Version 6.x has been out of support since May 14, 2024, and this corresponding section of the documentation is no longer maintained. We strongly recommend you upgrade to the latest supported version of 7.x and read the latest version of this documentation.

Supported Specifications

Duende IdentityServer implements the following specifications:

OpenID Connect

  • OpenID Connect Core 1.0 (spec)
  • OpenID Connect Discovery 1.0 (spec)
  • OpenID Connect RP-Initiated Logout 1.0 (spec)
  • OpenID Connect Session Management 1.0 (spec)
  • OpenID Connect Front-Channel Logout 1.0 (spec)
  • OpenID Connect Back-Channel Logout 1.0 (spec)
  • Multiple Response Types (spec)
  • Form Post Response Mode (spec)
  • Enterprise Edition: OpenID Connect Client-Initiated Backchannel Authentication (CIBA) (spec).

OAuth 2.x

  • OAuth 2.0 (RFC 6749)
  • OAuth 2.0 Bearer Token Usage (RFC 6750)
  • JSON Web Token (RFC 7519)
  • OAuth 2.0 Token Revocation (RFC 7009)
  • OAuth 2.0 Token Introspection (RFC 7662)
  • Proof Key for Code Exchange by OAuth Public Clients (RFC 7636)
  • OAuth 2.0 JSON Web Tokens for Client Authentication (RFC 7523)
  • OAuth 2.0 Device Authorization Grant (RFC 8628)
  • Proof-of-Possession Key Semantics for JSON Web Tokens (RFC 7800)
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens (RFC 8705)
  • OAuth 2.0 Token Exchange (RFC 8693)
  • JWT Secured Authorization Request / JAR (RFC 9101)
  • JWT Profile for OAuth 2.0 Access Tokens (RFC 9068)
  • OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response (RFC 9207)
  • OAuth 2.0 Step-up Authentication Challenge Protocol (RFC pending)
  • Business Edition: OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
  • Business Edition: OAuth 2.0 Pushed Authorization Requests (RFC 9126)
  • Enterprise Edition: Resource Indicators for OAuth 2.0 (RFC 8707)
  • Enterprise Edition: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer / DPoP (RFC 9449)