Specification

Features	Version	Description
Standards	1.1~	RFC 6749: The OAuth 2.0 Authorization Framework RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage RFC 7009: OAuth 2.0 Token Revocation RFC 7636: Proof Key for Code Exchange by OAuth Public Clients RFC 7662: OAuth 2.0 Token Introspection OAuth 2.0 Multiple Response Type Encoding Practices OAuth 2.0 Form Post Response Mode OpenID Connect Core 1.0 OpenID Connect Discovery 1.0
	2.0~	RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants RFC 8705: OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens Financial-grade API - Part 1: Read-Only API Security Profile Financial-grade API - Part 2: Read and Write API Security Profile UK Open Banking Security Profile
	2.1~	RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol RFC 8628: OAuth 2.0 Device Authorization Grant OpenID Connect Dynamic Client Registration 1.0 OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) Financial-grade API: Client Initiated Backchannel Authentication Profile
	2.2~	RFC 8707: Resource Indicators for OAuth 2.0 RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) RFC 9126: OAuth 2.0 Pushed Authorization Requests RFC 9207: OAuth 2.0 Authorization Server Issuer Identification OAuth 2.0 Rich Authorization Requests OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) OpenID Connect for Identity Assurance 1.0 Australia Consumer Data Right Security Profile Open Banking Brasil Financial-grade API Security Profile
	2.3~	RFC 8693: OAuth 2.0 Token Exchange Grant Management for OAuth 2.0 Transformed Claims
Client Authentication Methods	1.1 ~	`none` `client_secret_basic` (RFC 6749) `client_secret_post` (RFC 6749)
Client Authentication Methods	2.0 ~	`client_secret_jwt` (RFC 7523) `private_key_jwt` (RFC 7523) `tls_client_auth` (RFC 8705) `self_signed_tls_client_auth` (RFC 8705)
Endpoints	1.1 ~	Authorization Endpoint (RFC 6749) Discovery Endpoint (OIDC Discovery 1.0) Introspection Endpoint (RFC 7662) JWK Set Endpoint (RFC 7517) Revocation Endpoint (RFC 7009) Token Endpoint (RFC 6749) UserInfo Endpoint (OIDC Core 1.0)
	2.1 ~	Backchannel Authentication Endpoint (CIBA Core 1.0) Device Authorization Endpoint (RFC 8628)
	2.2 ~	Pushed Authorization Request Endpoint (RFC 9126)
	2.3 ~	Grant Management Endpoint
Grant Types	1.1 ~	`authorization_code` (RFC 6749) `implicit` (RFC 6749) `password` (RFC 6749) `client_credentials` (RFC 6749) `refresh` (RFC 6749)
	2.1 ~	`urn:openid:params:grant-type:ciba` (CIBA Core) `urn:ietf:params:oauth:grant-type:device_code` (RFC 8628)
	2.3 ~	`urn:ietf:params:oauth:grant-type:token-exchange` (RFC 8693) `urn:ietf:params:oauth:grant-type:jwt-bearer` (RFC 7523)
Response Types	1.1 ~	`code` (RFC 6749) `token` (RFC 6749) `id_token` (Multiple Response Type) `code token` (Multiple Response Type) `code id_token` (Multiple Response Type) `id_token token` (Multiple Response Type) `code id_token token` (Multiple Response Type) `none` (Multiple Response Type)
Response Modes	1.1 ~	`query` (Multiple Response Type) `fragment` (Multiple Response Type) `form_post` (Form Post Response Mode)
Response Modes	2.1 ~	`jwt` (JARM) `query.jwt` (JARM) `fragment.jwt` (JARM) `form_post.jwt` (JARM)
Signature Algorithms	1.1 ~	`HS256` `HS384` `HS512` `RS256` `RS384` `RS512` `ES256` `ES384` `ES512` `PS256` `PS384` `PS512` `none`
	2.2 ~	`Ed25519`
Encryption Algorithms	1.1 ~	`RSA1_5` `RSA-OAEP` `RSA-OAEP-256` `A128KW` `A192KW` `A256KW` `dir` `ECDH-ES` `ECDH-ES+A128KW` `ECDH-ES+A192KW` `ECDH-ES+A256KW` `A128GCMKW` `A192GCMKW` `A1256GCMKW` `PBES2-HS256+A128KW` `PBES2-HS384+A192KW` `PBES2-HS512+A256KW`
	2.2 ~	`X25519`
Encryption Methods	1.1 ~	`A128CBC-HS256` `A192CBC-HS384` `A256CBC-HS512` `A128GCM` `A192GCM` `A256GCM`
Authlete Specific	1.1 ~	Client ID alias Extra properties Renewal policy on refresh tokens Single access token per subject Error description omission Error URI omission Granted scopes management ^*1 PKCE enforcement
	2.0 ~	Scope attributes PKI certificate chain validation for mutual TLS authentication (RFC 8705)
	2.1 ~	Mandating S256 for code_challenge_method (PKCE) JWT-based access token Allowable clock skew Mandating binding message in FAPI context (FAPI-CIBA) Advanced renewal policy on refresh tokens
	2.2 ~	Additional claims in a header part of ID tokens HSM (Hardware Security Module) support Variability of loopback redirection URIs
	2.3 ~	Database table isolation Idempotent refresh token Additional arbitrary claims in JWT access tokens Auto-generation of access tokens for external attachments (OIDC4IDA) Single access token per subject (configuration per client) PKCE enforcement (configuration per client) Restrictions on the use of token exchange (RFC 8693) Restrictions on the use of JWT authorization grant (RFC 7523)
Token Duration Configuration	1.1 ~	Access token duration per service Refresh token duration per service ID token duration per service
	2.0 ~	Access token duration per scope Refresh token duration per scope
	2.1 ~	Access token duration per client Refresh token duration per client Backchannel authentication request ID duration per service (CIBA Core) Authorization response JWT duration per service (JARM) Verification code duration per service (RFC 8628)
	2.2 ~	Request URI duration per service (RFC 9126)

