProperty(param.getKey(), l);
+					continue;
+				}
+				catch (NumberFormatException e) {
+				}
+				
+				// string
+				if (param.getValue() instanceof String) {
+					jsonObject.addProperty(param.getKey(), String.valueOf(param.getValue()));
+				}
+			}
+		}
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java
new file mode 100644
index 000000000..eb3cfcccb
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/Pair.java
@@ -0,0 +1,45 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20;
+
+public class Pair<P1, P2> {
+	private final P1 first;
+	private final P2 second;
+	
+	private Pair(final P1 newFirst, final P2 newSecond) {
+		this.first = newFirst;
+		this.second = newSecond;
+	}
+	
+	public P1 getFirst() {
+		return this.first;
+	}
+	
+	public P2 getSecond() {
+		return this.second;
+	}
+	
+	public static <P1, P2> Pair<P1, P2> newInstance(final P1 newFirst, final P2 newSecond) {
+		return new Pair<P1, P2>(newFirst, newSecond);
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
new file mode 100644
index 000000000..439d08e0b
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java
@@ -0,0 +1,267 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.apache.commons.lang.StringUtils;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.BPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDAuthBlock;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCcsURL;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDCitizenQAALevelAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIdentityLinkBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDIssuingNationAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSTORKTOKEN;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSectorForIDAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSignerCertificate;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSourcePIN;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.EIDSourcePINType;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonFullNameAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateLegalPersonSourcePinTypeAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonBPKAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonBirthDateAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonFamilyNameAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonGivenNameAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateNaturalPersonSourcePinTypeAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepDescAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateProfRepOIDAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateReferenceValueAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.MandateTypeAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKAdoptedFamilyNameAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKAgeAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKCanonicalResidenceAddressAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKCountryCodeOfBirthAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKFiscalNumberAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKGenderAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKInhertedFamilyNameAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKIsAgeOverAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKMaritalStatusAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKNationalityCodeAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKPseudonymAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKResidencePermitAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKTextResidenceAddressAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.STORKTitleAttributBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.logging.Logger;
+
+import com.google.gson.JsonObject;
+import com.google.gson.JsonPrimitive;
+
+public final class OAuth20AttributeBuilder {
+	
+	private OAuth20AttributeBuilder() {
+		throw new InstantiationError();
+	}
+	
+	private static IAttributeGenerator<Pair<String, JsonPrimitive>> generator = new IAttributeGenerator<Pair<String, JsonPrimitive>>() {
+		
+		public Pair<String, JsonPrimitive> buildStringAttribute(final String friendlyName, final String name, final String value) {
+			return Pair.newInstance(friendlyName, new JsonPrimitive(value));
+		}
+		
+		public Pair<String, JsonPrimitive> buildIntegerAttribute(final String friendlyName, final String name, final int value) {
+			return Pair.newInstance(friendlyName, new JsonPrimitive(value));
+		}
+		
+		public Pair<String, JsonPrimitive> buildLongAttribute(final String friendlyName, final String name, final long value) {
+			return Pair.newInstance(friendlyName, new JsonPrimitive(value));
+		}
+		
+		public Pair<String, JsonPrimitive> buildEmptyAttribute(final String friendlyName, final String name) {
+			return Pair.newInstance(friendlyName, new JsonPrimitive(""));
+		}
+		
+	};
+	
+	private static final List<IAttributeBuilder> buildersOpenId = new ArrayList<IAttributeBuilder>();
+	private static final List<IAttributeBuilder> buildersProfile = new ArrayList<IAttributeBuilder>();
+	private static final List<IAttributeBuilder> buildersEID = new ArrayList<IAttributeBuilder>();
+	private static final List<IAttributeBuilder> buildersEIDGov = new ArrayList<IAttributeBuilder>();
+	private static final List<IAttributeBuilder> buildersMandate = new ArrayList<IAttributeBuilder>();
+	private static final List<IAttributeBuilder> buildersSTORK = new ArrayList<IAttributeBuilder>();
+	static {
+		// openId
+		buildersOpenId.add(new OpenIdIssuerAttribute());
+		buildersOpenId.add(new OpenIdSubjectIdentifierAttribute());
+		buildersOpenId.add(new OpenIdExpirationTimeAttribute());
+		buildersOpenId.add(new OpenIdIssueInstantAttribute());
+		buildersOpenId.add(new OpenIdAuthenticationTimeAttribute());
+		buildersOpenId.add(new OpenIdAudiencesAttribute());
+		buildersOpenId.add(new OpenIdNonceAttribute());
+		
+		// profile
+		buildersProfile.add(new ProfileGivenNameAttribute());
+		buildersProfile.add(new ProfileFamilyNameAttribute());
+		buildersProfile.add(new ProfileDateOfBirthAttribute());
+		
+		// EID
+		buildersEID.add(new EIDCcsURL());
+		buildersEID.add(new EIDCitizenQAALevelAttributeBuilder());
+		buildersEID.add(new EIDIssuingNationAttributeBuilder());
+		buildersEID.add(new EIDSectorForIDAttributeBuilder());
+		buildersEID.add(new EIDAuthBlock());
+		buildersEID.add(new EIDSignerCertificate());
+		buildersEID.add(new BPKAttributeBuilder());
+		
+		// eID_gov
+		buildersEIDGov.add(new EIDSourcePIN());
+		buildersEIDGov.add(new EIDSourcePINType());
+		buildersEIDGov.add(new EIDIdentityLinkBuilder());
+		
+		// mandate
+		buildersMandate.add(new MandateTypeAttributeBuilder());
+		buildersMandate.add(new MandateReferenceValueAttributeBuilder());
+		
+		buildersMandate.add(new MandateNaturalPersonSourcePinAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonSourcePinTypeAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonBPKAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonFamilyNameAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonGivenNameAttributeBuilder());
+		buildersMandate.add(new MandateNaturalPersonBirthDateAttributeBuilder());
+		
+		buildersMandate.add(new MandateLegalPersonSourcePinAttributeBuilder());
+		buildersMandate.add(new MandateLegalPersonSourcePinTypeAttributeBuilder());
+		buildersMandate.add(new MandateLegalPersonFullNameAttributeBuilder());
+		
+		buildersMandate.add(new MandateProfRepOIDAttributeBuilder());
+		buildersMandate.add(new MandateProfRepDescAttributeBuilder());
+				
+		// STORK
+		buildersSTORK.add(new EIDSTORKTOKEN());
+		buildersSTORK.add(new STORKAdoptedFamilyNameAttributBuilder());
+		buildersSTORK.add(new STORKAgeAttributBuilder());
+		buildersSTORK.add(new STORKCanonicalResidenceAddressAttributBuilder());
+		buildersSTORK.add(new STORKCountryCodeOfBirthAttributBuilder());
+		buildersSTORK.add(new STORKFiscalNumberAttributBuilder());
+		buildersSTORK.add(new STORKGenderAttributBuilder());
+		buildersSTORK.add(new STORKInhertedFamilyNameAttributBuilder());
+		buildersSTORK.add(new STORKIsAgeOverAttributBuilder());
+		buildersSTORK.add(new STORKMaritalStatusAttributBuilder());
+		buildersSTORK.add(new STORKNationalityCodeAttributBuilder());
+		buildersSTORK.add(new STORKPseudonymAttributBuilder());
+		buildersSTORK.add(new STORKResidencePermitAttributBuilder());
+		buildersSTORK.add(new STORKTextResidenceAddressAttributBuilder());
+		buildersSTORK.add(new STORKTitleAttributBuilder());
+	}
+	
+	private static void addAttibutes(final List<IAttributeBuilder> builders, final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData, OAuth20AuthRequest oAuthRequest) {
+		for (IAttributeBuilder b : builders) {
+			try {
+				//TODO: better solution requires more refactoring :(
+				Pair<String, JsonPrimitive> attribute = null;
+				if (b instanceof OpenIdNonceAttribute) {
+					OpenIdNonceAttribute nonceBuilder = (OpenIdNonceAttribute) b;
+					attribute = nonceBuilder.build(oaParam, authData, oAuthRequest, generator);
+					
+				} else				
+					attribute = b.build(oaParam, authData, generator);
+					
+				if (attribute != null && !StringUtils.isEmpty(attribute.getSecond().getAsString())) {
+					jsonObject.add(attribute.getFirst(), attribute.getSecond());
+				}
+			}
+			catch (AttributeException e) {
+				Logger.info("Cannot add attribute " + b.getName());
+			}
+		}
+	}
+	
+	public static void addScopeOpenId(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData, 
+			final OAuth20AuthRequest oAuthRequest) {
+		addAttibutes(buildersOpenId, jsonObject, oaParam, authData, oAuthRequest);
+	}
+	
+	public static void addScopeProfile(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData) {
+		addAttibutes(buildersProfile, jsonObject, oaParam, authData, null);
+	}
+	
+	public static void addScopeEID(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData) {
+		addAttibutes(buildersEID, jsonObject, oaParam, authData, null);
+	}
+	
+	public static void addScopeEIDGov(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData) {
+		addAttibutes(buildersEIDGov, jsonObject, oaParam, authData, null);
+	}
+	
+	public static void addScopeMandate(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData) {
+		addAttibutes(buildersMandate, jsonObject, oaParam, authData, null);
+	}
+	
+	public static void addScopeSTORK(final JsonObject jsonObject,
+			final OAAuthParameter oaParam, final IAuthData authData) {
+		addAttibutes(buildersSTORK, jsonObject, oaParam, authData, null);
+	}
+
+	/**
+	 * @return the buildersprofile
+	 */
+	public static List<IAttributeBuilder> getBuildersprofile() {
+		return buildersProfile;
+	}
+
+	/**
+	 * @return the builderseid
+	 */
+	public static List<IAttributeBuilder> getBuilderseid() {
+		return buildersEID;
+	}
+
+	/**
+	 * @return the builderseidgov
+	 */
+	public static List<IAttributeBuilder> getBuilderseidgov() {
+		return buildersEIDGov;
+	}
+
+	/**
+	 * @return the buildersmandate
+	 */
+	public static List<IAttributeBuilder> getBuildersmandate() {
+		return buildersMandate;
+	}
+
+	/**
+	 * @return the buildersstork
+	 */
+	public static List<IAttributeBuilder> getBuildersstork() {
+		return buildersSTORK;
+	}
+	
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
new file mode 100644
index 000000000..404eb1b44
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java
@@ -0,0 +1,47 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdAudiencesAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "aud";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		return g.buildStringAttribute(this.getName(), "", oaParam.getPublicURLPrefix());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
+
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java
new file mode 100644
index 000000000..121648499
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdAuthenticationTimeAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "auth_time";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildLongAttribute(this.getName(), "", ((long) (authData.getIssueInstant().getTime() / 1000)));
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java
new file mode 100644
index 000000000..9230c0105
