UniAuth.ID

OIDC Feature Matrix

Every OpenID Connect and OAuth 2.0 feature UniAuth supports. If you're coming from Auth0, Okta, or Keycloak, this table tells you what works out of the box.

One URL to rule them all: /.well-known/openid-configuration — advertises every endpoint, claim, scope, and algorithm below.

Core

Discovery (RFC 8414): /.well-known/openid-configuration
JWKS (RFC 7517): /.well-known/jwks.json
Authorization Code flow: /api/oauth/authorize
Token endpoint: /api/oauth/token
UserInfo endpoint: /api/oauth/userinfo
Token Revocation (RFC 7009): /api/oauth/revoke
Token Introspection (RFC 7662): /api/oauth/introspect

Tokens

ID Tokens (RS256 JWT): RS256 signed, OIDC-standard claims
Access Tokens (HS256 JWT): 1h expiry, stateless, pairwise sub
Refresh Tokens with Rotation: Family-based replay detection

Security

PKCE S256 (RFC 7636): Required for all clients (RFC 9700)
Pairwise Subject Identifiers: App-specific sub via HMAC, prevents cross-app correlation
DPoP (RFC 9449): ES256 and RS256 proof-of-possession
PAR (RFC 9126): /api/oauth/par (Pushed Authorization Request)
Post-Quantum Session Signing: ML-DSA-44 (FIPS 204)

Logout

RP-Initiated Logout (OIDC 1.0): /api/oauth/end-session
Back-Channel Logout (OIDC 1.0): RS256 logout tokens via POST
Front-Channel Logout (OIDC 1.0): iframe URLs with iss + sid

Enterprise

Device Authorization (RFC 8628): /api/oauth/device
Token Exchange (RFC 8693): access↔access, id→access delegation
CIBA (OIDC CIBA 1.0): /api/oauth/backchannel-authenticate (Poll mode)
Dynamic Client Registration (RFC 7591): /api/oauth/register
SAML 2.0 Identity Provider: Full SAML 2.0 with pairwise NameIDs
SCIM 2.0 Provisioning: Users, Groups, Bulk ops

Claims

Standard OIDC Claims: sub, name, email, email_verified, picture, locale, zoneinfo, address…
Groups Claim (scope: groups): array of group names in ID token + userinfo
ACR/AMR Claims: urn:uniauth:acr:pwd / mfa / passkey
Custom Claims: Per-client claim mappings (static, user field, role)
Trust Tier Claim: trust_tier + trust_tier_name (UniAuth extension)
Locale/Zoneinfo Claims: From user preferences (OIDC standard)

Flows

Authorization Code Flow + PKCE
Refresh Token Flow: With rotation + replay detection
Client Credentials Flow: Service accounts
Device Code Flow: For TVs, CLIs, smart devices
CIBA Flow: Poll mode, MFA-triggered
Token Exchange Flow

OIDC Conformance

UniAuth implements OpenID Connect Core 1.0, OpenID Connect Discovery 1.0, OpenID Connect Dynamic Client Registration 1.0, OpenID Connect Back-Channel Logout 1.0, OpenID Connect Front-Channel Logout 1.0, and OpenID Connect CIBA Core 1.0.

OAuth 2.0 RFCs implemented: 6749, 6750, 7009, 7519, 7517, 7591, 7636, 7662, 8414, 8628, 8693, 9068, 9126, 9449, 9700.