Implemented technologies and standards

Abblix OIDC Server fully implements a comprehensive suite of advanced standards for authorization and security, providing a robust and secure environment for authorization data handling. The server is certified by the OpenID Foundation across all login and logout profiles.

OAuth 2.0 Core Standards

  • The OAuth 2.0 Authorization Framework: RFC 6749: Defines procedures for secure authorization of applications including authorization code, implicit, client credentials, and resource owner password credentials flows.
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage: RFC 6750: Explains how to securely use bearer tokens to access resources.
  • OAuth 2.0 Token Revocation: RFC 7009: Describes methods to securely cancel access and refresh tokens.
  • OAuth 2.0 Token Introspection: RFC 7662: Allows resource servers to verify the active state and metadata of tokens.
  • Proof Key for Code Exchange (PKCE): RFC 7636: Improves security for public clients during authorization code exchange with S256 and plain methods.
  • OAuth 2.0 Device Authorization Grant: RFC 8628: Enables OAuth 2.0 authorization on devices with limited input capabilities (smart TVs, game consoles, IoT devices) by delegating user interaction to a secondary device. Includes brute force protection with exponential backoff and per-IP rate limiting (RFC 8628 Section 5.2), plus atomic device code redemption to prevent race conditions (RFC 8628 Section 3.5).
  • OAuth 2.0 Dynamic Client Registration Protocol: RFC 7591: Provides mechanisms for clients to register dynamically with authorization servers.
  • OAuth 2.0 Dynamic Client Registration Management Protocol: RFC 7592: Enables management operations (read, update, delete) for dynamically registered clients.
  • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens: RFC 8705: Provides mutual TLS authentication with PKI and self-signed certificate validation, plus certificate-bound tokens.
  • OAuth 2.0 Token Exchange: RFC 8693: Details the method for a secure exchange of one token type for another.
  • OAuth 2.0 Resource Indicators: RFC 8707: Enables clients to specify the resources they want access to, enhancing security and access control.
  • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: RFC 9068: Specifies the use of JWTs as OAuth 2.0 access tokens.
  • JWT-Secured Authorization Request (JAR): RFC 9101: Secures authorization requests using JWTs.
  • OAuth 2.0 Pushed Authorization Requests (PAR): RFC 9126: Enhances security by allowing clients to push authorization requests directly to the server.
  • OAuth 2.0 Authorization Server Issuer Identification: RFC 9207: Ensures the authenticity of authorization servers to clients.
  • OAuth 2.0 Multiple Response Type Encoding Practices: Specification: Encodes different response types in OAuth 2.0 requests.
  • OAuth 2.0 Form Post Response Mode: Specification: Transmits OAuth 2.0 responses via HTTP form posts.
  • JWT Secured Authorization Response Mode (JARM): Specification: Secures authorization responses using JWTs.

JSON Web Standards

  • JSON Web Signature (JWS): RFC 7515: Defines digital signature and MAC methods for JSON data structures.
  • JSON Web Encryption (JWE): RFC 7516: Defines encryption methods for JSON data structures.
  • JSON Web Key (JWK): RFC 7517: Defines a JSON representation of cryptographic keys.
  • JSON Web Algorithms (JWA): RFC 7518: Defines cryptographic algorithms for use with JWS, JWE, and JWK.
  • JSON Web Token (JWT): RFC 7519: Defines structure and use of JWTs for representing claims securely.
  • JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants: RFC 7523: Uses JWTs for secure client authentication (private_key_jwt, client_secret_jwt) and as authorization grants.

OpenID Connect Specifications

  • OpenID Connect Core 1.0: Specification: Core functionality for OpenID Connect identity layer over OAuth 2.0, including ID Token issuance, standard claims, and authentication flows.
  • OpenID Connect Discovery 1.0: Specification: Enables clients to discover provider configurations dynamically via the well-known endpoint.
  • OpenID Connect Dynamic Client Registration 1.0: Specification: Enables OpenID Connect clients to register dynamically with providers.
  • OpenID Connect Session Management 1.0: Specification: Manages user session states in identity providers with check_session_iframe support.
  • OpenID Connect RP-Initiated Logout 1.0: Specification: Details logout initiated by relying parties via the end-session endpoint.
  • OpenID Connect Front-Channel Logout 1.0: Specification: Handles logout requests through front-channel communication.
  • OpenID Connect Back-Channel Logout 1.0: Specification: Manages logout processes using back-channel communication with logout tokens.
  • OpenID Connect Client-Initiated Backchannel Authentication (CIBA): Specification: Enables secure user authentication via backchannel communication on devices without direct web access, ideal for IoT and financial services scenarios. Supports three delivery modes: poll (client polls the token endpoint), ping (server notifies the client at its callback), and push (server delivers tokens to the client's notification endpoint).
  • Pairwise Pseudonymous Identifiers (PPID): OpenID Connect Core Section 8: Implements a privacy mechanism by generating unique subject identifiers per client.

Client Authentication Methods

The server supports all standard client authentication methods:

  • client_secret_basic - HTTP Basic authentication with client credentials
  • client_secret_post - Client credentials in POST body
  • client_secret_jwt - HMAC-signed JWT assertion
  • private_key_jwt - RSA/EC-signed JWT assertion
  • tls_client_auth - PKI mutual TLS authentication
  • self_signed_tls_client_auth - Self-signed certificate mutual TLS
  • none - Public clients without authentication
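The client_secret_jwt method above (RFC 7523) is illustrated by this added Python example, which is not Abblix code: the client builds an HS256 client assertion and the server verifies it, pinning the algorithm, checking iss/sub/aud/exp and rejecting a replayed jti. The client id, secret, token endpoint URL and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # base64url without padding, as JWS requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_client_assertion(client_id, client_secret, token_endpoint, jti, now, ttl=60):
    """Client side: HS256 JWT per RFC 7523 (iss == sub == client_id, aud == token endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": jti, "iat": now, "exp": now + ttl}
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, claims))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_client_assertion(assertion, client_id, client_secret, token_endpoint, seen_jtis, now):
    """Server side. Returns (accepted, reason); seen_jtis is the per-client replay cache."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed"
    head, body, sig = parts
    try:
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Pin the algorithm registered for this client; never let the token's "alg" choose it
    if header.get("alg") != "HS256":
        return False, "alg"
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
        return False, "signature"
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "issuer"
    aud = claims.get("aud")  # RFC 7523 allows a single string or an array
    if not (token_endpoint in aud if isinstance(aud, list) else aud == token_endpoint):
        return False, "audience"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jtis:
        return False, "replay"
    seen_jtis.add(jti)  # remember until exp so the same assertion cannot be presented twice
    return True, "ok"
```

In production the replay cache must be shared across server instances and entries may be dropped once their exp has passed.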