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java
@@ -0,0 +1,50 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import java.util.Date;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdExpirationTimeAttribute implements IAttributeBuilder {
+	
+	public static final int expirationTime = 5 * 60; // in seconds
+	
+	public String getName() {
+		return "exp";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000 + expirationTime));
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java
new file mode 100644
index 000000000..3bdda5c2a
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java
@@ -0,0 +1,48 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import java.util.Date;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdIssueInstantAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "iat";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildLongAttribute(this.getName(), "", (long) (new Date().getTime() / 1000));
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java
new file mode 100644
index 000000000..85c46d5b2
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdIssuerAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "iss";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildStringAttribute(this.getName(), "", authData.getIssuer());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
new file mode 100644
index 000000000..6baa69b1e
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java
@@ -0,0 +1,57 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+public class OpenIdNonceAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "nonce";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		return g.buildStringAttribute(this.getName(), "", null);
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData, OAuth20AuthRequest oAuthRequest,
+			IAttributeGenerator<ATT> g) throws AttributeException { 
+		if (MiscUtil.isNotEmpty(oAuthRequest.getNonce()))
+			return g.buildStringAttribute(this.getName(), "", oAuthRequest.getNonce());
+		else
+			return null;
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
+
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java
new file mode 100644
index 000000000..d5bda0dba
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class OpenIdSubjectIdentifierAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "sub";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildStringAttribute(this.getName(), "", authData.getBPK());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java
new file mode 100644
index 000000000..dd84536ed
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class ProfileDateOfBirthAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "birthdate";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildStringAttribute(this.getName(), "", authData.getFormatedDateOfBirth());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java
new file mode 100644
index 000000000..02cc66e4b
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class ProfileFamilyNameAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "family_name";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildStringAttribute(this.getName(), "", authData.getFamilyName());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java
new file mode 100644
index 000000000..302ce8105
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java
@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.attributes;
+
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeGenerator;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException;
+
+public class ProfileGivenNameAttribute implements IAttributeBuilder {
+	
+	public String getName() {
+		return "given_name";
+	}
+	
+	public <ATT> ATT build(OAAuthParameter oaParam, IAuthData authData,
+			IAttributeGenerator<ATT> g) throws AttributeException {
+		return g.buildStringAttribute(this.getName(), "", authData.getGivenName());
+	}
+	
+	public <ATT> ATT buildEmpty(IAttributeGenerator<ATT> g) {
+		return g.buildEmptyAttribute(this.getName(), "");
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java
new file mode 100644
index 000000000..25a30bfcf
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20AccessDeniedException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20AccessDeniedException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20AccessDeniedException() {
+		super(OAuth20Constants.ERROR_ACCESS_DENIED, "oauth20.05", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java
new file mode 100644
index 000000000..a938d1544
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20CertificateErrorException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20CertificateErrorException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20CertificateErrorException(final String name) {
+		super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.09", new Object[] { name });
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java
new file mode 100644
index 000000000..307615fbd
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java
@@ -0,0 +1,71 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.util.MOAIDMessageProvider;
+
+public class OAuth20Exception extends RuntimeException {
+	
+	private static final long serialVersionUID = 1L;
+	
+	private String messageId;
+	
+	private String errorCode;
+	
+	public OAuth20Exception(final String errorCode, final String messageId, final Object[] parameters) {
+		super(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters));
+		this.errorCode = errorCode;
+		this.messageId = messageId;
+	}
+	
+	/**
+	 * @return the messageId
+	 */
+	public String getMessageId() {
+		return messageId;
+	}
+	
+	/**
+	 * @param messageId
+	 *            the messageId to set
+	 */
+	public void setMessageId(String messageId) {
+		this.messageId = messageId;
+	}
+	
+	/**
+	 * @return the errorCode
+	 */
+	public String getErrorCode() {
+		return errorCode;
+	}
+	
+	/**
+	 * @param errorCode
+	 *            the errorCode to set
+	 */
+	public void setErrorCode(String errorCode) {
+		this.errorCode = errorCode;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java
new file mode 100644
index 000000000..9c2875cef
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidClientException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20InvalidClientException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20InvalidClientException() {
+		super(OAuth20Constants.ERROR_INVALID_CLIENT, "oauth20.05", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java
new file mode 100644
index 000000000..c0f03c735
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidGrantException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20InvalidGrantException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20InvalidGrantException() {
+		super(OAuth20Constants.ERROR_INVALID_GRANT, "oauth20.07", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java
new file mode 100644
index 000000000..b980840c2
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20InvalidRequestException.java
@@ -0,0 +1,35 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20InvalidRequestException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20InvalidRequestException() {
+		super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.04", new Object[] {});
+		
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java
new file mode 100644
index 000000000..0edeb89bc
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20OANotSupportedException.java
@@ -0,0 +1,44 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+/**
+ * @author tlenz
+ *
+ */
+public class OAuth20OANotSupportedException extends OAuth20Exception {
+
+	private static final long serialVersionUID = -8713091674236329339L;
+
+	/**
+	 * @param errorCode
+	 * @param messageId
+	 * @param parameters
+	 */
+	public OAuth20OANotSupportedException() {
+		super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.06", new Object[] {});
+	}
+
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java
new file mode 100644
index 000000000..8de854821
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ResponseTypeException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20ResponseTypeException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20ResponseTypeException() {
+		super(OAuth20Constants.ERROR_UNSUPPORTED_RESPONSE_TYPE, "oauth20.03", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java
new file mode 100644
index 000000000..470507f08
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20ServerErrorException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20ServerErrorException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20ServerErrorException() {
+		super(OAuth20Constants.ERROR_SERVER_ERROR, "oauth20.10", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java
new file mode 100644
index 000000000..ee7b4d7d6
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20UnauthorizedClientException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20UnauthorizedClientException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20UnauthorizedClientException() {
+		super(OAuth20Constants.ERROR_UNAUTHORIZED_CLIENT, "oauth20.08", new Object[] {});
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java
new file mode 100644
index 000000000..48267d88c
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20WrongParameterException.java
@@ -0,0 +1,34 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.exceptions;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+
+public class OAuth20WrongParameterException extends OAuth20Exception {
+	private static final long serialVersionUID = 1L;
+	
+	public OAuth20WrongParameterException(final String name) {
+		super(OAuth20Constants.ERROR_INVALID_REQUEST, "oauth20.02", new Object[] { name });
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java
new file mode 100644
index 000000000..50e57bdc1
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Signer.java
@@ -0,0 +1,121 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ * 
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ * 
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ ******************************************************************************/
+/**
+ * Copyright 2010 Google Inc.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * 
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ * 
+ */
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.Signature;
+import java.security.SignatureException;
+
+import net.oauth.jsontoken.crypto.AbstractSigner;
+import net.oauth.jsontoken.crypto.RsaSHA256Signer;
+import net.oauth.jsontoken.crypto.SignatureAlgorithm;
+
+/**
+ * Signer that can sign byte arrays using a {@link PrivateKey} and SHA-256. <br/>
+ * This is something like a copy of the {@link RsaSHA256Signer}.
+ * 
+ */
+public class OAuth20SHA256Signer extends AbstractSigner implements OAuthSigner {
+	
+	private final Signature signature;
+	private final PrivateKey signingKey;
+	private final OAuthSignatureAlgorithm algorithm;
+	
+	/**
+	 * Public constructor.
+	 * 
+	 * @param issuer
+	 *            The id of this signer, to be included in the JSON Token's envelope.
+	 * @param keyId
+	 *            The id of the key used by this signer, to be included in the JSON Token's
+	 *            envelope.
+	 * @param key
+	 *            the private key to be used for signing.
+	 * @throws InvalidKeyException
+	 *             if the key is unsuitable for RSA signing.
+	 */
+	public OAuth20SHA256Signer(final String issuer, final String keyId, final PrivateKey key) throws InvalidKeyException {
+		super(issuer, keyId);
+		
+		this.signingKey = key;
+		this.algorithm = OAuth20SignatureUtil.findSignature(key);
+		
+		try {
+			this.signature = this.algorithm.getSignatureInstance();
+			this.signature.initSign(signingKey);
+		}
+		catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+		catch (NoSuchProviderException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see net.oauth.jsontoken.crypto.Signer#getSignatureAlgorithm()
+	 */
+	public SignatureAlgorithm getSignatureAlgorithm() {
+		// it is fine to return RS256 because we overwrite the JsonToken for the algorithm name. But
+		// we need the internal SHA256 which is used.
+		return SignatureAlgorithm.RS256;
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see net.oauth.jsontoken.crypto.Signer#sign(byte[])
+	 */
+	public byte[] sign(byte[] source) throws SignatureException {
+		try {
+			signature.initSign(signingKey);
+		}
+		catch (InvalidKeyException e) {
+			throw new RuntimeException("key somehow became invalid since calling the constructor");
+		}
+		signature.update(source);
+		return signature.sign();
+	}
+	
+	public OAuthSignatureAlgorithm getOAuthSignatureAlgorithm() {
+		return this.algorithm;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java
new file mode 100644
index 000000000..374320a5a
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SHA256Verifier.java
@@ -0,0 +1,84 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+
+import net.oauth.jsontoken.crypto.RsaSHA256Verifier;
+import net.oauth.jsontoken.crypto.Verifier;
+
+/**
+ * A verifier that can verify signatures on byte arrays using a {@link PublicKey} and SHA-256. <br/>
+ * This is something like a copy of the {@link RsaSHA256Verifier}.
+ */
+public class OAuth20SHA256Verifier implements Verifier {
+	
+	private final PublicKey verificationKey;
+	private final Signature signer;
+	
+	/**
+	 * Public Constructor.
+	 * 
+	 * @param verificationKey
+	 *            the key used to verify the signature.
+	 */
+	public OAuth20SHA256Verifier(final PublicKey verificationKey) {
+		this.verificationKey = verificationKey;
+		
+		try {
+			this.signer = OAuth20SignatureUtil.findSignature(verificationKey).getSignatureInstance();
+			this.signer.initVerify(verificationKey);
+		}
+		catch (InvalidKeyException e) {
+			throw new IllegalStateException("key is invalid", e);
+		}
+		catch (NoSuchAlgorithmException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+		catch (NoSuchProviderException e) {
+			throw new IllegalStateException("Cannot get algorithm for the given private key", e);
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see net.oauth.jsontoken.crypto.Verifier#verifySignature(byte[], byte[])
+	 */
+	public void verifySignature(byte[] source, byte[] signature) throws SignatureException {
+		try {
+			signer.initVerify(verificationKey);
+		}
+		catch (InvalidKeyException e) {
+			throw new RuntimeException("key someone become invalid since calling the constructor");
+		}
+		signer.update(source);
+		if (!signer.verify(signature)) {
+			throw new SignatureException("signature did not verify");
+		}
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java
new file mode 100644
index 000000000..9f20ee956
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuth20SignatureUtil.java
@@ -0,0 +1,116 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+
+import org.apache.commons.lang.StringUtils;
+import org.opensaml.xml.security.x509.BasicX509Credential;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Configuration;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20CertificateErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+public final class OAuth20SignatureUtil {
+	
+	private OAuth20SignatureUtil() {
+		throw new InstantiationError();
+	}
+	
+	static OAuthSignatureAlgorithm findSignature(final PrivateKey key) {
+		Logger.debug("OAuth - Looking for signature for key " + key.getClass());
+		if (key instanceof RSAPrivateKey) {
+			Logger.debug("OAuth - going to uses SHA256withRSA signature");
+			return OAuthSignatureAlgorithm.RS256;
+		} else if (key instanceof ECPrivateKey) {
+			Logger.debug("OAuth - going to uses SHA256withECDSA signature");
+			return OAuthSignatureAlgorithm.ECDSA256;
+		} else if (key instanceof iaik.security.ecc.ecdsa.ECPrivateKey) {
+			Logger.debug("OAuth - going to uses SHA256withECDSA signature with iaik");
+			return OAuthSignatureAlgorithm.ECDSA256_IAKIK;
+		} else {
+			throw new IllegalStateException("Cannot find an alorithm for the given private key");
+		}
+	}
+	
+	static OAuthSignatureAlgorithm findSignature(final PublicKey key) {
+		if (key instanceof RSAPublicKey) {
+			Logger.debug("OAuth - going to uses SHA256withRSA signature");
+			return OAuthSignatureAlgorithm.RS256;
+		} else if (key instanceof ECPublicKey) {
+			Logger.debug("OAuth - going to uses SHA256withECDSA signature");
+			return OAuthSignatureAlgorithm.ECDSA256;
+		} else if (key instanceof iaik.security.ecc.ecdsa.ECPublicKey) {
+			Logger.debug("OAuth - going to uses SHA256withECDSA signature with iaik");
+			return OAuthSignatureAlgorithm.ECDSA256_IAKIK;
+		} else {
+			throw new IllegalStateException("Cannot find an alorithm for the given private key");
+		}
+	}
+	
+	public static OAuthSigner loadSigner(String issuer) throws OAuth20Exception {
+		OAuth20Configuration globalConfig = OAuth20Configuration.getInstance();
+		
+		if (StringUtils.isEmpty(globalConfig.getJWTKeyStore())) {
+			throw new OAuth20CertificateErrorException("keystore");
+		}
+		
+		if (StringUtils.isEmpty(globalConfig.getJWTKeyName())) {
+			throw new OAuth20CertificateErrorException("key name");
+		}
+		
+		try {
+			KeyStore ks = KeyStoreUtils.loadKeyStore(globalConfig.getJWTKeyStore(), globalConfig.getJWTKeyStorePassword());
+			
+			X509Certificate certificate = (X509Certificate) ks.getCertificate(globalConfig.getJWTKeyName());
+			
+			PrivateKey privateKey = (PrivateKey) ks.getKey(globalConfig.getJWTKeyName(), globalConfig.getJWTKeyPassword()
+					.toCharArray());
+			BasicX509Credential credential = new BasicX509Credential();
+			credential.setEntityCertificate(certificate);
+			credential.setPrivateKey(privateKey);
+			
+			// Logger.debug("Going to use X509Certificate:");
+			// Logger.debug(certificate);
+			// Logger.debug("Going to use private key:");
+			// Logger.debug(privateKey);
+			
+			return new OAuth20SHA256Signer(issuer, globalConfig.getJWTKeyName(), credential.getPrivateKey());
+			
+		}
+		catch (Exception e) {
+			Logger.error(e.getMessage(), e);
+			throw new OAuth20CertificateErrorException("keystore");
+		}
+		
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java
new file mode 100644
index 000000000..af17825fd
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthJsonToken.java
@@ -0,0 +1,49 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import net.oauth.jsontoken.JsonToken;
+
+import com.google.gson.JsonObject;
+
+public class OAuthJsonToken extends JsonToken {
+	
+	private final OAuthSigner signer;
+	
+	public OAuthJsonToken(OAuthSigner signer) {
+		super(signer);
+		this.signer = signer;
+	}
+	
+	@Override
+	public JsonObject getHeader() {
+		JsonObject header = new JsonObject();
+		header.addProperty(ALGORITHM_HEADER, signer.getOAuthSignatureAlgorithm().getAlgorithm());
+		String keyId = getKeyId();
+		if (keyId != null) {
+			header.addProperty(KEY_ID_HEADER, keyId);
+		}
+		return header;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
new file mode 100644
index 000000000..db15516e7
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSignatureAlgorithm.java
@@ -0,0 +1,63 @@
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Signature;
+
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * Enum of the signature algorithms supported by this package.
+ */
+public enum OAuthSignatureAlgorithm {
+	ECDSA256("SHA256withECDSA", "ECDSA256", null), RS256("SHA256withRSA", "RS256", null), ECDSA256_IAKIK("SHA1withECDSA", "ECDSA256",
+			"IAIK_ECC");
+	
+	private final String signatureName;
+	private final String algorithm;
+	private final String providerName;
+	
+	private OAuthSignatureAlgorithm(final String signatureName, final String hashAlg, final String providerName) {
+		this.signatureName = signatureName;
+		this.algorithm = hashAlg;
+		this.providerName = providerName;
+	}
+	
+	/**
+	 * What the signature algorithm is named in the "alg" parameter in a JSON Token's envelope.
+	 */
+	public String getAlgorithm() {
+		return this.algorithm;
+	}
+	
+	/**
+	 * 
+	 * @return the signature name like SHA256withECDSA or SHA256withRSA
+	 */
+	public String getSignatureName() {
+		return this.signatureName;
+	}
+	
+	/**
+	 * Calls {@link Signature#getInstance(String)} with the defined signature name
+	 * 
+	 * @return
+	 * @throws NoSuchAlgorithmException
+	 * @throws NoSuchProviderException
+	 */
+	public Signature getSignatureInstance() throws NoSuchAlgorithmException, NoSuchProviderException {
+		if (!StringUtils.isEmpty(this.providerName)) {
+			//return Signature.getInstance(this.signatureName, this.providerName);
+			return Signature.getInstance(this.signatureName, this.providerName);
+		} else {
+			return Signature.getInstance(this.signatureName);
+		}
+	}
+	
+	/**
+	 * Given the name of the algorithm in the envelope, returns the corresponding enum instance.
