Skip to content
TCTDX Identity

Protocol contract

The provider should advertise only implemented behavior. Discovery metadata is a contract, not marketing copy.

Required initial surface

  • Authorization Code Flow with PKCE S256.
  • Exact redirect URI matching.
  • Short-lived, single-use authorization codes.
  • Token endpoint issuing bearer access tokens and ID tokens for OIDC requests.
  • JWKS for active public signing keys.
  • UserInfo with scope-authorized claims only.
  • Public subject identifiers unless pairwise subject identifiers are implemented.

Explicitly unsupported until implemented

  • Implicit flow.
  • Hybrid flow.
  • Resource Owner Password Credentials.
  • Refresh tokens and offline_access.
  • Token exchange.
  • Dynamic client registration.
  • Introspection and revocation endpoints.

Unsupported features must fail safely and stay out of metadata.

Token transport

Bearer tokens should use the Authorization header. The rewrite should reject access tokens in query strings to avoid leaks through logs, browser history, and referrers.