^{*1 : Only available in Enterprise plan}

OpenID Certification

OpenID Certification	Version	Categories
OpenID Provider	1.1 ~	Basic OP Implicit OP Hybrid OP Config OP
OpenID Provider	2.1 ~	Dynamic OP Form Post OP
FAPI OpenID Provider	2.1 ~	Financial-grade API (FAPI) 1.0 Second Implementer’s Draft FAPI R/W OP w/ MTLS FAPI R/W OP w/ Private Key
FAPI OpenID Provider	2.2 ~	Financial-grade API (FAPI) 1.0 Final FAPI Adv. OP w/ MTLS FAPI Adv. OP w/ MTLS, PAR FAPI Adv. OP w/ Private Key FAPI Adv. OP w/ Private Key, PAR FAPI Adv. OP w/ MTLS, JARM FAPI Adv. OP w/ Private Key, JARM FAPI Adv. OP w/ MTLS, PAR, JARM FAPI Adv. OP w/ Private Key, PAR, JARM UK Open Banking (Based on FAPI 1 Advanced Final) UK-OB Adv. OP w/ MTLS UK-OB Adv. OP w/ Private Key Australia CDR (Based on FAPI 1 Advanced Final) AU-CDR Adv. OP w/ Private Key AU-CDR Adv. OP w/ Private Key, PAR Brazil Open Banking (Based on FAPI 1 Advanced Final) BR-OB Adv. OP w/ MTLS BR-OB Adv. OP w/ Private Key BR-OB Adv. OP w/ MTLS, PAR BR-OB Adv. OP w/ Private Key, PAR BR-OB Adv. OP w/ MTLS, JARM BR-OB Adv. OP w/ Private Key, JARM BR-OB Adv. OP w/ MTLS, PAR, JARM BR-OB Adv. OP w/ Private Key, PAR, JARM BR-OB Adv. OP DCR Financial-grade API (FAPI) 1.0 Second Implementer’s Draft FAPI R/W OP w/ MTLS FAPI R/W OP w/ MTLS, PAR FAPI R/W OP w/ Private Key FAPI R/W OP w/ Private Key, PAR UK-OB R/W OP w/ MTLS UK-OB R/W OP w/ Private Key AU-CDR R/W OP w/ Private Key AU-CDR R/W OP w/ Private Key, PAR
FAPI-CIBA Profile OpenID Provider	2.1 ~	FAPI-CIBA OP Poll w/ MTLS FAPI-CIBA OP Poll w/ Private Key FAPI-CIBA OP Ping w/ MTLS FAPI-CIBA OP Ping w/ Private Key

Last Updated at August 12, 2022 by Authlete, Inc.

Spec Sheet

Specification

OpenID Certification