Protocol Catalog

Standards: RFC 6749, RFC 7636 (PKCE), RFC 7662 (Introspection), RFC 7009 (Revocation), RFC 8628 (Device Code)

| Flow | Description |
| --- | --- |
| Authorization Code | Standard authorization grant with redirect |
| Authorization Code + PKCE | Authorization code with Proof Key for Code Exchange |
| Client Credentials | Machine-to-machine token issuance |
| Refresh Token | Token renewal without re-authorization |
| Token Introspection | Validate and inspect active tokens |
| Token Revocation | Invalidate access or refresh tokens |
| Device Code | Authorization for input-constrained devices |
| Implicit | Legacy browser-based flow (deprecated) |
| Resource Owner Password | Legacy direct credential exchange (deprecated) |

Standards: OIDC Core 1.0, OIDC Discovery 1.0

| Flow | Description |
| --- | --- |
| Authorization Code | OIDC authentication with ID token |
| Hybrid | Combined code + token response |
| Implicit | Legacy OIDC implicit flow |
| UserInfo | Claims retrieval from the UserInfo endpoint |
| Discovery | OpenID Provider metadata and JWKS resolution |
| Interaction Code | Interactive authorization with PKCE |

Standards: SAML 2.0 Core, Bindings, Profiles, Metadata

| Flow | Description |
| --- | --- |
| SP-Initiated SSO | Service Provider starts the login flow |
| IdP-Initiated SSO | Identity Provider starts the login flow |
| Single Logout | Coordinated logout across participants |
| Metadata Exchange | SP/IdP metadata discovery and sharing |

Demo scenarios: Assertion Deep Dive, Metadata Exploration

Standards: RFC 7642, RFC 7643, RFC 7644

| Flow | Description |
| --- | --- |
| User Lifecycle | Create, read, update, deactivate users |
| Group Membership | Group CRUD and membership management |
| User Discovery | Filter expressions and search queries |
| Bulk Operations | Batch create/update/delete |
| Schema Discovery | ServiceProviderConfig, ResourceTypes, Schemas |
| Outbound Provisioning | Client-initiated provisioning sync |

Standards: SPIFFE, SPIRE, SPIFFE Workload API, X.509-SVID, JWT-SVID

| Flow | Description |
| --- | --- |
| X.509-SVID Issuance | Retrieve X.509 workload identity certificate |
| JWT-SVID Issuance | Retrieve JWT workload identity token |
| mTLS Handshake | Mutual TLS using X.509-SVIDs |
| Certificate Rotation | Automatic SVID renewal |
| Workload Registration | Register workload entries in SPIRE |
| Node Attestation | Node identity verification |
| Workload Attestation | Workload identity verification |
| Trust Bundle Federation | Cross-trust-domain bundle exchange |

Requires: SPIFFE compose overlay (docker-compose.spiffe.yml) for full mode. Demo mode returns 503.

Standards: OpenID SSF 1.0, CAEP 1.0, RISC 1.0

| Flow | Description |
| --- | --- |
| Stream Configuration | Create and configure event streams |
| Push Delivery | Transmitter pushes SETs to receiver |
| Poll Delivery | Receiver polls transmitter for SETs |
| CAEP Session Revoked | Session revocation event and response |
| CAEP Credential Change | Credential change event and response |
| RISC Account Disabled | Account disabled event and response |
| RISC Credential Compromise | Credential compromise event and response |

Demo scenarios: SSF Interactive Sandbox, Push vs Poll Comparison

Standards: OpenID4VCI 1.0

| Flow | Description |
| --- | --- |
| Pre-Authorized Code | Credential issuance with pre-authorized grant |
| Pre-Authorized + tx_code | Issuance with transaction code challenge |
| Deferred Issuance | Credential issued asynchronously |

Credential type: UniversityDegreeCredential

Credential formats: dc+sd-jwt (SD-JWT VC), jwt_vc_json, jwt_vc_json-ld, ldp_vc (W3C Data Integrity with ecdsa-rdfc-2019 / eddsa-rdfc-2022 cryptosuites)

Standards: OpenID4VP 1.0

| Flow | Description |
| --- | --- |
| DCQL + direct_post | DCQL query with direct_post response mode |
| DCQL + direct_post.jwt | DCQL query with encrypted JWT response |

Client ID schemes: redirect_uri, did:web (decentralized_identifier), verifier_attestation, x509_san_dns