Standards and references

This Security Token Service application is primarily based upon the RFC8693 OAuth 2.0 Token Exchange specification and implements various OAuth 2.0 related specifications that enable clients to request and obtain security tokens in a secure and standardized manner.

Standards implemented in this application

• RFC 6749 OAuth 2.0 Authorization Framework
• RFC 6750 OAuth 2.0 Authorization Framework: Bearer Token Usage
• RFC 7009 OAuth 2.0 Token Revocation
• RFC 7521 OAuth 2.0 Assertion Framework
• RFC 7523 OAuth JWT Assertion Profiles for OAuth 2.0 Client Authentication and Authorization Grants
• RFC 7662 OAuth 2.0 Introspection messages
• RFC 7591 OAuth 2.0 Dynamic Client Registration Protocol
• RFC 7592 OAuth 2.0 Dynamic Registration Management
• RFC 8414 OAuth 2.0 Authorization Server Metadata
• RFC 8628 OAuth 2.0 Device Grant
• RFC 8693 OAuth 2.0 Token Exchange

Standards incorporated into this application

• RFC 7515 JSON Web Signature (JWS)
• RFC 7516 JSON Web Encryption (JWE)
• RFC 7517 JSON Web Key (JWK)
• RFC 7518 JSON Web Algorithms (JKA)
• RFC 7519 JSON Web Token (JWT)

plus

• OpenID Connect Discovery 1.0
• RFC 7797 JSON Web Signature for Unencoded Payloads (JUP)
• RFC 8252 OAuth 2.0 for Native Apps
• RFC 8615 Well-Known Uniform Resource Identifiers (URIs)

Standards used by this application for reference and best practice

• WS-Trust 1.4 Trusted [SOAP] message exchange
• WS-Federation 1.2 Security realm federation

Many of the specifications implemented and integrated into this application are developed within the IETF OAuth working group .