This page details our compliance level with the OpenID Connect specifications.
Currently supported
The following features are fully supported in our current implementation.
Server
- Authorization code flow
- Implicit flow
- UserInfo endpoint
- Manual client management through an administrator console
- Client authentication through form parameters, HTTP Basic, and public key JWT assertion
- Webfinger discovery endpoint
- OpenID Configuration discovery endpoint
- JWK Set public key endpoint
- Standard scopes: openid, phone, address, email, profile, and offline_access
- Additional arbitrary scopes
- Refresh tokens
- ID Tokens
- Signed JWT access tokens
- RSA Signing (used for all tokens)
- RSA Encryption
- HMAC Signing
- Dynamic registration endpoint
- Request Objects (signed)
- Introspection Endpoint
- Revocation Endpoint
- Token chaining
Client
- Authorization code flow
- UserInfo fetching service (for user details)
- Form-based authentication
- Webfinger discovery
- OpenID Configuration server discovery
- Request Objects (signed)
- JWK public key endpoint (for signed request objects)
- Standard scopes: openid, phone, address, email, profile, offline_access
- Additional arbitrary scopes
- Signed JWT access tokens
- RSA Signing
- Dynamic registration
- Account chooser / third party login
- Introspection Endpoint (through speical token service)
Currently unsupported / pending implementation / incomplete
The following features are not supported yet, but will be at some point.
- Session management
- Request File (Signed / Encrypted)
- ID-token-only request
- Token chaining client utility library
