Supported standards

AM implements the following RFCs, Internet-Drafts, and standards:

Open Authentication

RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm, supported by the OATH authentication modules and nodes.

RFC 6238: TOTP: Time-Based One-Time Password Algorithm, supported by the OATH authentication modules and nodes.

For more information, see Open Authentication.

OAuth 2.0

RFC 6749: The OAuth 2.0 Authorization Framework

RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage

RFC 7009: OAuth 2.0 Token Revocation

RFC 7515: JSON Web Signature (JWS)

RFC 7516: JSON Web Encryption (JWE)

RFC 7517: JSON Web Key (JWK)

RFC 7518: JSON Web Algorithms (JWA)

RFC 7519: JSON Web Token (JWT)

RFC 7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants

RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

RFC 7636: Proof Key for Code Exchange by OAuth Public Clients

RFC 7662: OAuth 2.0 Token Introspection

RFC 7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)

RFC 8628: OAuth 2.0 Device Authorization Grant

RFC 8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

RFC 7592: OAuth 2.0 Dynamic Client Registration Management Protocol

Internet Draft: JWT Response for OAuth Token Introspection

RFC 8693: OAuth 2.0 Token Exchange (Access token to access token, access token to ID token, ID token to ID token, and ID token to access token)

RFC 9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)

RFC 9126: OAuth 2.0 Pushed Authorization Requests

For more information, see OAuth 2.0

OpenID Connect 1.0

OpenID Connect Core 1.0 incorporating errata set 1.

In section 5.6 of this specification, AM supports Normal Claims. AM does not support the optional Aggregated Claims and Distributed Claims representations.

OpenID Connect Client Initiated Backchannel Authentication Flow - Core 1.0 draft-02

AM applies the guidelines suggested by the OpenID Financial-grade API (FAPI) Working Group to the implementation of CIBA, which shapes the support of CIBA in AM.

Implementation Decisions Applying to CIBA Support in AM

AM only supports the CIBA "poll" mode, not the "push" or "ping" modes.
AM requires use of confidential clients for CIBA.
AM requires use of signed JSON-web tokens (JWT) to pass parameters, using one of the following algorithms:
- ES256 - ECDSA with SHA-256 and NIST standard P-256 elliptic curve.
- PS256 - RSASSA-PSS using SHA-256.

Plain JSON or form parameters for CIBA-related data is not supported.

OpenID Connect Discovery 1.0

OpenID Connect Dynamic Client Registration 1.0

OpenID Connect Session Management 1.0 Draft 05

OpenID Connect Session Management 1.0 Draft 10

OAuth 2.0 Multiple Response Type Encoding Practices

OAuth 2.0 Form Post Response Mode

Financial-grade API: JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)

OpenID Connect Back-Channel Logout 1.0 Draft 06.

AM currently only supports backchannel logout when acting as the provider.

For more information, see:

User-Managed Access (UMA) 2.0

User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization

Federated Authorization for User-Managed Access (UMA) 2.0

For more information, see: User-Managed Access (UMA) 2.0

Security Assertion Markup Language (SAML) and Federation-related standards

AM supports SAML v2.0; support for SAML v1.1 and v1.0 was removed in AM 7, although WS-Federation functionality still creates assertions in SAML v1.x format.

SAML Specifications are available from the OASIS standards page.

Web Services Federation Language (WS-Federation)

Web Services Description Language (WSDL)

eXtensible Access Control Markup Language (XACML)

For more information, see Security Assertion Markup Language (SAML)

Encryption and signatures

Assertion encryption:

aes128-cbc
aes192-cbc
aes256-cbc
tripledes-cbc

Assertion signatures:

rsa-sha1
rsa-sha256
rsa-sha384
rsa-sha512

Query string signatures:

rsa-sha1
rsa-sha256
rsa-sha384
rsa-sha512
ecdsa-sha1
ecdsa-sha256
ecdsa-sha384
ecdsa-sha512

RFC 2898: PKCS #5: Password-Based Cryptography Specification Version 2.0

RFC 3394: Advanced Encryption Standard (AES) Key Wrap Algorithm

RFC 7518: JSON Web Algorithms (JWA)

Federal Information Processing Standard (FIPS) "Security Requirements for Cryptographic Modules"

Other standards

Representational State Transfer (REST)

Simple Object Access Protocol (SOAP)

Recommendation E.146, concerning Mobile Subscriber ISDN Numbers (MSISDN), supported for authentication.

RFC 1271: Remote Network Monitoring Management Information Base, supported for monitoring over SNMP.

RFC 2578: Structure of Management Information Version 2 (SMIv2), supported for monitoring over SNMP.

RFC 2616: Hypertext Transfer Protocol — HTTP/1.1.

RFC 2579: Textual Conventions for SMIv2, supported for monitoring over SNMP.

RFC 2617: HTTP Authentication: Basic and Digest Access Authentication, supported as an authentication module.

RFC 2865: Remote Authentication Dial In User Service (RADIUS), supported as an AM service.

RFC 4510: Lightweight Directory Access Protocol (LDAP), for authentication modules and when accessing data stores.

RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, supported for certificate-based authentication.

RFC 5646: Tags for Identifying Languages.

RFC 5785: Defining Well-Known Uniform Resource Identifiers (URIs).

RFC 6265: HTTP State Management Mechanism regarding HTTP Cookies and Set-Cookie header fields.

RFC 7239: Forwarded HTTP Extension.

Internet-Draft: Password Policy for LDAP Directories (draft 09).