Specification

Features	Version	Description
Standards	1.1~	RFC 6749: The OAuth 2.0 Authorization Framework RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 7009: OAuth 2.0 Token Revocation RFC 7636: Proof Key for Code Exchange by OAuth Public Clients RFC 7662: OAuth 2.0 Token Introspection OAuth 2.0 Multiple Response Type Encoding Practices OAuth 2.0 Form Post Response Mode OpenID Connect Core 1.0 OpenID Connect Discovery 1.0
	2.0~	RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants RFC 8705: OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens Financial-grade API - Part 1: Read-Only API Security Profile Financial-grade API - Part 2: Read and Write API Security Profile UK Open Banking Security Profile
	2.1~	RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol RFC 8628: OAuth 2.0 Device Authorization Grant OpenID Connect Dynamic Client Registration 1.0 OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) Financial-grade API: Client Initiated Backchannel Authentication Profile
	2.2~	RFC 8707: Resource Indicators for OAuth 2.0 OAuth 2.0 Pushed Authorization Requests OAuth 2.0 Rich Authorization Requests OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) OpenID Connect for Identity Assurance 1.0 The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR) OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
Client Authentication Methods	1.1 ~	`none` `client_secret_basic` (RFC 6749) `client_secret_post` (RFC 6749)
Client Authentication Methods	2.0 ~	`client_secret_jwt` (RFC 7523) `private_key_jwt` (RFC 7523) `tls_client_auth` (MTLS) `self_signed_tls_client_auth` (MTLS)
Endpoints	1.1 ~	Authorization Endpoint (RFC 6749) Discovery Endpoint (OIDC Discovery 1.0) Introspection Endpoint (RFC 7662) JWK Set Endpoint (RFC 7517) Revocation Endpoint (RFC 7009) Token Endpoint (RFC 6749) UserInfo Endpoint (OIDC Core 1.0)
	2.1 ~	Backchannel Authentication Endpoint (CIBA Core 1.0) Device Authorization Endpoint (RFC 8628)
	2.2 ~	Pushed Authorization Request Endpoint (PAR)
Grant Types	1.1 ~	`authorization_code` (RFC 6749) `implicit` (RFC 6749) `password` (RFC 6749) `client_credentials` (RFC 6749) `refresh` (RFC 6749)
Grant Types	2.1 ~	`urn:openid:params:grant-type:ciba` (CIBA) `urn:ietf:params:oauth:grant-type:device_code` (RFC 8628)
Response Types	1.1 ~	`code` (RFC 6749) `token` (RFC 6749) `id_token` (Multiple Response Type) `code token` (Multiple Response Type) `code id_token` (Multiple Response Type) `id_token token` (Multiple Response Type) `code id_token token` (Multiple Response Type) `none` (Multiple Response Type)
Response Modes	1.1 ~	`query` (Multiple Response Type) `fragment` (Multiple Response Type) `form_post` (Form Post Response Mode)
Response Modes	2.1 ~	`jwt` (JARM) `query.jwt` (JARM) `fragment.jwt` (JARM) `form_post.jwt` (JARM)
Signature Algorithms	1.1 ~	`HS256` `HS384` `HS512` `RS256` `RS384` `RS512` `ES256` `ES384` `ES512` `PS256` `PS384` `PS512` `none`
Encryption Algorithms	1.1 ~	`RSA1_5` `RSA-OAEP` `RSA-OAEP-256` `A128KW` `A192KW` `A256KW` `dir` `ECDH-ES` `ECDH-ES+A128KW` `ECDH-ES+A192KW` `ECDH-ES+A256KW` `A128GCMKW` `A192GCMKW` `A1256GCMKW` `PBES2-HS256+A128KW` `PBES2-HS384+A192KW` `PBES2-HS512+A256KW`
Encryption Methods	1.1 ~	`A128CBC-HS256` `A192CBC-HS384` `A256CBC-HS512` `A128GCM` `A192GCM` `A256GCM`
Authlete Specific	1.1 ~	Client ID alias Extra properties Renewal policy on refresh tokens Single access token per subject Error description omission Error URI omission Granted scopes management ^*1 PKCE enforcement
	2.0 ~	Scope attributes PKI certificate chain validation for mutual TLS authentication (MTLS)
	2.1 ~	Mandating S256 for code_challenge_method (PKCE) JWT-based access token Allowable clock skew Mandating binding message in FAPI context (FAPI-CIBA) Advanced renewal policy on refresh tokens
	2.2 ~	Additional claims in a header part of ID tokens
Token Duration Configuration	1.1 ~	Access token duration per service Refresh token duration per service ID token duration per service
	2.0 ~	Access token duration per scope Refresh token duration per scope
	2.1 ~	Access token duration per client Refresh token duration per client Backchannel authentication request ID duration per service (CIBA) Authorization response JWT duration per service (JARM) Verification code duration per service (RFC 8628)
	2.2 ~	Request URI duration per service (PAR)

^{*1 : Only available in Enterprise plan}

NOTE: Authlete 2.2 is under development and its commercial version has not been released yet.

OpenID Certification

OpenID Certification	Version	Categories
OpenID Provider	1.1 ~	Basic OP Implicit OP Hybrid OP Config OP
OpenID Provider	2.1 ~	Dynamic OP Form Post OP
FAPI OpenID Provider	2.1 ~	FAPI R/W OP w/ MTLS FAPI R/W OP w/ Private Key
FAPI-CIBA Profile OpenID Provider	2.1 ~	FAPI-CIBA OP Poll w/ MTLS FAPI-CIBA OP Poll w/ Private Key FAPI-CIBA OP Ping w/ MTLS FAPI-CIBA OP Ping w/ Private Key

Last Updated at October 26, 2020 by Authlete, Inc.

Spec Sheet

Specification

OpenID Certification