+	 */
+	public static OAuthSignatureAlgorithm getFromJsonName(String name) {
+		return OAuthSignatureAlgorithm.valueOf(name);
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java
new file mode 100644
index 000000000..3904f8cef
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/json/OAuthSigner.java
@@ -0,0 +1,29 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.json;
+
+import net.oauth.jsontoken.crypto.Signer;
+
+public interface OAuthSigner extends Signer {
+	public abstract OAuthSignatureAlgorithm getOAuthSignatureAlgorithm();
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
new file mode 100644
index 000000000..d90df51e7
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java
@@ -0,0 +1,213 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.security.SignatureException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.UUID;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.SLOInformationImpl;
+import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.moduls.IAction;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
+import at.gv.egovernment.moa.id.protocols.oauth20.Pair;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SignatureUtil;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthJsonToken;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuthSigner;
+import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.id.util.Random;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+class OAuth20AuthAction implements IAction {
+	
+	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
+			IAuthData authData) throws MOAIDException {
+		
+		OAuth20AuthRequest oAuthRequest = (OAuth20AuthRequest) req;		
+		String responseType = oAuthRequest.getResponseType();
+		
+		MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_AUTHREQUEST);
+		
+		String code = Random.nextRandom();		
+				
+		try {
+			
+			String accessToken = UUID.randomUUID().toString();
+			
+			Logger.debug("Stored session with id: " + code);
+			OAuth20SessionObject o = new OAuth20SessionObject();
+			if (responseType.equals(OAuth20Constants.RESPONSE_CODE)) {
+				o.setScope(oAuthRequest.getScope());
+				o.setCode(code);
+				
+				//generate idToken from MOASession
+				Map<String, Object> idToken = generateIDToken(o, oAuthRequest, authData, accessToken);
+				o.setAuthDataSession(idToken);
+				
+			} else if (responseType.equals(OAuth20Constants.RESPONSE_TOKEN)) {
+				throw new OAuth20ResponseTypeException();
+			}
+			
+			// store data in oath session			
+			AssertionStorage.getInstance().put(code, o);
+			
+			Logger.debug("Saved OAuth20SessionObject in session with id: " + code);
+			
+			// add code and state to redirect url
+			httpResp.setStatus(HttpServletResponse.SC_FOUND);
+			String redirectURI = oAuthRequest.getRedirectUri();
+			String state = oAuthRequest.getState();
+			
+			redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.RESPONSE_CODE, code);
+			redirectURI = this.addURLParameter(redirectURI, OAuth20Constants.PARAM_STATE, state);
+			
+			String finalUrl = redirectURI;
+			httpResp.addHeader("Location", finalUrl);
+			Logger.debug("REDIRECT TO: " + finalUrl.toString());
+			
+			
+			//TODO: maybe add bPK / wbPK to SLO information
+			SLOInformationInterface sloInformation = new SLOInformationImpl(accessToken, null, null, req.requestedModule());
+			
+			return sloInformation;
+		}
+		catch (Exception e) {
+
+			//remove OAuthSessionObject if it already exists
+			if (AssertionStorage.getInstance().containsKey(code)) {
+				AssertionStorage.getInstance().remove(code);
+			}
+			
+			if (e instanceof OAuth20Exception) {
+				throw (OAuth20Exception) e;
+			}
+			throw new OAuth20ServerErrorException();
+		}
+		
+	}
+	
+	private Map<String, Object> generateIDToken(OAuth20SessionObject auth20SessionObject, 
+			OAuth20AuthRequest oAuthRequest, IAuthData authData, String accessToken) throws SignatureException, MOAIDException {
+		
+		// create response
+		Map<String, Object> params = new HashMap<String, Object>();
+		params.put(OAuth20Constants.RESPONSE_ACCESS_TOKEN, accessToken);
+		params.put(OAuth20Constants.RESPONSE_TOKEN_TYPE, OAuth20Constants.RESPONSE_TOKEN_TYPE_VALUE_BEARER);
+		params.put(OAuth20Constants.RESPONSE_EXPIRES_IN, OpenIdExpirationTimeAttribute.expirationTime);		
+		// build id token and scope
+		Pair<String, String> pair = buildIdToken(auth20SessionObject.getScope(), oAuthRequest,
+				authData);
+		Logger.debug("RESPONSE ID_TOKEN: " + pair.getFirst());
+		params.put(OAuth20Constants.RESPONSE_ID_TOKEN, pair.getFirst());
+		Logger.debug("RESPONSE SCOPE: " + pair.getSecond());
+		params.put(OAuth20Constants.PARAM_SCOPE, pair.getSecond());
+		
+		return params;
+		
+	}
+	
+	private Pair<String, String> buildIdToken(String scope, OAuth20AuthRequest oAuthRequest, IAuthData authData)
+			throws MOAIDException, SignatureException {
+		OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oAuthRequest.getOAURL());
+		
+		OAuthSigner signer = OAuth20SignatureUtil.loadSigner(authData.getIssuer());
+		OAuthJsonToken token = new OAuthJsonToken(signer);
+		
+		StringBuilder resultScopes = new StringBuilder();
+		// always fill with open id
+		OAuth20AttributeBuilder.addScopeOpenId(token.getPayloadAsJsonObject(), oaParam, authData, oAuthRequest);
+		resultScopes.append("openId");
+		
+		for (String s : scope.split(" ")) {
+			if (s.equalsIgnoreCase("profile")) {
+				OAuth20AttributeBuilder.addScopeProfile(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" profile");
+			} else if (s.equalsIgnoreCase("eID")) {
+				OAuth20AttributeBuilder.addScopeEID(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" eID");
+			} else if (s.equalsIgnoreCase("eID_gov")) {
+				OAuth20AttributeBuilder.addScopeEIDGov(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" eID_gov");
+			} else if (s.equalsIgnoreCase("mandate")) {
+				OAuth20AttributeBuilder.addScopeMandate(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" mandate");
+			} else if (s.equalsIgnoreCase("stork")) {
+				OAuth20AttributeBuilder.addScopeSTORK(token.getPayloadAsJsonObject(), oaParam, authData);
+				resultScopes.append(" stork");
+			}
+		}
+		
+		// add properties and sign
+		// HmacSHA256Signer signer = new HmacSHA256Signer("testSigner", "key_id",
+		// "super_secure_pwd".getBytes());
+		// Signer signer = OAuth20Util.loadSigner(authData.getIssuer(), oaParam.getoAuth20Config());
+		
+		return Pair.newInstance(token.serializeAndSign(), resultScopes.toString());
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls
+	 * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) {
+		return true;
+	}
+	
+	private String addURLParameter(String url, String name, String value) {
+		String param = name + "=" + value;
+		if (url.indexOf("?") < 0) {
+			return url + "?" + param;
+		} else {
+			return url + "&" + param;
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName()
+	 */
+	public String getDefaultActionName() {
+		return OAuth20Protocol.AUTH_ACTION;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
new file mode 100644
index 000000000..06509b333
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java
@@ -0,0 +1,234 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ResponseTypeException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.IAttributeBuilder;
+import at.gv.egovernment.moa.logging.Logger;
+
+public class OAuth20AuthRequest extends OAuth20BaseRequest {
+	
+	private static final long serialVersionUID = 1L;
+	
+	private String responseType;
+	private String state;
+	private String redirectUri;
+	private String scope;
+	private String clientID;
+	private String nonce;
+	
+	/**
+	 * @return the responseType
+	 */
+	public String getResponseType() {
+		return responseType;
+	}
+	
+	/**
+	 * @param responseType
+	 *            the responseType to set
+	 */
+	public void setResponseType(String responseType) {
+		this.responseType = responseType;
+	}
+	
+	/**
+	 * @return the state
+	 */
+	public String getState() {
+		return state;
+	}
+	
+	/**
+	 * @param state
+	 *            the state to set
+	 */
+	public void setState(String state) {
+		this.state = state;
+	}
+	
+	/**
+	 * @return the redirectUri
+	 */
+	public String getRedirectUri() {
+		return redirectUri;
+	}
+	
+	/**
+	 * @param redirectUri
+	 *            the redirectUri to set
+	 */
+	public void setRedirectUri(String redirectUri) {
+		this.redirectUri = redirectUri;
+	}
+	
+	/**
+	 * @return the scope
+	 */
+	public String getScope() {
+		return scope;
+	}
+	
+	/**
+	 * @param scope
+	 *            the scope to set
+	 */
+	public void setScope(String scope) {
+		this.scope = scope;
+	}
+	
+	/**
+	 * @return the clientID
+	 */
+	public String getClientID() {
+		return clientID;
+	}
+	
+	/**
+	 * @param clientID
+	 *            the clientID to set
+	 */
+	public void setClientID(String clientID) {
+		this.clientID = clientID;
+	}
+	
+	
+	
+	/**
+	 * @return the nonce
+	 */
+	public String getNonce() {
+		return nonce;
+	}
+
+	/**
+	 * @param nonce the nonce to set
+	 */
+	public void setNonce(String nonce) {
+		this.nonce = nonce;
+	}
+
+	@Override
+	protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception {
+		this.setResponseType(this.getParam(request, OAuth20Constants.PARAM_RESPONSE_TYPE, true));
+		this.setState(this.getParam(request, OAuth20Constants.PARAM_STATE, true));
+		this.setRedirectUri(this.getParam(request, OAuth20Constants.PARAM_REDIRECT_URI, true));
+		this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
+		this.setScope(this.getParam(request, OAuth20Constants.PARAM_SCOPE, false));
+		this.setNonce(this.getParam(request, OAuth20Constants.PARAM_NONCE, false));
+		
+		// check for response type
+		if (!this.responseType.equals(OAuth20Constants.RESPONSE_CODE)) {
+			throw new OAuth20ResponseTypeException();
+		}
+		
+		// check state for invalid characters (like < > & ; ... javascript ... to prevent xss)
+		if (!OAuth20Util.isValidStateValue(this.getState())) {
+			throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_STATE);
+		}
+		
+		// check if client id and redirect uri are ok
+		try {
+			// OAOAUTH20 cannot be null at this point. check was done in base request
+			OAAuthParameter oAuthConfig = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL());
+			
+			
+			if (!this.getClientID().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
+					|| !this.getRedirectUri().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
+				throw new OAuth20AccessDeniedException();
+			}
+			
+			this.setOnlineApplicationConfiguration(oAuthConfig);
+			Logger.info("Dispatch OpenIDConnect AuthRequest: ClientID=" + this.clientID);
+			
+			
+		} catch (ConfigurationException e) {
+			throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+		}
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
+	 */
+	@Override
+	public List<Attribute> getRequestedAttributes() {
+		Map<String, String> reqAttr = new HashMap<String, String>();
+		for (String el : PVP2XProtocol.DEFAULTREQUESTEDATTRFORINTERFEDERATION)
+			reqAttr.put(el, "");
+						
+		try {
+			OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(getOAURL());
+			
+			for (String s : scope.split(" ")) {
+				if (s.equalsIgnoreCase("profile")) {
+					for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersprofile())
+						reqAttr.put(el.getName(), "");
+
+				} else if (s.equalsIgnoreCase("eID")) {
+					for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseid())
+						reqAttr.put(el.getName(), "");
+					
+				} else if (s.equalsIgnoreCase("eID_gov")) {
+					for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuilderseidgov())
+						reqAttr.put(el.getName(), "");
+					
+				} else if (s.equalsIgnoreCase("mandate")) {
+					for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersmandate())
+						reqAttr.put(el.getName(), "");
+					
+				} else if (s.equalsIgnoreCase("stork")) {
+					for (IAttributeBuilder el :OAuth20AttributeBuilder.getBuildersstork())
+						reqAttr.put(el.getName(), "");
+					
+				}
+			}
+			
+			return AttributQueryBuilder.buildSAML2AttributeList(oa, reqAttr.keySet().iterator());
+			
+		} catch (ConfigurationException e) {
+			Logger.error("Load configuration for OA " + getOAURL() + " FAILED", e);
+			return null;
+		}
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
new file mode 100644
index 000000000..bd3fdb3e8
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java
@@ -0,0 +1,144 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.lang.StringEscapeUtils;
+import org.apache.commons.lang.StringUtils;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.moduls.RequestImpl;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidRequestException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20OANotSupportedException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+import at.gv.egovernment.moa.logging.Logger;
+
+abstract class OAuth20BaseRequest extends RequestImpl {
+	
+	private static final long serialVersionUID = 1L;
+	
+	protected Set<String> allowedParameters = new HashSet<String>();
+	
+	protected OAuth20BaseRequest() {
+		
+	}
+	
+	protected String getParam(final HttpServletRequest request, final String name, final boolean isNeeded) throws OAuth20Exception {
+		String param = request.getParameter(name);
+		Logger.debug("Reading param " + name + " from HttpServletRequest with value " + param);
+		
+		if (isNeeded && StringUtils.isEmpty(param)) {
+			throw new OAuth20WrongParameterException(name);
+		}
+		
+		this.allowedParameters.add(name);
+		
+		return param;
+	}
+	
+	protected void populateParameters(final HttpServletRequest request) throws OAuth20Exception {
+		
+		// moa id - load oa with client id!
