Skip to content

Flow Walkthroughs

Use this method to evaluate any flow with consistent evidence.

Repeatable Method

Choose a flow from the Protocol Catalog and define the expected outcome.
Check prerequisites — some flows need an existing token (refresh, introspection), a prior credential (OID4VP), or SPIFFE mode enabled.
Execute the flow in Looking Glass.
Inspect the event timeline — click each step to see full payloads.
Interpret validation outcomes and security annotations.
Rerun with one changed variable to confirm control behavior.

Recommended Starting Flows

Protocol	Flow	Why Start Here
OAuth 2.0	Authorization Code + PKCE	Core delegated authorization with modern security
OIDC	Authorization Code + UserInfo	Identity layer on OAuth, ID token claims
SAML 2.0	SP-Initiated SSO	Enterprise SSO entry pattern, assertion inspection
SCIM 2.0	User Lifecycle	Full CRUD cycle with PATCH semantics
SPIFFE	X.509-SVID Issuance	Workload identity fundamentals
SSF	CAEP Session Revoked	Real-time security event stream with receiver response
OID4VCI	Pre-Authorized Code	Credential issuance (SD-JWT VC, JWT VC, LDP VC)
OID4VP	DCQL + direct_post	Verifier request and wallet submission

Interpreting Outcomes

Success

Inspect the resulting artifacts:

Tokens: Verify claims, audience, issuer, expiry, and signature algorithm.
Assertions: Check subject, conditions, attribute statements.
Credentials: Validate VCT, selective disclosure claims, proof binding.
SVIDs: Confirm SPIFFE ID, trust domain, and certificate chain.

Validation Failure

Check alignment of:

Nonce and state parameters
Audience restrictions
Signature keys and algorithms
Token expiry and not-before constraints
Redirect URI registration

Policy Denial

A denied flow is not necessarily an error. It may indicate:

Correct scope enforcement (requesting a scope the client is not authorized for)
PKCE enforcement (missing or mismatched code verifier)
Consent requirements
Session policy enforcement (SSF receiver revoking a session)