Standards Conformance
OIDC Web is built on published, interoperable standards. Nothing in the integration is proprietary.
| Standard | Role in OIDC Web |
|---|---|
| OpenID Connect Core 1.0 | The base protocol: authorization endpoint, ID token, userinfo, discovery. |
| OAuth 2.0 (RFC 6749) | The underlying authorization framework. |
| RFC 8414 — Authorization Server Metadata / OIDC Discovery | The /.well-known/openid-configuration document your library reads. |
| RFC 7636 — PKCE | Proof Key for Code Exchange (S256); protects the authorization code in transit. Required for public clients. |
| RFC 9101 — JAR | JWT-Secured Authorization Request: the signed request object. The recommended way to call OIDC Web (see JAR and Signed Authorization Requests). |
| RFC 9126 — PAR | Pushed Authorization Requests: the request is pushed to OIDC Web over a back channel before the browser is redirected. Recommended (see PAR). |
| RFC 9449 — DPoP | Demonstrating Proof-of-Possession: binds access tokens to a client key so a stolen token cannot be replayed. |
| RFC 8705 — mTLS | Mutual-TLS client authentication and certificate-bound access tokens. |
| OpenID Connect CIBA | Client-Initiated Backchannel Authentication: decoupled login without a browser redirect (see CIBA). |
RFC 7523 — JWT client authentication (private_key_jwt) | Asymmetric client authentication at the token endpoint. |
| OIDC RP-Initiated / Front-Channel / Back-Channel Logout | Logout notification to your application, configured at registration. |
| FAPI 2.0 | The Financial-grade API security profile. OIDC Web enforces it for clients configured for signed requests, mandating signed requests, PKCE-S256, and sender-constrained tokens. |
You do not need to read every specification to integrate. A conformant OIDC relying-party library plus this document and the companion Integration & User Guide is enough.