+		try {
+			String oaURL = StringEscapeUtils.escapeHtml(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
+			if (!ParamValidatorUtils.isValidOA(oaURL)) {
+				throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+			}
+			this.setOAURL(oaURL);
+			OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL);
+			
+			if (oaParam == null) {
+				throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+			}
+			this.setTarget(oaParam.getTarget());
+			
+			if (StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET)) 
+					|| StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))
+					|| StringUtils.isEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_REDIRECTURL))) {
+				throw new OAuth20OANotSupportedException();
+			}
+		}
+		catch (ConfigurationException e) {
+			throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+		}
+		
+		// oAuth
+		this.populateSpecialParameters(request);
+		
+		// cleanup parameters
+		this.checkAllowedParameters(request);
+	}
+	
+	private void checkAllowedParameters(final HttpServletRequest request) {
+		Logger.debug("Going to check for allowed parameters");
+		this.allowedParameters.add(OAuth20Constants.PARAM_MOA_ACTION);
+		this.allowedParameters.add(OAuth20Constants.PARAM_MOA_MOD);
+		
+		@SuppressWarnings("rawtypes")
+		Iterator iter = request.getParameterMap().keySet().iterator();
+		while (iter.hasNext()) {
+			String name = (String) iter.next();
+			if (!this.allowedParameters.contains(name)) {
+				
+				Logger.debug("Found wrong parameter: " + name);
+				throw new OAuth20WrongParameterException(name);
+			}
+		}
+		
+	}
+	
+	protected abstract void populateSpecialParameters(final HttpServletRequest request) throws OAuth20Exception;
+	
+	public static OAuth20BaseRequest newInstance(final String action, final HttpServletRequest request, String sessionId, String transactionId) throws OAuth20Exception {
+		OAuth20BaseRequest res;
+		
+		if (action.equals(OAuth20Protocol.AUTH_ACTION)) {
+			res = new OAuth20AuthRequest();
+			
+		} else if (action.equals(OAuth20Protocol.TOKEN_ACTION)) {
+			res = new OAuth20TokenRequest();
+			
+		} else {
+			throw new OAuth20InvalidRequestException();
+		}
+		
+		res.setAction(action);
+		res.setModule(OAuth20Protocol.NAME);
+		
+		res.populateParameters(request);
+		return res;
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
new file mode 100644
index 000000000..56d86df72
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java
@@ -0,0 +1,215 @@
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.net.URLEncoder;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang.StringUtils;
+
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.moduls.IAction;
+import at.gv.egovernment.moa.id.moduls.IModulInfo;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.util.ErrorResponseUtils;
+import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.util.MiscUtil;
+
+import com.google.gson.JsonObject;
+
+import java.util.Arrays;
+
+public class OAuth20Protocol implements IModulInfo {
+	
+	public static final String NAME = OAuth20Protocol.class.getName();
+	public static final String PATH = "id_oauth20";
+	
+	public static final String AUTH_ACTION = "AUTH";
+	public static final String TOKEN_ACTION = "TOKEN";
+	
+	public static final List<String> DEFAULTREQUESTEDATTRFORINTERFEDERATION = Arrays.asList(
+			new String[] {
+					PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME,
+					PVPConstants.BPK_NAME
+			});
+	
+	private static HashMap<String, IAction> actions = new HashMap<String, IAction>();
+	
+	static {
+		actions.put(AUTH_ACTION, new OAuth20AuthAction());
+		actions.put(TOKEN_ACTION, new OAuth20TokenAction());
+	}
+	
+	public String getName() {
+		return NAME;
+	}
+	
+	public String getPath() {
+		return PATH;
+	}
+	
+	public IAction getAction(String action) {
+		return actions.get(action);
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IModulInfo#preProcess(javax.servlet.http.HttpServletRequest,
+	 * javax.servlet.http.HttpServletResponse, java.lang.String)
+	 */
+	public IRequest preProcess(HttpServletRequest request, HttpServletResponse resp, String action,
+			String sessionId, String transactionId) throws MOAIDException {
+		// validation is done inside creation
+		OAuth20BaseRequest res = OAuth20BaseRequest.newInstance(action, request, sessionId, transactionId);
+		Logger.debug("Created: " + res);
+		return res;
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IModulInfo#canHandleRequest(javax.servlet.http.HttpServletRequest
+	 * , javax.servlet.http.HttpServletResponse)
+	 */
+	public IAction canHandleRequest(HttpServletRequest request, HttpServletResponse response) {
+		if (!StringUtils.isEmpty(request.getParameter("action"))) {
+			if (request.getParameter("action").equals(AUTH_ACTION)) {
+				return getAction(AUTH_ACTION);
+			} else if (request.getParameter("action").equals(TOKEN_ACTION)) {
+				return getAction(TOKEN_ACTION);
+			}
+		}
+		
+		return null;// getAction(AUTH_ACTION);
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.IModulInfo#generateErrorMessage(java.lang.Throwable,
+	 * javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse,
+	 * at.gv.egovernment.moa.id.moduls.IRequest)
+	 */
+	public boolean generateErrorMessage(Throwable e, HttpServletRequest request, HttpServletResponse response, IRequest protocolRequest)
+			throws Throwable {
+				
+		// get error code and description
+		String errorCode;
+		String errorDescription;
+		String errorUri = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() 
+				+"/" + OAuth20Constants.ERRORPAGE;
+		String moaError = null;
+		
+		ErrorResponseUtils errorUtils = ErrorResponseUtils.getInstance();
+		
+		if (e instanceof OAuth20Exception) {
+			errorCode = ((OAuth20Exception) e).getErrorCode();
+			errorDescription = URLEncoder.encode(((OAuth20Exception) e).getMessageId() + ": " + e.getMessage(), "UTF-8");
+			moaError = errorUtils.mapInternalErrorToExternalError(((OAuth20Exception) e).getMessageId());
+			
+		} else {
+			errorCode = OAuth20Constants.ERROR_SERVER_ERROR;
+			errorDescription = URLEncoder.encode(e.getMessage(), "UTF-8");
+			moaError = errorUtils.getResponseErrorCode(e);
+		}
+				
+		String paramRedirect = null;
+		String state = null;
+		boolean isAuthRequest = false;
+		if (protocolRequest != null) {
+			if (protocolRequest instanceof OAuth20AuthRequest) {
+				isAuthRequest = true;
+				
+				paramRedirect = ((OAuth20AuthRequest) protocolRequest).getRedirectUri();
+				state = ((OAuth20AuthRequest) protocolRequest).getState();
+			} else {
+				isAuthRequest = false;
+			}
+		} else {
+			String action = request.getParameter("action");
+			if (MiscUtil.isNotEmpty(action)) {
+				if (action.equals(AUTH_ACTION)) {
+					
+					paramRedirect = request.getParameter(OAuth20Constants.PARAM_REDIRECT_URI);
+					state = request.getParameter(OAuth20Constants.PARAM_STATE);
+					isAuthRequest = true;
+				}
+			} else {
+				throw new MOAIDException("oauth20.01", new Object[] {});
+			}
+		}
+		
+		// if (action.equals(AUTH_ACTION)) {
+		if (isAuthRequest) {
+			Logger.debug("Going to throw O OAuth20Exception for auth request");
+			
+			StringBuilder url = new StringBuilder();
+			
+			// check if given redirect url is ok
+			if (StringUtils.isNotEmpty(paramRedirect) && OAuth20Util.isUrl(paramRedirect)) {
+				url.append(paramRedirect);
+				
+				// otherwise throw an
+			} else {
+				throw new MOAIDException("oauth20.01", new Object[] {});
+			}
+			
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR, errorCode);
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+			if (MiscUtil.isNotEmpty(moaError))
+				OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError);
+			OAuth20Util.addParameterToURL(url, OAuth20Constants.PARAM_STATE, state);
+			
+			response.setContentType("text/html");
+			response.setStatus(HttpServletResponse.SC_FOUND);
+			response.addHeader("Location", url.toString());
+			Logger.debug("REDIRECT TO: " + url.toString());
+			return true;
+			
+		} else {
+			Logger.debug("Going to throw O OAuth20Exception for token request");
+			
+			Map<String, Object> params = new HashMap<String, Object>();
+			params.put(OAuth20Constants.PARAM_ERROR, errorCode);
+			params.put(OAuth20Constants.PARAM_ERROR_DESCRIPTION, errorDescription);
+			params.put(OAuth20Constants.PARAM_ERROR_URI, errorUri + "#" + moaError);
+			
+			// create response
+			JsonObject jsonObject = new JsonObject();
+			OAuth20Util.addProperytiesToJsonObject(jsonObject, params);
+			String jsonResponse = jsonObject.toString();
+			Logger.debug("JSON Response: " + jsonResponse);
+			
+			// write respone to http response
+			response.setContentType("application/json");
+			response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
+			response.getOutputStream().print(jsonResponse);
+			response.getOutputStream().close();
+			
+			return true;
+		}
+		
+		// return false;
+		
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IModulInfo#validate(javax.servlet.http.HttpServletRequest,
+	 * javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.moduls.IRequest)
+	 */
+	public boolean validate(HttpServletRequest request, HttpServletResponse response, IRequest pending) {
+		// we validate in the preProcess
+		return true;
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
new file mode 100644
index 000000000..2238a25e1
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java
@@ -0,0 +1,124 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
+import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
