# RFC compliance matrix

Every standard the library actively cites in its code, mapped to the package that implements it and the option or feature flag that gates it.

## Status legend

- **full**: implements the spec end-to-end.
- **partial**: implements the parts the OP needs; some optional sections are out of scope by design.
- **planned**: in the spec list, not landed yet.
- **out**: out of scope; structurally not the library's concern.
- **refused**: deliberately rejected (e.g. `alg=none`).
## OIDC core / discovery
| Standard | Status | Where |
|---|---|---|
| OpenID Connect Core 1.0 | full | op/, internal/authorize, internal/tokenendpoint, internal/userinfo |
| OpenID Connect Discovery 1.0 | full | internal/discovery |
| OpenID Connect Dynamic Client Registration 1.0 | partial (core flow, sector_identifier_uri fetch, application_type=web / =native redirect rules, JWKs / pairwise / response-type cross-checks, and PUT reserved-field rejection are enforced; client_secret is intentionally omitted from GET /register/{id} responses, software_statement is not accepted) | internal/registrationendpoint |
| OpenID Connect RP-Initiated Logout 1.0 | full | internal/endsession |
| OpenID Connect Back-Channel Logout 1.0 | full | internal/backchannel |
| OpenID Connect Front-Channel Logout 1.0 | planned | — |
| OpenID Connect Session Management 1.0 | out (third-party-cookie-dependent; back-channel preferred) | — |
## OAuth 2.0 core RFCs
| RFC | Status | Where / option |
|---|---|---|
| RFC 6749 OAuth 2.0 Framework | full | op/, internal/authorize, internal/tokenendpoint |
| RFC 6750 Bearer Token Usage | full | internal/tokens |
| RFC 6819 Threat Model & Security Considerations | full (the threat model this library is designed against; the BCP itself is RFC 9700, below) | whole codebase |
| RFC 7009 Token Revocation | full (gated by feature.Revoke) | internal/revokeendpoint |
| RFC 7521 Assertion Framework | full | internal/clientauth |
| RFC 7523 JWT Bearer Assertions for Client Auth | full (private_key_jwt) | internal/clientauth |
| RFC 7591 Dynamic Client Registration | partial (gated by feature.DynamicRegistration; software_statement is rejected with invalid_software_statement) | internal/registrationendpoint |
| RFC 7592 DCR Management | partial (read / update / delete; PUT omission resets to server defaults rather than deleting fields, and the response only re-emits client_secret on a none → confidential auth-method upgrade or an explicit rotation request) | internal/registrationendpoint |
| RFC 7636 PKCE | full (only S256; plain refused) | internal/pkce |
| RFC 7662 Token Introspection | full (gated by feature.Introspect) | internal/introspectendpoint |
| RFC 7800 Proof-of-Possession Key Semantics (cnf) | full | internal/dpop, internal/mtls, internal/tokens |
| RFC 8252 OAuth 2.0 for Native Apps | full (loopback hardening enforced) | internal/registrationendpoint, internal/authorize |
| RFC 8414 Authorization Server Metadata | full | internal/discovery |
| RFC 8485 Vectors of Trust | partial (consumed via ACR/AAL mapping) | op/aal.go, op/acr.go |
| RFC 8628 Device Authorization Grant | planned (grant.DeviceCode reserved; not yet wired) | — |
| RFC 8705 OAuth 2.0 mTLS Client Auth & Cert-Bound Tokens | full (gated by feature.MTLS) | internal/mtls |
| RFC 8707 Resource Indicators | full | internal/tokenendpoint |
| RFC 8725 JWT Best Current Practices | full (alg allow-list, type checks) | internal/jose |
| RFC 9068 JWT Profile for Access Tokens | full | internal/tokens |
| RFC 9101 JAR (JWT-Secured Authorization Request) | full (gated by feature.JAR) | internal/jar |
| RFC 9126 PAR (Pushed Authorization Requests) | full (gated by feature.PAR) | internal/parendpoint |
| RFC 9207 OAuth 2.0 Authorization Server Issuer Identifier | full | internal/authorize (iss parameter on the response) |
| RFC 9396 Rich Authorization Requests (authorization_details) | full (consumed at JAR merge & authorize) | internal/jar, internal/authorize |
| RFC 9449 DPoP | full incl. §8 nonce flow (gated by feature.DPoP) | internal/dpop, op.WithDPoPNonceSource |
| RFC 9470 OAuth 2.0 Step Up Authentication Challenge | full | op/rule.go (RuleACR) |
| RFC 9700 OAuth 2.0 Security Best Current Practice | full | whole codebase |
| RFC 9701 JWT Response for OAuth 2.0 Token Introspection | planned | — |
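The S256-only rule in the RFC 7636 row above, shown as an added example. This is not the library's own `internal/pkce` code; the function names (`Verify`, `ChallengeS256`, `ValidateVerifier`) and error values are assumptions made for illustration. The vector in `main` is the one from RFC 7636 Appendix B.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Illustrative example, not the library's internal/pkce package: the
// token-endpoint check RFC 7636 §4.6 requires, with "plain" refused outright.

var (
	ErrPlainRefused      = errors.New("pkce: code_challenge_method=plain is refused")
	ErrUnknownMethod     = errors.New("pkce: unknown code_challenge_method")
	ErrVerifierFormat    = errors.New("pkce: code_verifier violates RFC 7636 §4.1")
	ErrChallengeMismatch = errors.New("pkce: code_verifier does not match code_challenge")
)

// unreserved is the RFC 7636 §4.1 code_verifier alphabet: [A-Za-z0-9-._~].
func unreserved(c byte) bool {
	switch {
	case 'A' <= c && c <= 'Z', 'a' <= c && c <= 'z', '0' <= c && c <= '9':
		return true
	case c == '-', c == '.', c == '_', c == '~':
		return true
	}
	return false
}

// ValidateVerifier enforces the 43..128 length and the alphabet of §4.1
// before anything is hashed, so malformed input never reaches the compare.
func ValidateVerifier(v string) error {
	if len(v) < 43 || len(v) > 128 {
		return ErrVerifierFormat
	}
	for i := 0; i < len(v); i++ {
		if !unreserved(v[i]) {
			return ErrVerifierFormat
		}
	}
	return nil
}

// ChallengeS256 is BASE64URL(SHA256(ASCII(code_verifier))), unpadded (§4.2).
func ChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Verify checks the token request's code_verifier against the challenge and
// method stored with the authorization code. Only S256 is accepted; "plain"
// gets its own error so the refusal is visible in logs. The comparison is
// constant-time so timing does not reveal how many leading bytes matched.
func Verify(storedChallenge, storedMethod, verifier string) error {
	switch storedMethod {
	case "S256":
	case "plain":
		return ErrPlainRefused
	default:
		return ErrUnknownMethod
	}
	if err := ValidateVerifier(verifier); err != nil {
		return err
	}
	got := ChallengeS256(verifier)
	if subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) != 1 {
		return ErrChallengeMismatch
	}
	return nil
}

func main() {
	// Test vector from RFC 7636 Appendix B.
	verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
	challenge := "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
	fmt.Println("S256 match:", Verify(challenge, "S256", verifier))
	fmt.Println("plain:", Verify(verifier, "plain", verifier))
	fmt.Println("tampered:", Verify(challenge, "S256", verifier[:42]+"x"))
}
```

The method is taken from what was stored at the authorize step, never from the token request, so a client cannot downgrade its own challenge after the fact.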
## JOSE family
| RFC | Status | Where |
|---|---|---|
| RFC 7515 JWS | full | internal/jose |
| RFC 7517 JWK | full | internal/jwks |
| RFC 7518 JWA | partial — only RS256, PS256, ES256, EdDSA allowed; HS* and none refused | internal/jose |
| RFC 7519 JWT | full | internal/jose |
| RFC 7638 JWK Thumbprint | full (used by DPoP cnf.jkt) | internal/dpop |
| RFC 8037 Edwards-curve DSA / EdDSA | full (Ed25519; Ed448 not enabled) | internal/jose |
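The allow-list in the RFC 7518 row and the `refused` status for `alg=none` and HS*, together with the alg and type checks the RFC 8725 row mentions, as an added example. It is not the library's `internal/jose` code; `ParseHeader`, `Precheck`, the `Allowed` table and the error values are illustrative names. It goes one step past the page's list by pinning each alg to a JWK key type, so a header can never steer verification toward a key of the wrong family (the RSA-public-key-as-HMAC-secret confusion that RFC 8725 §3.1 warns about).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Illustrative example, not the library's internal/jose package: the header
// pre-check that runs before any key lookup or signature verification.

var (
	ErrMalformed     = errors.New("jose: malformed compact JWS")
	ErrAlgRefused    = errors.New("jose: alg is refused")
	ErrAlgUnknown    = errors.New("jose: alg not on the allow-list")
	ErrTypMismatch   = errors.New("jose: typ does not match the expected token type")
	ErrKeyTypeForAlg = errors.New("jose: key type does not match alg")
)

// Allowed maps each accepted alg to the only JWK kty it may be used with.
var Allowed = map[string]string{
	"RS256": "RSA",
	"PS256": "RSA",
	"ES256": "EC",
	"EdDSA": "OKP",
}

// refused names the algs rejected with an explicit reason instead of
// "unknown": "none" removes integrity entirely, and HS* lets a published
// public key be reused as an HMAC secret.
func refused(alg string) bool {
	return alg == "none" || strings.HasPrefix(alg, "HS")
}

// Header holds the protected-header members this check needs; other
// members (crit, jwk, x5c, ...) are left to the full verifier.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

// ParseHeader decodes only the protected header of a compact JWS.
func ParseHeader(compactJWS string) (Header, error) {
	parts := strings.Split(compactJWS, ".")
	if len(parts) != 3 {
		return Header{}, ErrMalformed
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return Header{}, ErrMalformed
	}
	var h Header
	if err := json.Unmarshal(raw, &h); err != nil {
		return Header{}, ErrMalformed
	}
	return h, nil
}

// normTyp applies RFC 7515 §4.1.9: typ is compared case-insensitively and
// an "application/" prefix may be omitted ("at+jwt" == "application/AT+JWT").
func normTyp(t string) string {
	return strings.TrimPrefix(strings.ToLower(t), "application/")
}

// Precheck gates verification: alg must be on the allow-list (RFC 8725
// §3.1), typ must be the explicit type this endpoint expects (RFC 8725
// §3.11, e.g. RFC 9068's "at+jwt" for access tokens), and the resolved
// key's kty must belong to that alg. It returns the alg the verifier may use.
func Precheck(h Header, wantTyp, keyKty string) (string, error) {
	if refused(h.Alg) {
		return "", ErrAlgRefused
	}
	kty, ok := Allowed[h.Alg]
	if !ok {
		return "", ErrAlgUnknown
	}
	if normTyp(h.Typ) != normTyp(wantTyp) {
		return "", ErrTypMismatch
	}
	if kty != keyKty {
		return "", ErrKeyTypeForAlg
	}
	return h.Alg, nil
}

// compact builds a constructed three-part token from a header JSON string;
// the payload is "{}" and the signature is a placeholder, since only the
// header is inspected here.
func compact(headerJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(headerJSON)) + ".e30.sig"
}

func main() {
	for _, hdr := range []string{
		`{"alg":"RS256","typ":"at+jwt","kid":"k1"}`,
		`{"alg":"none","typ":"at+jwt"}`,
		`{"alg":"HS256","typ":"at+jwt"}`,
		`{"alg":"ES256","typ":"at+jwt"}`,
		`{"alg":"RS256","typ":"JWT"}`,
	} {
		h, err := ParseHeader(compact(hdr))
		if err == nil {
			_, err = Precheck(h, "at+jwt", "RSA")
		}
		fmt.Printf("%-45s -> %v\n", hdr, err)
	}
}
```

Note that the allow-list is case-sensitive, as RFC 7518 names are: `"NONE"` or `"rs256"` are not on it and fall out as unknown, so they are still rejected without needing a special case.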
## FAPI family
| Profile | Status | Switch |
|---|---|---|
| FAPI 2.0 Baseline | full (continuously regression-tested; see OFCS) | op.WithProfile(profile.FAPI2Baseline) |
| FAPI 2.0 Message Signing | full (continuously regression-tested) | op.WithProfile(profile.FAPI2MessageSigning) |
| FAPI 1.0 Advanced | out | — (use FAPI 2.0) |
| FAPI-CIBA | planned for v1.x | profile.FAPICIBA (constant exists) |
| OpenID iGov High | planned for v2 | profile.IGovHigh (constant exists) |
## Other RFCs the library cites
| RFC | Use |
|---|---|
| RFC 1918 | Private-network deny-list for back-channel logout SSRF defense |
| RFC 3986 | URI parsing |
| RFC 4122 | UUIDv4 generation |
| RFC 4514 | DN handling for mTLS subject DN |
| RFC 4648 | Base64url encoding |
| RFC 5280 | X.509 cert validation |
| RFC 6238 | TOTP authenticator |
| RFC 6265 | Cookie syntax |
| RFC 6711 | Level of Assurance (LoA) profile registry, used for acr values |
| RFC 7230 / 7231 / 7232 / 7235 | HTTP/1.1 (obsoleted by RFC 9110 and RFC 9112) |
| RFC 7807 | application/problem+json (selected error paths) |
| RFC 8176 | AMR values registry |
| RFC 8259 | JSON |
| RFC 9110 | HTTP semantics |
## Verification

The list is grepped from the live source under `op/` and `internal/`. You can audit it yourself:

```sh
git clone https://github.com/libraz/go-oidc-provider.git
cd go-oidc-provider
grep -rhoE 'RFC [0-9]+' op/ internal/ | sort -u
```

The RFC rows above mirror the output of that command, with the ones that are normative for the library called out in their own tables and the incidental references rolled up in "Other". Note that the pattern only matches a number written directly after `RFC` and a space, so a chained citation such as `RFC 7230 / 7231` contributes only its first number to the output.