RFC Compliance

Ahdapa implements 27 IETF RFCs and standards — 25 fully, 2 partially.

Full (25)

Partial (2)

RFC	Title	Status	Notes
RFC 6749	OAuth 2.0 Authorization Framework	Full	Authorization code + PKCE, client credentials, device flow.
RFC 6750	OAuth 2.0 Bearer Token Usage	Full	Bearer token transport in Authorization header.
RFC 7009	OAuth 2.0 Token Revocation	Full	Family-wide revocation; JTI blocklist propagated via CRDT gossip.
RFC 7519	JSON Web Token (JWT)	Full	Self-contained stateless tokens with configurable signing algorithms.
RFC 7521	Assertion Framework for OAuth 2.0	Full	Foundation for JWT-based client authentication.
RFC 7523	JWT Profile for OAuth 2.0 Client Authentication	Full	private_key_jwt and client_secret_jwt authentication methods.
RFC 7636	Proof Key for Code Exchange (PKCE)	Full	S256 challenge method; plain method intentionally not supported.
RFC 8414	OAuth 2.0 Authorization Server Metadata	Full	Discovery at /.well-known/oauth-authorization-server.
RFC 8628	OAuth 2.0 Device Authorization Grant	Full	Device code flow for input-constrained devices.
RFC 8693	OAuth 2.0 Token Exchange	Full	Full OBO flow with actor_token, act claim chains, scope intersection, HBAC.
RFC 8705	OAuth 2.0 Mutual-TLS Client Authentication	Full	tls_client_auth and self_signed_tls_client_auth; certificate-bound tokens.
RFC 8707	Resource Indicators for OAuth 2.0	Full	Audience-restricted tokens via resource parameter.
RFC 9068	JWT Profile for OAuth 2.0 Access Tokens	Full	Structured JWT access tokens with standard claims.
RFC 9126	Pushed Authorization Requests (PAR)	Full	Pre-register authorization parameters via POST.
RFC 9207	Authorization Server Issuer Identification	Full	iss parameter in authorization response for mix-up attack prevention.
RFC 9449	Demonstration of Proof-of-Possession (DPoP)	Full	Sender-constrained tokens with DPoP proof JWTs.
RFC 9700	OAuth 2.0 Security Best Current Practice	Full	Comprehensive security recommendations implemented throughout.
RFC 7662	OAuth 2.0 Token Introspection	Full	Token introspection endpoint for resource servers.
RFC 9447	ACME Challenges Using an Authority Token	Full	Kerberos-authenticated authority token issuance for tkauth-01.
RFC 9118	Enhanced JWT Claim Constraints	Full	EnhancedJWTClaimConstraints DER encoding in authority tokens.
RFC 8226	Secure Telephone Identity Credentials (JWT Claim Constraints)	Full	JWTClaimConstraints extension format for Kerberos identity binding.
OIDC Core 1.0	OpenID Connect Core 1.0	Full	ID tokens, UserInfo endpoint, pairwise subjects, acr_values.
OIDC Discovery	OpenID Connect Discovery 1.0	Full	Dynamic scopes_supported and claims_supported from CRDT state.
W3C WebAuthn L2	Web Authentication Level 2	Full	Passkey registration and assertion; EC2, OKP, RSA key types.
OIDC Federation	OpenID Connect Federation 1.0	Partial	Entity Statement published; bilateral and direct-subordinate trust; no multi-hop intermediaries.
RFC 7591	OAuth 2.0 Dynamic Client Registration	Partial	Admin API CRUD; public endpoint gated by registration_token.
draft-ietf-jose-fully-specified-algorithms	ML-DSA Algorithm Identifiers for JOSE	Full	ML-DSA-44/65/87 key generation and signing via native-ossl.