+import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
+import at.gv.egovernment.moa.id.data.IAuthData;
+import at.gv.egovernment.moa.id.data.SLOInformationInterface;
+import at.gv.egovernment.moa.id.moduls.IAction;
+import at.gv.egovernment.moa.id.moduls.IRequest;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20UnauthorizedClientException;
+import at.gv.egovernment.moa.id.storage.AssertionStorage;
+import at.gv.egovernment.moa.logging.Logger;
+
+import com.google.gson.JsonObject;
+
+class OAuth20TokenAction implements IAction {
+	
+	public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp,
+			IAuthData authData) throws MOAIDException {
+		
+		
+		OAuth20SessionObject auth20SessionObject = null;
+		try {
+			OAuth20TokenRequest oAuthRequest = (OAuth20TokenRequest) req;
+		
+			MOAReversionLogger.getInstance().logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_OPENIDCONNECT_TOKENREQUEST);
+			
+			try {
+				Logger.debug("Loaded OAuth20SessionObject from session: " + oAuthRequest.getCode());
+				
+				auth20SessionObject = 
+						AssertionStorage.getInstance().get(oAuthRequest.getCode(), OAuth20SessionObject.class);
+			
+			} catch (MOADatabaseException e) {
+				throw new OAuth20UnauthorizedClientException();
+				
+			}
+
+			// do checking for different grant types and code
+			if (auth20SessionObject == null || !auth20SessionObject.getCode().equals(oAuthRequest.getCode())) {
+				throw new OAuth20UnauthorizedClientException();
+			} else {
+				Logger.debug("Loaded of OAuth20SessionObject was successful");
+			}
+			
+			// create response
+			JsonObject jsonObject = new JsonObject();
+			OAuth20Util.addProperytiesToJsonObject(jsonObject, auth20SessionObject.getAuthDataSession());
+			String jsonResponse = jsonObject.toString();
+			Logger.debug("JSON Response: " + jsonResponse);
+			
+			// write respone to http response
+			httpResp.setContentType("application/json");
+			httpResp.setStatus(HttpServletResponse.SC_OK);
+			httpResp.getOutputStream().print(jsonResponse);
+			httpResp.getOutputStream().close();
+			
+			return null;
+		}
+		catch (Exception e) {
+			Logger.error(e.getMessage(), e);
+			throw new OAuth20ServerErrorException();
+		}
+		
+		finally {
+			if (auth20SessionObject != null) {
+				// destroy session for clean up
+
+				Logger.debug("Going to destroy session: " + auth20SessionObject.getCode());
+				AssertionStorage.getInstance().remove(auth20SessionObject.getCode());
+
+			}
+		}
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see
+	 * at.gv.egovernment.moa.id.moduls.IAction#needAuthentication(at.gv.egovernment.moa.id.moduls
+	 * .IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
+	 */
+	public boolean needAuthentication(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp) {
+		return false;
+	}
+	
+	/*
+	 * (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName()
+	 */
+	public String getDefaultActionName() {
+		return OAuth20Protocol.TOKEN_ACTION;
+	}
+		
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
new file mode 100644
index 000000000..6bebe5a6a
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java
@@ -0,0 +1,157 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package at.gv.egovernment.moa.id.protocols.oauth20.protocol;
+
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.opensaml.saml2.core.Attribute;
+
+import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
+import at.gv.egovernment.moa.id.config.ConfigurationException;
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20InvalidGrantException;
+import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20WrongParameterException;
+import at.gv.egovernment.moa.logging.Logger;
+
+class OAuth20TokenRequest extends OAuth20BaseRequest {
+	
+	private static final long serialVersionUID = 1L;
+	
+	private String code;
+	private String grantType;
+	private String clientID;
+	private String clientSecret;
+	
+	/**
+	 * @return the code
+	 */
+	public String getCode() {
+		return code;
+	}
+	
+	/**
+	 * @param code
+	 *            the code to set
+	 */
+	public void setCode(String code) {
+		this.code = code;
+	}
+	
+	/**
+	 * @return the grantType
+	 */
+	public String getGrantType() {
+		return grantType;
+	}
+	
+	/**
+	 * @param grantType
+	 *            the grantType to set
+	 */
+	public void setGrantType(String grantType) {
+		this.grantType = grantType;
+	}
+	
+	/**
+	 * @return the clientID
+	 */
+	public String getClientID() {
+		return clientID;
+	}
+	
+	/**
+	 * @param clientID
+	 *            the clientID to set
+	 */
+	public void setClientID(String clientID) {
+		this.clientID = clientID;
+	}
+	
+	/**
+	 * @return the clientSecret
+	 */
+	public String getClientSecret() {
+		return clientSecret;
+	}
+	
+	/**
+	 * @param clientSecret
+	 *            the clientSecret to set
+	 */
+	public void setClientSecret(String clientSecret) {
+		this.clientSecret = clientSecret;
+	}
+	
+	@Override
+	protected void populateSpecialParameters(HttpServletRequest request) throws OAuth20Exception {
+		this.setCode(this.getParam(request, OAuth20Constants.RESPONSE_CODE, true));
+		this.setGrantType(this.getParam(request, OAuth20Constants.PARAM_GRANT_TYPE, true));
+		this.setClientID(this.getParam(request, OAuth20Constants.PARAM_CLIENT_ID, true));
+		this.setClientSecret(this.getParam(request, OAuth20Constants.PARAM_CLIENT_SECRET, true));
+		
+		// check for grant type
+		if (!this.getGrantType().equals(OAuth20Constants.PARAM_GRANT_TYPE_VALUE_AUTHORIZATION_CODE)) {
+			throw new OAuth20InvalidGrantException();
+		}
+		
+		// check if client id and secret are ok
+		try {
+			// OAOAUTH20 cannot be null at this point. check was done in base request
+			OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL());
+			
+			if (!this.getClientID().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))) {
+				throw new OAuth20AccessDeniedException();
+			}
+			
+			if (!this.getClientSecret().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTSECRET))) {
+				throw new OAuth20AccessDeniedException();
+			}
+			
+			this.setOnlineApplicationConfiguration(oaParam);
+			
+		}
+		catch (ConfigurationException e) {
+			throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID);
+		}
+		
+		Logger.info("Dispatch OpenIDConnect TokenRequest: ClientID=" + this.clientID);
+		
+		//add valid parameters
+		this.allowedParameters.add(OAuth20Constants.PARAM_SCOPE);
+		this.allowedParameters.add(OAuth20Constants.PARAM_REDIRECT_URI);
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.moduls.RequestImpl#getRequestedAttributes()
+	 */
+	@Override
+	public List<Attribute> getRequestedAttributes() {
+		return null;
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.moduls.IModulInfo b/id/server/modules/moa-id-module-openID/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.moduls.IModulInfo
new file mode 100644
index 000000000..b653c91c3
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/main/resources/META-INF/services/at.gv.egovernment.moa.id.moduls.IModulInfo
@@ -0,0 +1 @@
+at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20Protocol
\ No newline at end of file
diff --git a/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java
new file mode 100644
index 000000000..6cf1e8280
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/CertTest.java
@@ -0,0 +1,131 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package test.at.gv.egovernment.moa.id.auth.oauth;
+
+import iaik.security.ecc.provider.ECCProvider;
+
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import net.oauth.jsontoken.crypto.Signer;
+import net.oauth.jsontoken.crypto.Verifier;
+
+import org.opensaml.xml.security.x509.BasicX509Credential;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SHA256Signer;
+import at.gv.egovernment.moa.id.protocols.oauth20.json.OAuth20SHA256Verifier;
+import at.gv.egovernment.moa.util.KeyStoreUtils;
+
+public class CertTest {
+	
+	/** KeyStore Path */
+	private String rsaKeyStorePath = "file:/D:/dev/work/exthex/workspace/OAuthTesting/resources/keys/test_keystore.jks";
+	
+	private String ecdsaKeyStorePath = "file:/D:/dev/work/exthex/workspace/OAuthTesting/resources/keys/ECDSA_keystore.jks";
+	
+	/** KeyStore Password */
+	private String keyStorePassword = "test12";
+	
+	/** Specific Key Name as Credential */
+	private String keyName = "1";
+	
+	/** Key password */
+	private String keyPassword = "test12";
+	
+	private BasicX509Credential getCredentials(String keyStorePath) {
+		Assert.assertNotNull(keyStorePath);
+		
+		// KeyStorePassword optional
+		// if (StringUtils.isEmpty(this.keyStorePassword))
+		// throw new SAMLException("No keyStorePassword specified");
+		
+		Assert.assertNotNull(this.keyName);
+		
+		// KeyStorePassword optional
+		// if (StringUtils.isEmpty(this.keyPassword))
+		// throw new SAMLException("No keyPassword specified");
+		
+		KeyStore ks = null;
+		try {
+			ks = KeyStoreUtils.loadKeyStore(keyStorePath, this.keyStorePassword);
+			
+		}
+		catch (Exception e) {
+			e.printStackTrace();
+		}
+		
+		// return new KeyStoreX509CredentialAdapter(ks, keyName, keyPwd.toCharArray());
+		BasicX509Credential credential = null;
+		try {
+			X509Certificate certificate = (X509Certificate) ks.getCertificate(this.keyName);
+			
+			PrivateKey privateKey = (PrivateKey) ks.getKey(this.keyName, this.keyPassword.toCharArray());
+			
+			// System.out.println("KS Provider:" + privateKey.getClass());
+			credential = new BasicX509Credential();
+			credential.setEntityCertificate(certificate);
