Overview

An Identity and Access Management system that centralizes user identities, profiles, authentication, and authorization using the OpenID Connect (OIDC) and OAuth 2.0 standards. It provides a standards‑based way for applications to authenticate users, obtain tokens, and authorize access to APIs.

Key capabilities

  • User lifecycle: create, update, deactivate, and delete users
  • Profiles and attributes: manage core and custom attributes, profile photos, and preferences
  • Authentication: OIDC Authorization Code + PKCE for web and SPAs, Refresh Token rotation, optional Client Credentials for M2M
  • Authorization: scopes and claims, role‑based and group‑based access models
  • Sessions and MFA: secure session handling with optional second factor
  • Audit and integrations: webhooks for lifecycle events and comprehensive error reporting

OIDC endpoints

  • Discovery: GET {ISSUER}/.well-known/openid-configuration
  • Authorization: GET {ISSUER}/authorize
  • Token: POST {ISSUER}/token
  • UserInfo: GET {ISSUER}/userinfo
  • JWKS: GET {ISSUER}/.well-known/jwks.json
  • Introspection: POST {ISSUER}/introspect
  • Revocation: POST {ISSUER}/revoke
  • Logout (RP‑initiated): GET/POST {ISSUER}/logout

Tokens

  • ID Token: user identity claims, signed (e.g., RS256)
  • Access Token: API authorization, bearer usage, short TTL
  • Refresh Token: offline access and rotation support

Validate every token's signature against the keys published at the JWKS endpoint, and allow only a small, bounded clock skew when checking the exp and nbf claims. Document the supported signing algorithms and the key rotation cadence so that verifiers can pin the algorithm and know when to refresh cached keys.
