Skip to main content
Version: v2.0 (latest)

Standards Conformance

OIDC Web is built on published, interoperable standards. Nothing in the integration is proprietary.

StandardRole in OIDC Web
OpenID Connect Core 1.0The base protocol: authorization endpoint, ID token, userinfo, discovery.
OAuth 2.0 (RFC 6749)The underlying authorization framework.
RFC 8414 — Authorization Server Metadata / OIDC DiscoveryThe /.well-known/openid-configuration document your library reads.
RFC 7636 — PKCEProof Key for Code Exchange (S256); protects the authorization code in transit. Required for public clients.
RFC 9101 — JARJWT-Secured Authorization Request: the signed request object. The recommended way to call OIDC Web (see JAR and Signed Authorization Requests).
RFC 9126 — PARPushed Authorization Requests: the request is pushed to OIDC Web over a back channel before the browser is redirected. Recommended (see PAR).
RFC 9449 — DPoPDemonstrating Proof-of-Possession: binds access tokens to a client key so a stolen token cannot be replayed.
RFC 8705 — mTLSMutual-TLS client authentication and certificate-bound access tokens.
OpenID Connect CIBAClient-Initiated Backchannel Authentication: decoupled login without a browser redirect (see CIBA).
RFC 7523 — JWT client authentication (private_key_jwt)Asymmetric client authentication at the token endpoint.
OIDC RP-Initiated / Front-Channel / Back-Channel LogoutLogout notification to your application, configured at registration.
FAPI 2.0The Financial-grade API security profile. OIDC Web enforces it for clients configured for signed requests, mandating signed requests, PKCE-S256, and sender-constrained tokens.

You do not need to read every specification to integrate. A conformant OIDC relying-party library plus this document and the companion Integration & User Guide is enough.