+			credential.setPrivateKey(privateKey);
+			
+			System.out.println("Private Key: " + privateKey);
+			
+		}
+		catch (Exception e) {
+			e.printStackTrace();
+			
+		}
+		
+		return credential;
+	}
+	
+	private void signAndVerify(BasicX509Credential credential) throws Exception {
+		String data = "someData";
+		
+		Signer signer = new OAuth20SHA256Signer("signer1", keyName, credential.getPrivateKey());
+		
+		byte[] signedData = signer.sign(data.getBytes());
+		
+		Verifier verifier = new OAuth20SHA256Verifier(credential.getPublicKey());
+		verifier.verifySignature(data.getBytes(), signedData);
+	}
+	
+	@Test
+	// (enabled = false)
+	public void testRSA() throws Exception {
+		BasicX509Credential credential = this.getCredentials(this.rsaKeyStorePath);
+		
+		// System.out.println(credential);
+		this.signAndVerify(credential);
+	}
+	
+	@Test
+	public void testECDSA() throws Exception {
+		ECCProvider.addAsProvider();
+		
+		// Security.addProvider(new ECCProvider());
+		BasicX509Credential credential = this.getCredentials(this.ecdsaKeyStorePath);
+		this.signAndVerify(credential);
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
new file mode 100644
index 000000000..abfca4f36
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20ErrorsTests.java
@@ -0,0 +1,184 @@
+package test.at.gv.egovernment.moa.id.auth.oauth;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.commons.lang.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testng.Assert;
+import org.testng.annotations.AfterMethod;
+import org.testng.annotations.BeforeMethod;
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants;
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+
+import com.google.api.client.extensions.java6.auth.oauth2.VerificationCodeReceiver;
+import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
+
+public class OAuth20ErrorsTests {
+	
+	final static Logger log = LoggerFactory.getLogger(OAuth20ErrorsTests.class);
+	
+	private static VerificationCodeReceiver receiver;
+	
+	// base uri
+	private static String OAUTH2_BASE_URI = "https://localhost/moa-id-auth/";
+	// auth action
+	private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "oauth2/auth";
+	// token action
+	private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "oauth2/token";
+	
+	// client id
+	private static String CLIENT_ID = "http://test";
+	// client secret
+	private static String CLIENT_SECRET = "d435cf0a-3933-48f7-b142-339710c8f070";
+	// OAuth 2.0 scopes
+	//private static List<String> SCOPES = Arrays.asList("testScope1", "testScope2");
+	// state
+	private static String STATE = "testState";
+	// code
+	private static String CODE = "code";
+	// redirect uri
+	private static String REDIRECT_URI = "http://localhost:59542/Callback";
+	
+	@BeforeMethod
+	public void beforeTest() throws Exception {
+		receiver = new LocalServerReceiver.Builder().setPort(59542).build();
+		// REDIRECT_URI = receiver.getRedirectUri();
+		// start
+		receiver.getRedirectUri();
+	}
+	
+	@AfterMethod
+	public void afterTest() {
+		try {
+			receiver.stop();
+		}
+		catch (IOException e) {
+		}
+	}
+	
+	private void checkParam(final String paramString, final String paramName) {
+		String[] help = paramString.split("=");
+		Assert.assertEquals(help[0], paramName);
+		Assert.assertTrue(StringUtils.isNotEmpty(help[1]));
+	}
+	
+	private void checkParams(final String queryString) {
+		// System.out.println("QueryString: " + queryString);
+		
+		System.out.println("Result url: " + queryString);
+		
+		String[] params = queryString.split("&");
+		
+		this.checkParam(params[0], OAuth20Constants.PARAM_ERROR);
+		this.checkParam(params[1], OAuth20Constants.PARAM_ERROR_DESCRIPTION);
+		// this.checkParam(params[2], OAuth20Constants.PARAM_ERROR_URI);
+		// this.checkParam(params[3], OAuth20Constants.PARAM_STATE);
+		this.checkParam(params[2], OAuth20Constants.PARAM_STATE);
+	}
+	
+	class OAuthRequestParameters {
+		String redirectUri;
+		String clientId;
+		String responseType;
+		String scope;
+		String state;
+		String error;
+		
+		public OAuthRequestParameters(String redirectUri, String clientId, String responseType, String scope, String state,
+				String error) {
+			this.redirectUri = redirectUri;
+			this.clientId = clientId;
+			this.responseType = responseType;
+			this.scope = scope;
+			this.state = state;
+			this.error = error;
+		}
+	}
+	
+	@DataProvider(name = "parameter")
+	public Object[][] parameterProvider() {
+		// parameter is missing
+		// OAuthRequestParameters p0 = new OAuthRequestParameters(null, OA_URL, CLIENT_ID, CODE,
+		// "testScope1", null,
+		// "User authorization failed (invalid_request)");
+		// OAuthRequestParameters p1 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE,
+		// "testScope1", STATE,
+		// "User authorization failed (invalid_request)");
+		OAuthRequestParameters p2 = new OAuthRequestParameters(REDIRECT_URI, null, CODE, "testScope1", STATE,
+				"User authorization failed (invalid_request)");
+		OAuthRequestParameters p3 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, null, "testScope1", STATE,
+				"User authorization failed (invalid_request)");
+		OAuthRequestParameters p4 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE, null, STATE, null);
+		OAuthRequestParameters p5 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, CODE, "testScope1", null,
+				"User authorization failed (invalid_request)");
+		
+		// wrong response type
+		OAuthRequestParameters p6 = new OAuthRequestParameters(REDIRECT_URI, CLIENT_ID, "WRONG_CODE", "testScope1", STATE,
+				"User authorization failed (unsupported_response_type)");
+		// wrong client id
+		OAuthRequestParameters p7 = new OAuthRequestParameters(REDIRECT_URI, "wrongClient", CODE, "testScope1", STATE,
+				"User authorization failed (invalid_request)");
+		// wrong redirect uri
+		// OAuthRequestParameters p9 = new OAuthRequestParameters("wrongURI", OA_URL, "wrongClient",
+		// CODE, "testScope1", STATE,
+		// "User authorization failed (access_denied)");
+		
+		return new Object[][] { { p2 }, { p3 }, { p4 }, { p5 }, { p6 }, { p7 } };
+	}
+	
+	@Test(dataProvider = "parameter", enabled = false)
+	public void testMissingParams(OAuthRequestParameters p) throws Exception {
+		StringBuilder url = new StringBuilder();
+		url.append(OAUTH2_AUTH_URI);
+		
+		if (StringUtils.isNotEmpty(p.redirectUri)) OAuth20Util.addParameterToURL(url, "redirect_uri", p.redirectUri);
+		if (StringUtils.isNotEmpty(p.clientId)) OAuth20Util.addParameterToURL(url, "client_id", p.clientId);
+		if (StringUtils.isNotEmpty(p.responseType)) OAuth20Util.addParameterToURL(url, "response_type", p.responseType);
+		if (StringUtils.isNotEmpty(p.scope)) OAuth20Util.addParameterToURL(url, "scope", p.scope);
+		if (StringUtils.isNotEmpty(p.state)) OAuth20Util.addParameterToURL(url, "state", p.state);
+		
+		String finalUrl = url.toString();
+		System.out.println("Calling: " + finalUrl);
+		
+		HttpClient client = new HttpClient();
+		GetMethod get = new GetMethod(finalUrl);
+		int res = client.executeMethod(get);
+		Assert.assertEquals(res, HttpServletResponse.SC_OK);
+		
+		// assert
+		
+		if (p.error == null) {
+			Assert.assertFalse(get.getQueryString().contains("error"));
+			// receiver.waitForCode();
+		} else {
+			// check if all error params are returned
+			this.checkParams(get.getQueryString());
+			try {
+				receiver.waitForCode();
+				Assert.assertTrue(false);
+			}
+			catch (Exception e) {
+				Assert.assertEquals(e.getMessage(), p.error);
+			}
+		}
+	}
+	
+	@Test(enabled = false)
+	public void testTokenErrorResponse() throws Exception {
+		HttpClient client = new HttpClient();
+		GetMethod get = new GetMethod(OAUTH2_TOKEN_URI + "&client_id=" + CLIENT_ID + "&client_secret=" + CLIENT_SECRET
+				+ "&code=test&grant_type=authorization_code");
+		int res = client.executeMethod(get);
+		
+		System.out.println(res);
+		System.out.println(get.getResponseBodyAsString());
+	}
+}
diff --git a/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java
new file mode 100644
index 000000000..53c7ad496
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20GoogleClientTestCase.java
@@ -0,0 +1,158 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package test.at.gv.egovernment.moa.id.auth.oauth;
+
+import java.awt.Desktop;
+import java.awt.Desktop.Action;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.net.URI;
+import java.security.SecureRandom;
+import java.util.Arrays;
+import java.util.List;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
+import com.google.api.client.auth.oauth2.AuthorizationCodeRequestUrl;
+import com.google.api.client.auth.oauth2.BearerToken;
+import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
+import com.google.api.client.auth.oauth2.TokenResponse;
+import com.google.api.client.auth.openidconnect.IdToken;
+import com.google.api.client.extensions.java6.auth.oauth2.VerificationCodeReceiver;
+import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
+import com.google.api.client.http.GenericUrl;
+import com.google.api.client.http.HttpExecuteInterceptor;
+import com.google.api.client.http.HttpTransport;
+import com.google.api.client.http.javanet.NetHttpTransport;
+import com.google.api.client.json.JsonFactory;
+import com.google.api.client.json.jackson2.JacksonFactory;
+
+public class OAuth20GoogleClientTestCase {
+	
+	final static Logger log = LoggerFactory.getLogger(OAuth20GoogleClientTestCase.class);
+	
+	// private static FileDataStoreFactory DATA_STORE_FACTORY;
+	
+	// Global instance of the HTTP transport.
