Skip to main content

Implemented technologies and standards

Abblix OIDC Server implements the OAuth 2.0, OpenID Connect, and JWT standards listed below. The server is certified by the OpenID Foundation across all login and logout profiles, with zero failures and zero skipped tests in 600+ conformance checks.

OAuth 2.0 core standards

  • The OAuth 2.0 Authorization Framework: RFC 6749: Defines procedures for secure authorization of applications including authorization code, implicit, client credentials, and resource owner password credentials flows.
  • The OAuth 2.0 Authorization Framework: Bearer Token Usage: RFC 6750: Secures protected resource access with bearer tokens, including compliant authentication challenges and proper HTTP status code mapping for token errors.
  • HTTP Semantics: Authentication: RFC 9110, Section 11: Ensures all 401 responses include authentication challenges matching the client's authentication scheme.
  • OAuth 2.0 Token Revocation: RFC 7009: Describes methods to securely invalidate access and refresh tokens.
  • OAuth 2.0 Token Introspection: RFC 7662: Allows resource servers to verify the active state and metadata of tokens.
  • JWT Response for OAuth Token Introspection: RFC 9701: Returns the token introspection response as a signed and optionally encrypted JWT, letting the requesting party verify the response's origin and integrity.
  • Proof Key for Code Exchange (PKCE): RFC 7636: Improves security for public clients during authorization code exchange.
  • OAuth 2.0 Device Authorization Grant: RFC 8628: Enables OAuth 2.0 authorization on devices with limited input capabilities (smart TVs, game consoles, IoT devices) by delegating user interaction to a secondary device.
  • OAuth 2.0 Dynamic Client Registration Protocol: RFC 7591: Provides mechanisms for clients to register dynamically with authorization servers.
  • OAuth 2.0 Dynamic Client Registration Management Protocol: RFC 7592: Enables management operations (read, update, delete) for dynamically registered clients.
  • OAuth 2.0 Token Exchange: RFC 8693: Allows a client to exchange a security token for a different one, enabling delegation and impersonation flows across services.
  • OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens: RFC 8705: Provides mutual TLS authentication with PKI and self-signed certificate validation, plus certificate-bound tokens.
  • OAuth 2.0 Resource Indicators: RFC 8707: Enables clients to specify the resources they want access to.
  • JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens: RFC 9068: Specifies the use of JWTs as OAuth 2.0 access tokens.
  • JWT-Secured Authorization Request (JAR): RFC 9101: Passes authorization request parameters in a JWT that may be signed and optionally encrypted, protecting their integrity and confidentiality.
  • JWT Secured Authorization Response Mode (JARM): JARM: Returns the authorization response parameters in a JWT that may be signed and optionally encrypted, protecting their integrity and confidentiality.
  • OAuth 2.0 Pushed Authorization Requests (PAR): RFC 9126: Lets clients push authorization request parameters directly to the authorization server instead of passing them through the browser.
  • OAuth 2.0 Authorization Server Issuer Identification: RFC 9207: Ensures the authenticity of authorization servers to clients.
  • OAuth 2.0 Rich Authorization Requests (RAR): RFC 9396: Lets clients request fine-grained authorization for specific operations, beyond the coarse-grained scope parameter.
  • OAuth 2.0 Demonstrating Proof of Possession (DPoP): RFC 9449: Sender-constrains access tokens by binding each one to a public key the client proves possession of on every request, so a stolen token is unusable without the corresponding private key.
  • OAuth 2.0 Multiple Response Type Encoding Practices: Specification: Encodes different response types in OAuth 2.0 requests.
  • OAuth 2.0 Form Post Response Mode: Specification: Transmits OAuth 2.0 responses via HTTP form posts.

JSON web standards

  • JSON Web Signature (JWS): RFC 7515: Defines digital signature and MAC methods for JSON data structures.
  • JSON Web Encryption (JWE): RFC 7516: Defines encryption methods for JSON data structures.
  • JSON Web Key (JWK): RFC 7517: Defines a JSON representation of cryptographic keys.
  • JSON Web Algorithms (JWA): RFC 7518: Defines cryptographic algorithms for use with JWS, JWE, and JWK.
  • JSON Web Token (JWT): RFC 7519: Defines the structure and use of JWTs for representing claims securely.
  • JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants: RFC 7523: Uses JWTs for secure client authentication (private_key_jwt, client_secret_jwt) and as authorization grants.
  • Authentication Method Reference Values: RFC 8176: Defines standardized values for the amr (Authentication Methods References) JWT claim, enabling interoperable communication of authentication methods (password, OTP, biometrics, MFA, smart card, etc.).

OpenID Connect specifications

  • OpenID Connect Core 1.0: Specification: Core functionality for OpenID Connect identity layer over OAuth 2.0, including ID Token issuance, standard claims, and authentication flows.
  • OpenID Connect Discovery 1.0 / OAuth 2.0 Authorization Server Metadata: Specification, RFC 8414: Enables clients to discover provider configurations dynamically via the well-known endpoint.
  • OpenID Connect Dynamic Client Registration 1.0: Specification: Enables OpenID Connect clients to register dynamically with providers.
  • OpenID Connect Session Management 1.0: Specification: Manages user session states in identity providers with check_session_iframe support.
  • OpenID Connect RP-Initiated Logout 1.0: Specification: Details logout initiated by relying parties via the end-session endpoint.
  • OpenID Connect Front-Channel Logout 1.0: Specification: Handles logout requests through front-channel communication.
  • OpenID Connect Back-Channel Logout 1.0: Specification: Manages logout processes using back-channel communication with logout tokens.
  • OpenID Connect Client-Initiated Backchannel Authentication (CIBA): Specification: Enables secure user authentication via backchannel communication on devices without direct web access, commonly used in IoT and financial-services scenarios. Supports three delivery modes: poll (client polls token endpoint), ping (server notifies client at callback), and push (server delivers tokens to notification endpoint).
  • Pairwise Pseudonymous Identifiers (PPID): OpenID Connect Core Section 8: Implements a privacy mechanism by generating unique subject identifiers per client.

Client authentication methods

The server supports all standard client authentication methods:

  • client_secret_basic - HTTP Basic authentication with client credentials
  • client_secret_post - Client credentials in POST body
  • client_secret_jwt - HMAC-signed JWT assertion
  • private_key_jwt - RSA/EC-signed JWT assertion
  • tls_client_auth - PKI mutual TLS authentication
  • self_signed_tls_client_auth - Self-signed certificate mutual TLS
  • none - Public clients without authentication