Supported Specifications

This page lists what TokenIDP currently supports, what is partially implemented, and what is not part of the current product surface.

Supported

  • OAuth 2.1 Authorization Code grant for browser and app sign-in
  • PKCE on the authorization flow for public clients
  • OAuth 2.1 Client Credentials grant
  • Refresh Token grant
  • Device Code grant via /device_authorization and /token
  • OpenID Connect Discovery via /.well-known/openid-configuration
  • JWKS publishing via /.well-known/jwks.json
  • OpenID Connect UserInfo via /userinfo
  • Token revocation via /revoke
  • Token introspection via /introspect
  • Logout via /logout
  • JWT signing with RS256
  • Client authentication on the token endpoint with client_secret_basic and client_secret_post
  • Discovery-advertised grant types: authorization_code, client_credentials, refresh_token, device_code, ciba
  • Client-level rate limiting for OAuth-facing requests
  • Tenant host and request-context resolution for multi-tenant deployments

Partially Supported or Implementation-Specific

  • CIBA poll mode is implemented, but you should validate your user experience, client policy, and notification model before using it broadly.
  • Revocation and introspection endpoints are present, but their request shape is JSON-based and implementation-specific rather than a strict form-encoded standards profile.
  • A password grant handler exists in the server code, but it is not advertised in discovery metadata and should be treated as legacy or internal-only, not a preferred public integration.

Not Supported for New Integrations

  • Implicit flow
  • Hybrid flow
  • Pushed Authorization Requests
  • JARM
  • Dynamic Client Registration
  • private_key_jwt client authentication
  • MTLS-bound access tokens
  • DPoP
  • Front-channel logout specification
  • Back-channel logout specification

Specification References

  • OAuth 2.1 Authorization Framework
  • OAuth 2.1 for Native Apps
  • OAuth 2.1 PKCE
  • OAuth 2.1 Token Revocation
  • OAuth 2.1 Token Introspection
  • OAuth 2.1 Device Authorization Grant
  • OpenID Connect Core 1.0
  • OpenID Connect Discovery 1.0
  • JSON Web Key, RFC 7517
  • JSON Web Token, RFC 7519

Example

curl https://localhost:5001/.well-known/openid-configuration

Confirm that grant_types_supported, response_types_supported, and token_endpoint_auth_methods_supported match your client's expectations.
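As an added example (not part of TokenIDP's own tooling), the following Python script performs the comparison described above: it reports every grant type, response type, client authentication method or ID token signing algorithm that the client expects but the discovery document does not advertise. The discovery document it parses is constructed inline to match the lists on this page; the single "code" response type is an assumption.

```python
import json

# Constructed sample discovery document shaped after the grant types, client
# auth methods and RS256 signing listed on this page; not a TokenIDP capture.
# "code" as the only response type is an assumption.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://localhost:5001",
    "grant_types_supported": ["authorization_code", "client_credentials",
                              "refresh_token", "device_code", "ciba"],
    "response_types_supported": ["code"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic",
                                              "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# The keys this page says to compare, plus the ID token signing algorithm.
CHECKED_KEYS = (
    "grant_types_supported",
    "response_types_supported",
    "token_endpoint_auth_methods_supported",
    "id_token_signing_alg_values_supported",
)


def check_discovery(doc: dict, expected: dict) -> list:
    """Return one message per expected value the document does not advertise.
    An empty list means the metadata matches the client's expectations; it does
    not prove spec conformance of the endpoints themselves (see Common Pitfalls)."""
    problems = []
    for key in CHECKED_KEYS:
        advertised = set(doc.get(key, []))
        for value in sorted(set(expected.get(key, ())) - advertised):
            problems.append(f"{key}: client expects '{value}' but the server "
                            f"does not advertise it")
    return problems


def check_discovery_text(body: str, expected: dict) -> list:
    """Run the check over the raw JSON body returned by the discovery URL."""
    return check_discovery(json.loads(body), expected)


if __name__ == "__main__":
    # A client wanting private_key_jwt and the legacy password grant: both are
    # reported, matching the Not Supported and legacy notes on this page.
    wanted = {"grant_types_supported": {"authorization_code", "password"},
              "response_types_supported": {"code"},
              "token_endpoint_auth_methods_supported": {"private_key_jwt"},
              "id_token_signing_alg_values_supported": {"RS256"}}
    for problem in check_discovery_text(SAMPLE_DISCOVERY, wanted):
        print(problem)
```

To run it against a live server, pass the body returned by the curl command above to check_discovery_text in place of SAMPLE_DISCOVERY.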

Common Pitfalls

  • Assuming discovery metadata alone proves full spec conformance for every optional feature.
  • Treating legacy grants as recommended simply because a handler exists in code.

Troubleshooting

  • When in doubt, compare the actual endpoint request and response formats against the specifications listed under Specification References before picking a client library.