Standards
AuthHero is built on open identity standards. This section tracks every spec AuthHero touches and how complete our implementation is.
| Status | Meaning |
|---|---|
| Full | All MUST-level requirements are implemented. Optional features may still vary. |
| Partial | Core functionality works, but some optional features or endpoints from the spec are not yet implemented. |
| Planned | Declared in discovery metadata or on the roadmap, but not yet functional. |
OAuth 2.0 family
Tokens & keys
| Standard | Status |
|---|---|
| RFC 7517 — JSON Web Key (JWK) | Full |
| RFC 7519 — JSON Web Token (JWT) | Full |
OpenID Connect
| Standard | Status |
|---|---|
| OpenID Connect Core 1.0 | Partial |
| OpenID Connect Discovery 1.0 | Full |
| OAuth 2.0 Form Post Response Mode | Full |
Federation
| Standard | Status |
|---|---|
| SAML 2.0 | Partial |
Notes on unimplemented endpoints
A few capabilities are advertised in `/.well-known/openid-configuration` or tracked on the roadmap but are not yet wired up. A client that follows the discovery document to these endpoints will not get the behaviour the RFC describes, so do not depend on them yet. In particular, while `revocation_endpoint` is unrouted, an issued token cannot be revoked via RFC 7009 before it expires:
- RFC 7009 — Token Revocation: `revocation_endpoint` is advertised but not yet routed.
- RFC 8628 — Device Authorization Grant: `device_authorization_endpoint` is advertised but not yet routed.
- RFC 8693 — Token Exchange: `act`-claim based impersonation exists internally, but the `urn:ietf:params:oauth:grant-type:token-exchange` grant type is not exposed. (RFC 8693 defines token exchange as a grant at the token endpoint rather than as a separate endpoint.)
These will be documented as dedicated pages once implemented.
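A practical way to catch this class of drift is to compare the discovery document against what the server actually routes. The following is an added example, not AuthHero code: it walks every `*_endpoint` value (plus `jwks_uri`) in a discovery document, probes each one, and reports the keys whose route does not exist, and it checks `grant_types_supported` for the token-exchange grant, since RFC 8693 is a grant type rather than an endpoint. The discovery document, the hostname `auth.example.com`, and the probe responses are constructed for illustration; in real use, replace `sampleProbe` with a function that sends a bare request with `fetch()` and returns `response.status`.

```typescript
// Added example (not AuthHero code): audit a discovery document for
// advertised endpoints that the server does not actually route.
// The discovery document and probe responses below are constructed.

type Discovery = Record<string, unknown>;

// Returns the HTTP status a bare request to `url` produced. In production
// wrap fetch(); here it is injected so the example runs offline.
type Probe = (url: string) => number;

interface EndpointReport {
  key: string;     // metadata key, e.g. "revocation_endpoint"
  url: string;
  status: number;
  routed: boolean;
}

// A route that exists but rejects an unauthenticated, parameterless request
// answers 400/401/405 and the like; only 404 and 501 mean "no handler".
function isRouted(status: number): boolean {
  return status !== 404 && status !== 501;
}

// Probe every `*_endpoint` value (plus jwks_uri) in the discovery document.
function auditDiscovery(doc: Discovery, probe: Probe): EndpointReport[] {
  const reports: EndpointReport[] = [];
  for (const [key, value] of Object.entries(doc)) {
    const isEndpoint = key.endsWith("_endpoint") || key === "jwks_uri";
    if (!isEndpoint || typeof value !== "string") continue;
    const status = probe(value);
    reports.push({ key, url: value, status, routed: isRouted(status) });
  }
  return reports;
}

// Names of endpoints a client would try and fail to reach.
function unroutedEndpoints(reports: EndpointReport[]): string[] {
  return reports.filter((r) => !r.routed).map((r) => r.key);
}

// RFC 8693 token exchange is a grant_type at the token endpoint, not a
// separate endpoint, so check grant_types_supported instead. OpenID
// Discovery defaults the list to authorization_code and implicit when absent.
function supportsGrant(doc: Discovery, grant: string): boolean {
  const listed = doc["grant_types_supported"];
  const grants = Array.isArray(listed) ? listed : ["authorization_code", "implicit"];
  return grants.includes(grant);
}

const TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange";

// Constructed discovery document: advertises two endpoints the server lacks.
const sampleDiscovery: Discovery = {
  issuer: "https://auth.example.com/",
  authorization_endpoint: "https://auth.example.com/authorize",
  token_endpoint: "https://auth.example.com/oauth/token",
  jwks_uri: "https://auth.example.com/.well-known/jwks.json",
  revocation_endpoint: "https://auth.example.com/oauth/revoke",
  device_authorization_endpoint: "https://auth.example.com/oauth/device/code",
  grant_types_supported: ["authorization_code", "refresh_token"],
};

// Constructed probe standing in for a real HTTP client: the only routes the
// hypothetical server has, with the status a bare request gets back.
const sampleProbe: Probe = (url) => {
  const routes: Record<string, number> = {
    "https://auth.example.com/authorize": 400,             // missing client_id
    "https://auth.example.com/oauth/token": 400,           // missing grant_type
    "https://auth.example.com/.well-known/jwks.json": 200,
  };
  return routes[url] ?? 404;
};

// Usage: lists the advertised-but-missing endpoints and the grant check.
console.log(unroutedEndpoints(auditDiscovery(sampleDiscovery, sampleProbe)));
console.log(TOKEN_EXCHANGE, supportsGrant(sampleDiscovery, TOKEN_EXCHANGE));
```

Treating only 404 and 501 as "unrouted" is deliberate: a bare request to a real token or authorization endpoint is rejected with 400 or 401, and that rejection is evidence the handler exists. Run the audit against a staging deployment after each release and fail the build if the unrouted list is non-empty, or keep an allowlist of the endpoints this page already documents as not yet wired up.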