OAuth 2.1 & OpenID Compatibility Matrix
This document provides an overview of SympAuthy's compatibility with the OAuth 2.1 specification (draft-ietf-oauth-v2-1) and OpenID Connect. OAuth 2.1 consolidates OAuth 2.0 (RFC 6749) and its security best practices into a single specification. Items marked Planned are not yet enforced but will be in a future release.
Grant Types
| Grant Type | Status | Reference |
|---|---|---|
| Authorization Code Grant | Supported | draft-ietf-oauth-v2-1 - section 4.1 |
| Implicit Grant | Not Supported | Removed in draft-ietf-oauth-v2-1 (was RFC 6749 - 4.2) |
| Resource Owner Password Credentials Grant | Not Supported | Removed in draft-ietf-oauth-v2-1 (was RFC 6749 - 4.3) |
| Client Credentials Grant | Supported | draft-ietf-oauth-v2-1 - section 4.2 |
| Refresh Token Grant | Supported | draft-ietf-oauth-v2-1 - section 4.3 |
The Implicit Grant and the Resource Owner Password Credentials (ROPC) grant have been removed from OAuth 2.1. The Implicit Grant returns the access token in the redirect URL fragment, where it is exposed to browser history, referrer leakage and any script running on the page. The ROPC grant hands the user's credentials directly to the client, bypassing the delegated authorization model OAuth was designed to provide, and cannot accommodate multi-factor authentication.
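The Refresh Token Grant row above is only safe for public clients when the server rotates refresh tokens and treats reuse of an already-rotated token as theft; OAuth 2.1 requires refresh tokens issued to public clients to be sender-constrained or one-time use, and the Token Types section below lists rotation as supported. The following Go program is an added illustration of that rule and is not SympAuthy's code: `RefreshStore`, `Issue` and `Rotate` are hypothetical names, and the in-memory maps stand in for whatever persistence the server uses.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// ErrInvalidGrant is the OAuth error the token endpoint returns for a bad refresh token.
var ErrInvalidGrant = errors.New("invalid_grant")

// record tracks one refresh token. Every token descending from the same authorization shares
// a family, so a stolen token can be tied back to the tokens issued to the legitimate client.
type record struct {
	family  string
	subject string
	used    bool // set once the token has been exchanged at the token endpoint
}

// RefreshStore is a hypothetical in-memory store (a server would persist this and expire rows).
type RefreshStore struct {
	mu      sync.Mutex
	tokens  map[string]*record
	revoked map[string]bool // family -> revoked
}

func NewRefreshStore() *RefreshStore {
	return &RefreshStore{tokens: map[string]*record{}, revoked: map[string]bool{}}
}

func randomToken() string {
	b := make([]byte, 32) // 256 bits of entropy, never derived from anything guessable
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// Issue mints the first refresh token of a new family, e.g. after an authorization code grant.
func (s *RefreshStore) Issue(subject string) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	t := randomToken()
	s.tokens[t] = &record{family: randomToken(), subject: subject}
	return t
}

// Rotate exchanges a refresh token for a new one and invalidates the old one. Presenting a token
// that was already rotated means two parties hold the same token, so the whole family is revoked:
// the attacker loses access and the legitimate client is forced to re-authenticate.
func (s *RefreshStore) Rotate(presented string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, ok := s.tokens[presented]
	if !ok || s.revoked[rec.family] {
		return "", ErrInvalidGrant
	}
	if rec.used {
		s.revoked[rec.family] = true
		return "", fmt.Errorf("%w: refresh token reuse detected, family revoked", ErrInvalidGrant)
	}
	rec.used = true
	next := randomToken()
	s.tokens[next] = &record{family: rec.family, subject: rec.subject}
	return next, nil
}

func main() {
	s := NewRefreshStore()
	rt1 := s.Issue("alice")
	rt2, _ := s.Rotate(rt1) // legitimate client rotates
	_, err := s.Rotate(rt1) // attacker replays the old token
	fmt.Println("replay:", err)
	_, err = s.Rotate(rt2) // the legitimate client's current token is now dead too
	fmt.Println("after revocation:", err)
}
```

The important design choice is that reuse revokes the whole family rather than just the presented token: the server cannot tell whether the replay came from the attacker or from the victim, so it ends the session for both and forces a fresh authorization.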
Token Types
| Token Type | Status | Reference |
|---|---|---|
| Access Token | Supported | draft-ietf-oauth-v2-1 - section 1.4 |
| Refresh Token | Supported | draft-ietf-oauth-v2-1 - section 1.5 |
| ID Token (JWT) | Supported | OpenID Connect Core 1.0 |
| Refresh Token Rotation (Public Clients) | Supported | draft-ietf-oauth-v2-1 - section 6.1 |
| JWT Profile for Access Tokens | Supported | RFC 9068 |
| Sender-constrained Tokens (DPoP) | Supported | RFC 9449 |
| Sender-constrained Tokens (mTLS) | Not Supported | RFC 8705 |
| Bearer Tokens in Query Strings | Not Supported | draft-ietf-oauth-v2-1 - section 5.1 |
SympAuthy supports sender-constrained tokens via DPoP (RFC 9449). When a client sends a valid DPoP proof, the issued access token is bound to the client's key pair and returned with `token_type: "DPoP"`; a resource server must then require a fresh proof, signed with that same key, on every request that presents the token. See the Security documentation for details.
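To make the binding concrete, here is a minimal DPoP exchange in Go, added for this page and not taken from SympAuthy: the client builds an ES256 proof with `MakeProof`, and the server side checks it with `VerifyProof` against the `cnf.jkt` thumbprint the access token carries. `as.example` and all function names are assumptions; the replay cache shows what the Planned row in the next section adds, and the signature is verified directly with the standard library rather than a JWT library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// coord renders a P-256 coordinate as the fixed 32-byte base64url string JWK requires.
func coord(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }

// JWKThumbprint implements RFC 7638 for P-256 (SHA-256 of the required members, keys sorted, no whitespace); it is the value in a DPoP-bound token's cnf.jkt.
func JWKThumbprint(pub *ecdsa.PublicKey) string {
	h := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, coord(pub.X), coord(pub.Y))))
	return b64.EncodeToString(h[:])
}

// MakeProof is the client side: a DPoP proof JWT for one HTTP request (RFC 9449 section 4.2).
// The header carries the public key; the payload binds method (htm), URL (htu) and a fresh jti.
func MakeProof(priv *ecdsa.PrivateKey, method, url string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand.Read is documented never to fail (Go 1.24+)
	jwk := map[string]string{"kty": "EC", "crv": "P-256", "x": coord(priv.PublicKey.X), "y": coord(priv.PublicKey.Y)}
	header, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk})
	claims, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": method, "htu": url, "iat": now.Unix()})
	input := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS ES256 signatures are the raw 64-byte R||S concatenation, not ASN.1 DER.
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// Verifier is the server side; seenJTI is a replay cache (the page lists replay detection as Planned) that a real server would bound and expire.
type Verifier struct{ seenJTI map[string]bool }

// VerifyProof accepts a proof only if it is well-formed, signed by the key it carries, bound to
// this request, fresh, not replayed, and made with the key the token was issued to (cnf.jkt).
func (v *Verifier) VerifyProof(proof, method, url, expectedJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	var header struct{ Typ, Alg string; JWK struct{ Kty, Crv, X, Y string } }
	if err := json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[0]))).Decode(&header); err != nil {
		return err
	}
	if header.Typ != "dpop+jwt" || header.Alg != "ES256" || header.JWK.Kty != "EC" || header.JWK.Crv != "P-256" {
		return errors.New("unsupported proof header") // never let the proof choose a weaker alg
	}
	xb, errX := b64.DecodeString(header.JWK.X)
	yb, errY := b64.DecodeString(header.JWK.Y)
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(sig) != 64 {
		return errors.New("malformed key or signature")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { // off-curve points also fail here (Go 1.20+)
		return errors.New("invalid proof signature")
	}
	var claims struct{ Jti, Htm, Htu string; Iat int64 }
	if err := json.NewDecoder(base64.NewDecoder(b64, strings.NewReader(parts[1]))).Decode(&claims); err != nil {
		return err
	}
	if claims.Htm != method || claims.Htu != url {
		return errors.New("proof is bound to a different request")
	}
	if age := now.Unix() - claims.Iat; age < -30 || age > 300 {
		return errors.New("proof outside the acceptance window")
	}
	if JWKThumbprint(pub) != expectedJKT {
		return errors.New("proof key does not match the token's cnf.jkt binding")
	}
	if v.seenJTI[claims.Jti] {
		return errors.New("proof replayed (jti already seen)")
	}
	v.seenJTI[claims.Jti] = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	proof, _ := MakeProof(priv, "POST", "https://as.example/api/oauth2/token", time.Now())
	v := &Verifier{seenJTI: map[string]bool{}}
	fmt.Println(v.VerifyProof(proof, "POST", "https://as.example/api/oauth2/token", JWKThumbprint(&priv.PublicKey), time.Now()))
}
```

The order of checks matters: the header is pinned to `dpop+jwt`/`ES256` before the key it carries is trusted for anything, the signature is verified before any claim is believed, and the thumbprint comparison is what turns "a valid proof" into "a valid proof from the key this token was issued to". A stolen DPoP token without the private key fails at that last step.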
Client Authentication Methods
| Method | Status | Reference |
|---|---|---|
| Client Secret Basic | Supported | draft-ietf-oauth-v2-1 - section 2.4.1 |
| Client Secret Post | Supported | draft-ietf-oauth-v2-1 - section 2.4.1 |
| Client Secret JWT | Not Supported | RFC 7523 |
| Private Key JWT | Not Supported | RFC 7523 |
| None (Public Clients) | Supported | draft-ietf-oauth-v2-1 |
Authorization Flow Security
| Feature | Status | Reference |
|---|---|---|
| PKCE (S256) | Required | RFC 7636 |
| PKCE Plain Method | Not Supported | RFC 7636 |
| State Parameter | Required | draft-ietf-oauth-v2-1 - section 7.5.1 |
| Nonce Parameter | Supported | OpenID Connect Core |
| Authorization Code One-Time Use | Enforced | draft-ietf-oauth-v2-1 - section 4.1.2 |
| HTTP 307 Redirect Prohibition | Enforced | draft-ietf-oauth-v2-1 - section 7.5.3 |
| DPoP Nonce & Replay Detection | Planned | RFC 9449 - section 8 |
| Exact Redirect URI Matching | Enforced | draft-ietf-oauth-v2-1 - section 7.5.3 |
The `plain` challenge method will not be implemented. RFC 7636 section 7.2 identifies it as vulnerable to interception of the authorization request and recommends `S256` for all deployments.
OAuth 2.1 requires PKCE for all clients using the authorization code flow. SympAuthy enforces this for both public and confidential clients. See the Security documentation for details.
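As an added example (not SympAuthy's code), here are the two checks an authorization server performs, in Go: the authorization endpoint refuses anything but `S256`, including an omitted method, and the token endpoint recomputes the challenge from `code_verifier` with a constant-time comparison. `PendingAuthorization`, `AcceptChallenge` and `VerifyCodeVerifier` are hypothetical names.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

var (
	b64 = base64.RawURLEncoding
	// RFC 7636 section 4.1: code_verifier is 43..128 unreserved characters.
	verifierRE = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

	ErrInvalidRequest = errors.New("invalid_request")
	ErrInvalidGrant   = errors.New("invalid_grant")
)

// NewCodeVerifier creates a 43-character verifier from 32 random bytes (section 4.1).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return b64.EncodeToString(b), nil
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (section 4.2).
func S256Challenge(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return b64.EncodeToString(h[:])
}

// PendingAuthorization is what the server stores alongside the authorization code it issues.
type PendingAuthorization struct{ Challenge string }

// AcceptChallenge is the authorization endpoint's check: PKCE is mandatory for every client and
// only S256 is accepted. An omitted method means "plain" under RFC 7636, so it is refused as well.
func AcceptChallenge(challenge, method string) (PendingAuthorization, error) {
	if method != "S256" {
		return PendingAuthorization{}, fmt.Errorf("%w: code_challenge_method must be S256", ErrInvalidRequest)
	}
	if len(challenge) != 43 { // base64url of a 32-byte SHA-256 digest
		return PendingAuthorization{}, fmt.Errorf("%w: malformed S256 code_challenge", ErrInvalidRequest)
	}
	return PendingAuthorization{Challenge: challenge}, nil
}

// VerifyCodeVerifier is the token endpoint's check (section 4.6). The comparison is constant-time
// so a wrong verifier cannot be distinguished from a right one by timing.
func VerifyCodeVerifier(p PendingAuthorization, verifier string) error {
	if !verifierRE.MatchString(verifier) {
		return fmt.Errorf("%w: malformed code_verifier", ErrInvalidGrant)
	}
	if subtle.ConstantTimeCompare([]byte(S256Challenge(verifier)), []byte(p.Challenge)) != 1 {
		return fmt.Errorf("%w: code_verifier does not match code_challenge", ErrInvalidGrant)
	}
	return nil
}

func main() {
	verifier, _ := NewCodeVerifier()
	pending, _ := AcceptChallenge(S256Challenge(verifier), "S256")
	fmt.Println("matching verifier:", VerifyCodeVerifier(pending, verifier))
	_, err := AcceptChallenge(verifier, "plain")
	fmt.Println("plain method:", err)
}
```

With `plain`, the challenge sent in the authorization request is the verifier itself, so anyone who sees that request can redeem the intercepted code; with `S256` the intercepted challenge is a digest and the verifier never leaves the client until the back-channel token request.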
OpenID Connect
Features
| Feature | Status | Reference |
|---|---|---|
| OpenID Connect Discovery | Supported | OpenID Connect Discovery 1.0 |
| ID Token | Supported | OpenID Connect Core 1.0 |
| Dynamic Client Registration | Not Supported | RFC 7591 |
Scopes
| Scope | Status | Description |
|---|---|---|
| `openid` | Supported | Required for OpenID Connect flows |
| `profile` | Supported | User profile claims |
| `email` | Supported | User email claims |
| `address` | Supported | User address claims |
| `phone` | Supported | User phone claims |
| Custom Scopes | Not Supported | Application-specific scopes |
Endpoints
OAuth 2.1 Endpoints
| Endpoint | Status | Path | Reference |
|---|---|---|---|
| Authorization Endpoint | Supported | /api/oauth2/authorize | draft-ietf-oauth-v2-1 - section 3.1 |
| Token Endpoint | Supported | /api/oauth2/token | draft-ietf-oauth-v2-1 - section 3.2 |
| Token Revocation | Supported | /api/oauth2/revoke | RFC 7009 |
| Token Introspection | Supported | /api/oauth2/introspect | RFC 7662 |
OpenID Connect Endpoints
| Endpoint | Status | Path | Reference |
|---|---|---|---|
| OpenID Provider Configuration | Supported | /.well-known/openid-configuration | OpenID Connect Discovery 1.0 |
| UserInfo Endpoint | Supported | /api/openid/userinfo | OpenID Connect Core 1.0 - section 5.3 |
Legend
- Supported: Feature is implemented and available
- Supported (>= version): Feature is implemented and available since a specific version
- Not Supported: Feature is not implemented and not planned
- Planned: Feature is not yet implemented but will be in a future release
- Required: Feature must be used by clients
- Enforced: Feature is enforced by the server
For more information about OAuth specifications, visit: