Spec Sheet

Specification

Features / Version / Description
("x.y ~" means the feature is available from Authlete x.y onward.)

Standards
  1.1 ~
  2.0 ~
  2.1 ~
  2.2 ~

Client Authentication Methods
  1.1 ~
    • none
    • client_secret_basic (RFC 6749)
    • client_secret_post (RFC 6749)
  2.0 ~
    • client_secret_jwt (RFC 7523)
    • private_key_jwt (RFC 7523)
    • tls_client_auth (MTLS)
    • self_signed_tls_client_auth (MTLS)

Endpoints
  1.1 ~
    • Authorization Endpoint (RFC 6749)
    • Discovery Endpoint (OIDC Discovery 1.0)
    • Introspection Endpoint (RFC 7662)
    • JWK Set Endpoint (RFC 7517)
    • Revocation Endpoint (RFC 7009)
    • Token Endpoint (RFC 6749)
    • UserInfo Endpoint (OIDC Core 1.0)
  2.1 ~
    • Backchannel Authentication Endpoint (CIBA Core 1.0)
    • Device Authorization Endpoint (RFC 8628)
  2.2 ~
    • Pushed Authorization Request Endpoint (PAR)

Grant Types
  1.1 ~
    • authorization_code (RFC 6749)
    • implicit (RFC 6749) *2
    • password (RFC 6749) *2
    • client_credentials (RFC 6749)
    • refresh_token (RFC 6749)
  2.1 ~
    • urn:openid:params:grant-type:ciba (CIBA)
    • urn:ietf:params:oauth:grant-type:device_code (RFC 8628)

Response Types
  1.1 ~
    • code (RFC 6749)
    • token (RFC 6749)
    • id_token (Multiple Response Type)
    • code token (Multiple Response Type)
    • code id_token (Multiple Response Type)
    • id_token token (Multiple Response Type)
    • code id_token token (Multiple Response Type)
    • none (Multiple Response Type)

Response Modes
  1.1 ~
    • query (Multiple Response Type)
    • fragment (Multiple Response Type)
    • form_post (Form Post Response Mode)
  2.1 ~
    • jwt (JARM)
    • query.jwt (JARM)
    • fragment.jwt (JARM)
    • form_post.jwt (JARM)

Signature Algorithms
  1.1 ~
    • HS256
    • HS384
    • HS512
    • RS256
    • RS384
    • RS512
    • ES256
    • ES384
    • ES512
    • PS256
    • PS384
    • PS512
    • none *2

Encryption Algorithms (key management)
  1.1 ~
    • RSA1_5 *2
    • RSA-OAEP
    • RSA-OAEP-256
    • A128KW
    • A192KW
    • A256KW
    • dir
    • ECDH-ES
    • ECDH-ES+A128KW
    • ECDH-ES+A192KW
    • ECDH-ES+A256KW
    • A128GCMKW
    • A192GCMKW
    • A256GCMKW
    • PBES2-HS256+A128KW
    • PBES2-HS384+A192KW
    • PBES2-HS512+A256KW

Encryption Methods (content encryption)
  1.1 ~
    • A128CBC-HS256
    • A192CBC-HS384
    • A256CBC-HS512
    • A128GCM
    • A192GCM
    • A256GCM

Authlete Specific
  1.1 ~
    • Client ID alias
    • Extra properties
    • Renewal policy on refresh tokens
    • Single access token per subject
    • Error description omission
    • Error URI omission
    • Granted scopes management *1
    • PKCE enforcement
  2.0 ~
    • Scope attributes
    • PKI certificate chain validation for mutual TLS authentication (MTLS)
  2.1 ~
    • Mandating S256 for code_challenge_method (PKCE)
    • JWT-based access token
    • Allowable clock skew
    • Mandating binding message in FAPI context (FAPI-CIBA)
    • Advanced renewal policy on refresh tokens
  2.2 ~
    • Additional claims in the header part of ID tokens

Token Duration Configuration
  1.1 ~
    • Access token duration per service
    • Refresh token duration per service
    • ID token duration per service
  2.0 ~
    • Access token duration per scope
    • Refresh token duration per scope
  2.1 ~
    • Access token duration per client
    • Refresh token duration per client
    • Backchannel authentication request ID duration per service (CIBA)
    • Authorization response JWT duration per service (JARM)
    • Verification code duration per service (RFC 8628)
  2.2 ~
    • Request URI duration per service (PAR)

*1 : Only available in the Enterprise plan.
*2 : Listed for completeness. The "none" signature algorithm (unsigned JWT), RSA1_5 key encryption (PKCS#1 v1.5 padding) and the implicit and password grant types are discouraged by current OAuth 2.0 and JOSE security guidance (OAuth 2.0 Security Best Current Practice, RFC 8725); leave them disabled in a production service configuration unless a legacy client requires them.

NOTE: Authlete 2.2 is under development and its commercial version has not been released yet.
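The "PKCE enforcement" and "Mandating S256 for code_challenge_method" items in the Authlete Specific row are server-side policy checks. The following is an added example, not Authlete's code, written in Python with only the standard library: it shows the client-side verifier/challenge generation of RFC 7636 and what the two policy switches amount to at the authorization endpoint (reject missing or plain challenges) and at the token endpoint (bind the presented code_verifier to the stored challenge). The flag names PKCE_REQUIRED and S256_REQUIRED are assumptions for illustration and do not correspond to any Authlete API parameter.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# Hypothetical service-level policy flags (names are assumptions, not Authlete's API):
#   PKCE_REQUIRED : "PKCE enforcement" - authorization requests must carry code_challenge
#   S256_REQUIRED : "Mandating S256 for code_challenge_method" - "plain" is refused
PKCE_REQUIRED = True
S256_REQUIRED = True

# RFC 7636 section 4.1: code_verifier is 43..128 characters of [A-Za-z0-9-._~]
VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding used for code_challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: random verifier, challenge = BASE64URL(SHA256(verifier))."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def check_authorization_request(params: dict) -> Tuple[bool, str]:
    """Authorization endpoint policy. Returns (accepted, OAuth error code)."""
    challenge = params.get("code_challenge")
    method = params.get("code_challenge_method", "plain")  # RFC 7636 default when omitted
    if challenge is None:
        # PKCE enforcement: no challenge, no authorization code
        return (False, "invalid_request") if PKCE_REQUIRED else (True, "")
    if method not in ("plain", "S256"):
        return False, "invalid_request"
    if method == "plain" and S256_REQUIRED:
        # A plain challenge equals the verifier, so anyone who sees the request can redeem the code
        return False, "invalid_request"
    return True, ""


def check_token_request(stored: dict, code_verifier: Optional[str]) -> bool:
    """Token endpoint: bind the presented code_verifier to the challenge saved with the code."""
    challenge = stored.get("code_challenge")
    if challenge is None:
        # The code was issued without PKCE; acceptable only when enforcement is off
        return (not PKCE_REQUIRED) and code_verifier is None
    if code_verifier is None or not VERIFIER_RE.match(code_verifier):
        return False
    if stored.get("code_challenge_method", "plain") == "S256":
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    else:
        expected = code_verifier
    # Constant-time comparison: the challenge is a secret-derived value
    return hmac.compare_digest(expected, challenge)
```

The two flags are independent: with S256_REQUIRED alone, a client may still omit PKCE entirely, which is why the enforcement switch exists as a separate item in the table.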
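client_secret_jwt (RFC 7523, in the Client Authentication Methods row) replaces a secret sent over the wire with a short-lived signed assertion, and the "Allowable clock skew" item governs how its exp claim is judged. The following is an added example, not Authlete's code, in Python with only the standard library: the client builds an HS256 assertion, and the token-endpoint side verifies it with the algorithm pinned before the signature is checked (so an "alg: none" token is refused), the signature compared in constant time, iss/sub/aud/exp validated, and jti tracked to stop replay. The token endpoint URL, client ID and client secret are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed values for the example
TOKEN_ENDPOINT = "https://as.example.com/api/auth/token"
CLIENT_ID = "client-123"
CLIENT_SECRET = "a-very-long-random-client-secret-generated-by-the-server"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id: str, client_secret: str, audience: str,
                          lifetime: int = 60, now: Optional[int] = None) -> str:
    """Client side: HS256 JWT sent as client_assertion (client_secret_jwt)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id, "sub": client_id, "aud": audience,
        "jti": b64url_encode(secrets.token_bytes(16)),  # unique per assertion
        "iat": now, "exp": now + lifetime,
    }
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    sig = hmac.new(client_secret.encode("utf-8"), signing_input.encode("utf-8"),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class AssertionVerifier:
    """Token endpoint side: verifies a client_secret_jwt assertion for a known client."""

    def __init__(self, audience: str, clock_skew: int = 0):
        self.audience = audience
        self.clock_skew = clock_skew       # "Allowable clock skew" applied to exp
        self._seen: Dict[str, int] = {}    # jti -> exp, replay cache

    def verify(self, assertion: str, client_id: str, client_secret: str,
               now: Optional[int] = None) -> Tuple[bool, str]:
        now = int(time.time()) if now is None else now
        parts = assertion.split(".")
        if len(parts) != 3:
            return False, "malformed"
        h, c, s = parts
        try:
            header = json.loads(b64url_decode(h))
            claims = json.loads(b64url_decode(c))
            sig = b64url_decode(s)
        except ValueError:  # bad base64 or bad JSON
            return False, "malformed"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "malformed"
        # Pin the algorithm before touching the signature: refuses "none" and key-confusion tricks
        if header.get("alg") != "HS256":
            return False, "unsupported_alg"
        expected = hmac.new(client_secret.encode("utf-8"), (h + "." + c).encode("utf-8"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad_signature"
        if claims.get("iss") != client_id or claims.get("sub") != client_id:
            return False, "issuer_mismatch"
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return False, "audience_mismatch"
        exp = claims.get("exp")
        if not isinstance(exp, int) or now > exp + self.clock_skew:
            return False, "expired"
        jti = claims.get("jti")
        if not isinstance(jti, str) or not jti:
            return False, "missing_jti"
        # Forget jtis that can no longer be replayed, then refuse any that is seen again
        self._seen = {j: e for j, e in self._seen.items() if e + self.clock_skew >= now}
        if jti in self._seen:
            return False, "replayed_jti"
        self._seen[jti] = exp
        return True, ""
```

The replay cache only needs to remember a jti until its exp plus the allowed skew has passed, which is why a short assertion lifetime keeps the cache small; the same checks apply to private_key_jwt, with the HMAC replaced by an asymmetric signature verified against the client's registered JWK Set.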

OpenID Certification

OpenID Certification / Version / Categories
("x.y ~" means the certification applies to Authlete x.y onward.)

OpenID Provider
  1.1 ~
    • Basic OP
    • Implicit OP
    • Hybrid OP
    • Config OP
  2.1 ~
    • Dynamic OP
    • Form Post OP

FAPI OpenID Provider
  2.1 ~
    • FAPI R/W OP w/ MTLS
    • FAPI R/W OP w/ Private Key

FAPI-CIBA Profile OpenID Provider
  2.1 ~
    • FAPI-CIBA OP Poll w/ MTLS
    • FAPI-CIBA OP Poll w/ Private Key
    • FAPI-CIBA OP Ping w/ MTLS
    • FAPI-CIBA OP Ping w/ Private Key