Security & Identity Standards

The core OpenID Connect specification defining authentication layer on top of OAuth 2.0.

The OAuth 2.0 authorization framework enabling third-party applications to obtain limited access to HTTP services.

Consolidates OAuth 2.0 and its extensions into a single document with updated security best practices.

Baseline security profile for financial-grade APIs.

Advanced security profile for high-risk financial APIs.

Next generation of Financial-grade API security profile with enhanced security features.

Application-level proof-of-possession mechanism for OAuth 2.0 access tokens.

Best current practices for implementing OAuth 2.0 authorization flows in browser-based applications.

OAuth 2.0 extension for devices that lack a browser or have limited input capability.

Security best practices for OAuth 2.0 cross-device flows to protect against various attacks.

Decoupled authentication flow allowing authentication initiation from one device and confirmation from another.

Security extension to the OAuth 2.0 Authorization Code flow to prevent authorization code interception attacks.

OAuth 2.0 extension that allows clients to push the authorization request payload directly to the authorization server before initiating the authorization flow, protecting against request tampering and improving security.

Compact, URL-safe means of representing claims to be transferred between two parties.

Represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON.

Represents encrypted content using JSON-based data structures.

JSON data structure that represents a cryptographic key.

Cryptographic algorithms and identifiers for use with JWS, JWE, and JWK.

Best practices for creating and validating JSON Web Tokens securely.

Method for expressing trustworthiness of authentication events and identity assertions.

Authentication Method Reference (AMR) values for OAuth and OpenID Connect.

Authentication Context Class Reference (ACR) values for OpenID Connect Extended Authentication Profile.

Protocol for exchanging one security token for another to enable delegation and impersonation scenarios.

Mechanism for clients to indicate to the authorization server that a token is no longer needed.

Method for a resource server to query an authorization server to determine token metadata.

Standard data model for expressing verifiable credentials and verifiable presentations on the web.

New type of identifier for verifiable, decentralized digital identity.

Enhanced DID method building on did:web with additional trust and security features.

Protocol for issuing verifiable credentials using OAuth 2.0 authorization framework.

Protocol for presenting verifiable credentials to relying parties using OpenID Connect.

Mechanism enabling selective disclosure of individual claims from a JSON object.

Data model for verifiable credentials based on SD-JWT with selective disclosure capabilities.

Privacy-preserving status information for credentials including revocation and suspension.

DID method using existing web infrastructure with domain names and HTTP(S).

API enabling strong authentication on the web using public key cryptography and hardware tokens.

Standards for passwordless authentication including WebAuthn and CTAP protocols.

Passkeys are a passwordless authentication method, designed as a simpler and more secure alternative to passwords. They leverage public key cryptography and tie credential access to the user's device, reducing phishing risk. Supported by the FIDO Alliance and major platform providers.

Extension to OpenID Connect for communicating identity assurance levels and evidence.

XML-based framework for exchanging authentication and authorization data between parties.