Reference: OIDC Extensions and Useful Specs (Link Roundup)
Unknown
2025-12-28

A curated list of OAuth/OIDC extensions, drafts, and companion specs every identity engineer should bookmark — with notes on real-world usefulness and compatibility.

Identity engineers often need to balance standards compliance with practical features. Below is a curated list of protocols, drafts, and companion specs for OAuth and OpenID Connect that are useful in production systems. Each entry includes a short note on when to consider it.

Canonical specs

Important extensions

  • OAuth 2.0 Token Exchange (RFC 8693) — Useful for delegating limited permissions between services.
  • CIBA (Client Initiated Backchannel Authentication) — For decoupled authentication flows (e.g., TV or device without a browser).
  • JWKS (JSON Web Key Set, RFC 7517) — Publication and discovery of signing keys, so verifiers can look up the key that signed a token and follow key rotation.

Security-focused specs

  • PKCE (RFC 7636) — Mandatory for public clients to mitigate authorization code interception.
  • Token Binding (draft) — Binds tokens cryptographically to the TLS connection they were issued over, so a token copied off that connection cannot be replayed elsewhere; adoption is mixed, so rely on it only where both client and server support it.
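To make the PKCE entry concrete, here is an added example (not from the page or any of the linked specs) of the RFC 7636 S256 exchange: the client derives a challenge from a secret verifier, and the authorization server checks the verifier at the token endpoint, rejecting the "plain" method and a verifier that does not match the stored challenge. The function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Added illustration of PKCE (RFC 7636), S256 method. The client keeps
# code_verifier private and sends only code_challenge with the authorization
# request; the later token request carries the verifier, so an intercepted
# authorization code alone cannot be redeemed.

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 section 4.1: 43..128 unreserved chars; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def server_verify(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Authorization-server check at the token endpoint (RFC 7636 section 4.6).
    Only S256 is accepted: 'plain' offers no protection if the authorization
    request itself can be observed."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    # constant-time compare so timing does not reveal matching prefixes
    return hmac.compare_digest(expected, stored_challenge)

def demo() -> dict:
    """Legitimate redemption succeeds; a wrong verifier or 'plain' method fails."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # the server stores (challenge, method) next to the issued authorization code
    return {
        "legit": server_verify(challenge, "S256", verifier),
        "stolen_code_wrong_verifier": server_verify(challenge, "S256", make_code_verifier()),
        "plain_rejected": server_verify(verifier, "plain", verifier),
    }
```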

When to adopt drafts

Approach drafts with caution. If you control both client and server, drafts can provide value, but beware future incompatibilities. Favor stable specs for public-facing services.

Bookmark this

We keep this roundup updated. Bookmark the page and check back when drafting security designs or vendor evaluations.