+	private static HttpTransport HTTP_TRANSPORT = new NetHttpTransport();
+	// Global instance of the JSON factory.
+	private static final JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
+	
+	private static String ISS = "https://localhost/moa-id-auth/";
+	
+	// base uri
+	//private static String OAUTH2_BASE_URI = ISS + "dispatcher";
+	// auth action
+	//private static String OAUTH2_AUTH_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=AUTH";
+	private static String OAUTH2_AUTH_URI = ISS + "oauth2/auth";
+
+	// token action
+	//private static String OAUTH2_TOKEN_URI = OAUTH2_BASE_URI + "?mod=id_oauth20&action=TOKEN";
+	private static String OAUTH2_TOKEN_URI = ISS + "oauth2/token";
+	
+	// client id
+	private static String CLIENT_ID = "http://test";
+	// client secret
+	private static String CLIENT_SECRET = "d435cf0a-3933-48f7-b142-339710c8f070";
+	// OAuth 2.0 scopes
+	private static final List<String> SCOPES = Arrays.asList("profile", "eID", "eID_gov", "mandate");
+	
+	// open browser for bku login
+	private void openURL(String url) {
+		Assert.assertNotNull(url);
+		log.info("Please open the following URL in your browser:");
+		log.info(url);
+		if (Desktop.isDesktopSupported()) {
+			Desktop desktop = Desktop.getDesktop();
+			if (desktop.isSupported(Action.BROWSE)) {
+				try {
+					desktop.browse(URI.create(url));
+					return;
+				}
+				catch (IOException e) {
+					// handled below
+				}
+			}
+		}
+		
+	}
+	
+	private TokenResponse authorize() throws Exception {
+		// set up a receiver for the callback
+		VerificationCodeReceiver receiver = new LocalServerReceiver.Builder().setPort(59542).build();
+		
+		// create AuthorizationCodeFlow
+		GenericUrl token_uri = new GenericUrl(OAUTH2_TOKEN_URI);
+		HttpExecuteInterceptor credentials = new ClientParametersAuthentication(CLIENT_ID, CLIENT_SECRET);
+		AuthorizationCodeFlow flow = new AuthorizationCodeFlow.Builder(BearerToken.queryParameterAccessMethod(), HTTP_TRANSPORT,
+				JSON_FACTORY, token_uri, credentials, CLIENT_ID, OAUTH2_AUTH_URI).setScopes(SCOPES).build();
+		// .setDataStoreFactory(DATA_STORE_FACTORY)
+		
+		// create AuthorizationCodeRequestUrl
+		try {
+			String redirectUri = receiver.getRedirectUri();
+			String state = new BigInteger(130, new SecureRandom()).toString(32);
+			AuthorizationCodeRequestUrl authorizationUrl = flow.newAuthorizationUrl().setRedirectUri(redirectUri).setState(state);
+			
+			// open in browser
+			this.openURL(authorizationUrl.build());
+			
+			// receive authorization code and exchange it for an access token
+			String code = receiver.waitForCode();
+			System.out.println(code);
+			TokenResponse response = flow.newTokenRequest(code).setRedirectUri(redirectUri).execute();
+			return response;
+		}
+		finally {
+			// if anything fails, stop the receiver
+			receiver.stop();
+		}
+		
+	}
+	
+	// eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdC9tb2EtaWQtYXV0aC8iLCJleHAiOi02MzE5MDMsInN1YiI6IncveThQY2pNTHBFTGZmUHRTSDNtbmd6M24rRVx1MDAzZCIsImJpcnRoZGF0ZSI6IjE5ODUtMDItMDEiLCJmYW1pbHlfbmFtZSI6IkhpZXNzIiwiZ2l2ZW5fbmFtZSI6Ik1pY2hhZWwiLCJpYXQiOi02MzIyMDN9.Z_jveITHlTtktPOOV3n_sMbg50YQ4YcOEcSUs_RJ-4FGedj1sVxk9gmlUQcBPfQaBrPgC6RoiPLTy8CKu2PBClEyv9c9HdzIGqBjWzaTSNASx_QL5bfG4EQ8VZmSEI9d0whzlaBgkUFNfhx-Q2ZVh-g8SJ-0JO0zFR18OSRNTxPTJ4PPl0APqn2H-98sU331_zQKiZxNOvl_6OG26VoIYwEuW5m_N5tsf4lLAlqYcdHR3iNTeu8AkAOvlEwv7Z3BeeOiP4u-OWuc6VusWBPxaI2NwmDIoorpyIxY-wEFb4CWICuyk61Wlq1SCNdl-f-ODwJBK3rlj0IMlYbAjKSB0g
+	private void verifyIdToken(TokenResponse response) throws Exception {
+		String id_token = (String) response.getUnknownKeys().get("id_token");
+		log.info("going to parse id token: {}", id_token);
+		
+		IdToken idToken = IdToken.parse(JSON_FACTORY, id_token);
+		Assert.assertTrue(idToken.verifyIssuer(ISS));
+		
+		log.info(idToken.getPayload().toPrettyString());
+		log.info(idToken.getHeader().toPrettyString());
+
+	}
+	
+	@Test(enabled = false)
+	public void testServerFlow() throws Exception {
+		TokenResponse response = this.authorize();
+		log.info(response.toPrettyString());
+		
+		this.verifyIdToken(response);
+	}
+	
+}
diff --git a/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java
new file mode 100644
index 000000000..8e18adc08
--- /dev/null
+++ b/id/server/modules/moa-id-module-openID/src/test/java/test/at/gv/egovernment/moa/id/auth/oauth/OAuth20UtilTest.java
@@ -0,0 +1,70 @@
+/*******************************************************************************
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ *******************************************************************************/
+package test.at.gv.egovernment.moa.id.auth.oauth;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.testng.Assert;
+import org.testng.annotations.Test;
+
+import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util;
+
+public class OAuth20UtilTest {
+	
+	@Test
+	public void validateURL() {
+		Assert.assertTrue(OAuth20Util.isUrl("file:/D:/dev/work/exthex/workspace/OAuthTesting/resources/keys/test_keystore.jks"));
+		Assert.assertTrue(OAuth20Util.isUrl("https://www.google.at/"));
+		Assert.assertTrue(OAuth20Util.isUrl("http://test"));
+		Assert.assertTrue(OAuth20Util.isUrl("http://localhost:59542/Callback"));
+		
+		
+		Assert.assertFalse(OAuth20Util.isUrl("http://"));
+		Assert.assertFalse(OAuth20Util.isUrl("123http://test"));
+		Assert.assertFalse(OAuth20Util.isUrl("test"));
+	}
+	
+	@Test
+	public void validateState() {
+		// check state for invalid characters (like < > & ; ... javascript ... to prevent xss)
+		
+		Assert.assertFalse(OAuth20Util.isValidStateValue("javascript"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("<Test"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("Test>"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("Tas<est"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("Te>st"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("Tes&t"));
+		Assert.assertFalse(OAuth20Util.isValidStateValue("Tes;t"));
+		Assert.assertTrue(OAuth20Util.isValidStateValue("secure_state"));
+	}
+	
+	
+	@Test
+	public void testExp() {
+		Pattern urlPattern = Pattern.compile("/oauth2/auth\\?(.*)$", Pattern.CASE_INSENSITIVE);
+		Matcher matcher = urlPattern.matcher("https://localhost/moa-id-auth/oauth2/auth?client_id=http://test&redirect_uri=http://localhost:59542/Callback&response_type=code&scope=profile%20eID%20eID_gov%20mandate&state=7gfnabf112ogg9segnnrfpi83q");
+		System.out.println(matcher.find());
+	}
+	
+}