Best-Practice Checklist
Run your integration through this checklist before going live.
- Read endpoints from the discovery document; do not hardcode them.
- Use signed authorization requests (JAR), and ask for your client to require them in production.
- Add PAR on top of signing for high-security deployments.
- Always use PKCE
S256(mandatory for public clients). - Use the
_onlyscope form (see Scopes) and pick the verification level deliberately: Dynamic for high assurance, Express for speed. - Send a stable
login_hintper user (see login_hint) — never alternate identifiers for the same person. - If trust on first use is unacceptable, pre-provision profiles via the user-management API; delete profiles when users leave.
- Validate the ID token properly: signature against
jwks_uri, plusiss,aud,exp, andnonce. - Verify
stateon every redirect. - Enforce your required
acr(see Reading the Result); do not just trust that a token was issued. Do not correlate users bysub— it changes every session. - Prefer
private_key_jwtor mTLS over shared secrets for confidential clients. - Consider DPoP or mTLS-bound tokens for sensitive APIs.
- Decide your retry and lockout policy for failed verifications.