Features

A complete OAuth 2.0 & OpenID Connect identity provider with enterprise features, post-quantum security, and FreeIPA-native integration.

OAuth 2.0 & OpenID Connect

Comprehensive protocol coverage with 25+ RFCs implemented.

Authorization Code + PKCE

Full authorization code flow with S256 PKCE for public and confidential clients. Plain method intentionally omitted per security best practices.
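Worked example (added here, not code from the project): how the S256 challenge is derived on the client and checked at the token endpoint, with the plain method refused as the entry above states. Function names are my own; the test vector is the one in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 §4.1: 43-128 characters from the unreserved set.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_verifier(nbytes: int = 32) -> str:
    """Client side: a fresh high-entropy code_verifier (32 bytes -> 43 chars)."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 §4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method, presented_verifier: str) -> bool:
    """Server side, at the token endpoint.

    stored_challenge / stored_method were bound to the authorization code when it
    was issued; presented_verifier arrives with the code in the token request.
    Only S256 is accepted: a missing method (which RFC 7636 would default to
    'plain') or an explicit 'plain' is rejected outright.
    """
    if stored_method != "S256":
        return False
    if not _VERIFIER_RE.fullmatch(presented_verifier):
        return False
    # Constant-time compare so the check leaks nothing about the stored value.
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    v = generate_verifier()
    c = s256_challenge(v)
    print("verifier:", v)
    print("challenge:", c)
    print("S256 accepted:", verify_pkce(c, "S256", v))
    print("plain accepted:", verify_pkce(v, "plain", v))
```

The verifier length and character-set check matters on the server too: an attacker who obtains a leaked authorization code still cannot redeem it without the verifier, and a challenge bound to a malformed verifier should never have been accepted in the first place.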

Client Credentials & Device Flow

Machine-to-machine client credentials grant and RFC 8628 device authorization grant for input-constrained devices.

Token Exchange (OBO)

Full RFC 8693 On-Behalf-Of flow with actor_token validation, act claim chains, three-way scope intersection, and delegation target guards.
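Added illustration of the checks named above, written for this page rather than taken from the project: the issued scope is the intersection of requested, subject-token and actor-client scope; the act claim nests earlier actors; the subject token's may_act claim (RFC 8693 §4.4) and a per-client list of permitted delegation targets act as guards. The `delegation_targets` registration field and the sample tokens are constructed assumptions.

```python
import time
from typing import Optional


class TokenExchangeError(Exception):
    """Raised when an exchange request must be refused."""


def three_way_scope_intersection(requested: Optional[str], subject_scopes, actor_allowed) -> set:
    """requested ∩ subject-token scope ∩ actor client's registered scope.

    The new token can never carry more than the user granted (subject token) or
    more than the acting client is registered for. An absent scope parameter
    means "as much of the subject token's scope as the actor may hold".
    """
    requested_set = set(requested.split()) if requested else set(subject_scopes)
    return requested_set & set(subject_scopes) & set(actor_allowed)


def build_act_claim(actor_sub: str, previous_act: Optional[dict]) -> dict:
    """Newest actor outermost, earlier actors nested inside (RFC 8693 §4.1)."""
    act = {"sub": actor_sub}
    if previous_act:
        act["act"] = previous_act
    return act


def exchange_on_behalf_of(subject_token: dict, actor_token: dict, actor_client: dict,
                          requested_scope: Optional[str], target_audience: str,
                          now: Optional[int] = None,
                          issuer: str = "https://idp.example") -> dict:
    """Token endpoint logic for grant_type=token-exchange with an actor_token."""
    now = int(time.time()) if now is None else now
    # actor_token validation: live, and owned by the client making the request
    if actor_token.get("exp", 0) <= now:
        raise TokenExchangeError("actor_token expired")
    if actor_token.get("sub") != actor_client["client_id"]:
        raise TokenExchangeError("actor_token does not belong to the requesting client")
    if subject_token.get("exp", 0) <= now:
        raise TokenExchangeError("subject_token expired")
    # may_act guard: if the subject token names who may act for it, enforce that
    may_act = subject_token.get("may_act")
    if may_act is not None and may_act.get("sub") != actor_token["sub"]:
        raise TokenExchangeError("subject token does not permit this actor")
    # delegation target guard (assumption: registration lists allowed audiences)
    if target_audience not in actor_client.get("delegation_targets", ()):
        raise TokenExchangeError("client may not delegate to this audience")
    scopes = three_way_scope_intersection(
        requested_scope,
        subject_token.get("scope", "").split(),
        actor_client.get("scope", "").split(),
    )
    if not scopes:
        raise TokenExchangeError("no scope survives the intersection")
    return {
        "iss": issuer,
        "sub": subject_token["sub"],
        "aud": target_audience,
        "scope": " ".join(sorted(scopes)),
        "act": build_act_claim(actor_token["sub"], subject_token.get("act")),
        "iat": now,
        "exp": min(now + 300, subject_token["exp"]),  # never outlive the subject token
    }


# Constructed sample data for a two-hop chain: user -> api-gateway -> reports-svc
NOW = 1_700_000_000
SUBJECT_TOKEN = {"sub": "alice", "scope": "read write admin", "exp": NOW + 3600,
                 "may_act": {"sub": "api-gateway"}}
GATEWAY_TOKEN = {"sub": "api-gateway", "exp": NOW + 600}
GATEWAY_CLIENT = {"client_id": "api-gateway", "scope": "read write",
                  "delegation_targets": ["https://reports.example"]}
REPORTS_TOKEN = {"sub": "reports-svc", "exp": NOW + 600}
REPORTS_CLIENT = {"client_id": "reports-svc", "scope": "read",
                  "delegation_targets": ["https://archive.example"]}


def two_hop_chain() -> dict:
    """Exchange twice and return the second token, whose act claim shows both actors."""
    hop1 = exchange_on_behalf_of(SUBJECT_TOKEN, GATEWAY_TOKEN, GATEWAY_CLIENT,
                                 "read admin", "https://reports.example", now=NOW)
    return exchange_on_behalf_of(hop1, REPORTS_TOKEN, REPORTS_CLIENT,
                                 None, "https://archive.example", now=NOW)


if __name__ == "__main__":
    print(two_hop_chain())
```

Note that the first hop requests "read admin" but receives only "read": admin is not in the gateway's registered scope, and the second hop cannot recover it because the intersection is taken against the already-narrowed hop-1 token.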

DPoP & Mutual-TLS

RFC 9449 Demonstration of Proof-of-Possession and RFC 8705 mutual-TLS client authentication with certificate-bound access tokens.

Pushed Authorization Requests

RFC 9126 PAR — pre-register authorization parameters via POST for enhanced security and long parameter lists.

OpenID Connect

OIDC Core 1.0 with ID tokens, UserInfo endpoint, pairwise subject identifiers, Discovery, and partial Federation support.

Authentication

Multiple authentication methods for users, services, and federated identities.

Kerberos SSO (SPNEGO)

Zero-click single sign-on for domain members via GSSAPI. No passwords, no redirects — the browser negotiates authentication automatically.

Passkey (WebAuthn)

W3C WebAuthn Level 2 passkey registration and assertion. Credentials merged from FreeIPA LDAP and the server's own database.

Federated Authentication

Upstream IdP delegation with OIDC Discovery and static endpoint overrides for plain OAuth2 providers like GitHub and Discord.

Kerberos Client Authentication

Machine clients present a Kerberos AP-REQ in Authorization: Negotiate. No per-machine secret needed — principal matched against registered patterns.

Password Form (LDAP)

FreeIPA LDAP-backed password authentication as a fallback for clients not on the Kerberos domain.

Seven Token Endpoint Auth Methods

private_key_jwt, client_secret_jwt, client_secret_basic, client_secret_post, tls_client_auth, self_signed_tls_client_auth, and kerberos_client_auth.

Security

Post-quantum cryptography, stateless tokens, and defense-in-depth.

Post-Quantum Signing

ML-DSA-44/65/87 (FIPS 204) JWT signing alongside ES256, EdDSA, RS256, and PS256. Automatic key rotation on algorithm change.

Stateless Tokens

Self-contained JWTs with no per-token server-side storage. Authorization codes and refresh tokens are AES-256-GCM encrypted.

Session Revocation

Explicit logout records with JTI blocklist propagated to all cluster nodes via CRDT gossip. Short-lived revocation records with automatic expiry.
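Added example of the data structure the entry above describes, written for this page and not taken from the project's gossip code: a JTI blocklist kept as a grow-only map from JTI to the revoked token's expiry, merged by taking the maximum so that the result is the same whatever order nodes receive updates in, and pruned once the revoked token would have expired on its own. The gossip round is a simplified all-to-all simulation; the wire encoding and CRDT type the project actually uses are not on the page and are not assumed here.

```python
from typing import Dict, List


class RevocationSet:
    """jti -> exp, merged by max.

    merge() is commutative, associative and idempotent, so every node converges to
    the same state regardless of delivery order or duplicates. A revocation record
    only needs to outlive the token it blocks, which keeps the set short-lived.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, int] = {}

    def revoke(self, jti: str, token_exp: int) -> None:
        """Record a logout for the token with this JTI; keep the later expiry."""
        self._entries[jti] = max(self._entries.get(jti, 0), token_exp)

    def merge(self, delta: Dict[str, int]) -> None:
        """Apply a snapshot received from another node."""
        for jti, exp in delta.items():
            self.revoke(jti, exp)

    def snapshot(self) -> Dict[str, int]:
        return dict(self._entries)

    def is_revoked(self, jti: str, now: int) -> bool:
        exp = self._entries.get(jti)
        return exp is not None and exp > now

    def prune(self, now: int) -> int:
        """Drop records whose token has expired anyway; returns how many were dropped."""
        dead = [jti for jti, exp in self._entries.items() if exp <= now]
        for jti in dead:
            del self._entries[jti]
        return len(dead)


def accept_token(claims: dict, revocations: RevocationSet, now: int) -> bool:
    """Stateless validation plus the one piece of shared state: the blocklist."""
    if claims.get("exp", 0) <= now:
        return False
    return not revocations.is_revoked(claims["jti"], now)


def gossip_round(nodes: List[RevocationSet]) -> None:
    """Every node merges every other node's snapshot (constructed simulation)."""
    snapshots = [n.snapshot() for n in nodes]
    for node in nodes:
        for snap in snapshots:
            node.merge(snap)


def converged(nodes: List[RevocationSet]) -> bool:
    first = nodes[0].snapshot()
    return all(n.snapshot() == first for n in nodes[1:])


if __name__ == "__main__":
    now = 1_700_000_000
    a, b, c = RevocationSet(), RevocationSet(), RevocationSet()
    a.revoke("t1", now + 600)   # user logged out on node a
    b.revoke("t2", now + 60)    # another user logged out on node b
    gossip_round([a, b, c])
    print("converged:", converged([a, b, c]))
    print("t1 on c:", c.is_revoked("t1", now))
    print("pruned at +120s:", [n.prune(now + 120) for n in (a, b, c)])
```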

Post-Quantum Gossip Encryption

ML-KEM-768 (FIPS 203) for inter-node gossip traffic. CMS SignedData(EnvelopedData) wrapping with ECDSA P-256 outer signature.

Resource Indicators

RFC 8707 audience-restricted tokens. Tokens are scoped to specific resource servers, preventing misuse across services.

Issuer Identification

RFC 9207 iss parameter in authorization responses to prevent authorization server mix-up attacks.
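Added example covering the two entries above (Resource Indicators and Issuer Identification); it is illustration written for this page, not the project's code. The client-side function handles the redirect back from the authorization server: it checks state, then requires the RFC 9207 iss parameter to match the issuer learned from metadata whenever that metadata advertised `authorization_response_iss_parameter_supported`. The resource-server function accepts a token only when its aud names the resource, which is what RFC 8707 audience restriction buys. URLs and identifiers are constructed.

```python
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class AuthorizationResponseError(Exception):
    """The redirect back to the client must not be turned into a token request."""


def _single(params: dict, name: str) -> Optional[str]:
    """Return the one value for name, None if absent; refuse duplicated parameters."""
    values = params.get(name, [])
    if len(values) > 1:
        raise AuthorizationResponseError(f"parameter {name} repeated")
    return values[0] if values else None


def extract_authorization_code(redirect_url: str, expected_state: str,
                               expected_issuer: str, issuer_supports_iss: bool) -> str:
    """Client side: validate the authorization response before redeeming the code.

    issuer_supports_iss is taken from the AS metadata fetched at configuration
    time. When it is true, a missing or foreign iss is the mix-up signal RFC 9207
    exists to catch, so the code is discarded rather than sent to a token endpoint.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    state = _single(params, "state") or ""
    if not hmac.compare_digest(state, expected_state):
        raise AuthorizationResponseError("state mismatch")
    if _single(params, "error") is not None:
        raise AuthorizationResponseError(f"authorization failed: {_single(params, 'error')}")
    if issuer_supports_iss:
        iss = _single(params, "iss")
        if iss is None or iss != expected_issuer:
            raise AuthorizationResponseError("issuer mismatch: possible mix-up attack")
    code = _single(params, "code")
    if not code:
        raise AuthorizationResponseError("no authorization code in response")
    return code


def token_audience_matches(claims: dict, resource_identifier: str) -> bool:
    """Resource-server side: a token minted for another service is rejected here."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return isinstance(aud, list) and resource_identifier in aud


if __name__ == "__main__":
    url = "https://app.example/cb?code=abc&state=xyz&iss=https%3A%2F%2Fidp.example"
    print(extract_authorization_code(url, "xyz", "https://idp.example", True))
    print(token_audience_matches({"aud": ["https://api.example"]}, "https://api.example"))
```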

Enterprise & Scaling

From single-node to multi-node clusters with FreeIPA-native access control.

CRDT Gossip Replication

Built-in gossip protocol for multi-node deployments. Signing keys, client registry, scope definitions, and revocations converge automatically.

Multi-Database Backends

SQLite for zero-config single-node deployments. PostgreSQL or MariaDB for production clusters. Switch with one configuration line.

HBAC Access Control

FreeIPA-compatible Handler-Based Access Control policies. Define which users may obtain tokens for which clients with what authentication strength.

FreeIPA Co-Deployment

Discovers external IdP registrations and user authentication constraints from FreeIPA LDAP. Respects the built-in allow_all HBAC rule.

ACME Token Authority

RFC 9447 token authority for ACME tkauth-01 challenges. Kerberos-authenticated issuance of signed authority token JWTs.

Token Introspection & Revocation

RFC 7662 introspection for resource servers and RFC 7009 revocation with upstream token revocation support.

Identity & Integration

Machine-readable APIs, SPIFFE support, and self-service user management.

Identity API

Machine-readable directory API at /api/identity/ for SSSD and system-level clients. Bearer-token-gated user and group lookups.

SPIFFE Workload API

Trust domain authority issuing X.509-SVIDs and JWT-SVIDs via Unix domain socket gRPC. Bridges SPIFFE identity to OAuth2 via mTLS.

Self-Service Profile

Users can view and modify their IPA attributes — name, contact, SSH keys, certificates, password — through /ui/me.

Admin WebUI

React 19 + PatternFly 6 admin panel for managing clients, users, groups, federation providers, and HBAC policies.

Admin CLI (ahdapactl)

Full-featured command-line tool for cluster management — register clients, manage keys, configure HBAC, and monitor nodes.

Upstream Token Store

Store and refresh tokens from upstream IdPs. Automatic revocation of old upstream tokens on replacement when configured.