Standards & conformance
Standards & conformance
Cbox ID is built against the specifications, not around them. This page is the canonical list of what is implemented. Status is one of ✅ implemented, ◐ partial (usable, with the noted limits), or ▢ planned.
OAuth 2.0 / OpenID Connect (as an authorization server)
| Spec | What it covers | Status |
|---|---|---|
| RFC 6749 | Authorization Code (mandatory PKCE) + Client Credentials + Refresh Token grants | ✅ |
| RFC 7636 | PKCE — S256 required, plain refused |
✅ |
| RFC 6750 | Bearer token usage | ✅ |
| RFC 7519 / 9068 | JWT access tokens (RS256, typ: at+jwt), jti-tracked for revocation; aud when resource-bound |
✅ |
| RFC 8725 (JWT BCP) | Explicit alg allow-list (RS256 / ES256 / EdDSA Ed25519, RFC 8037), per-key alg binding, scheduled key rotation (cbox-id:keys:rotate --alg) |
✅ |
| RFC 7662 | Token introspection — caller must authenticate as a client | ✅ |
| RFC 7009 | Token revocation (/oauth/revoke) — access and refresh tokens |
✅ |
| RFC 8414 | Authorization Server Metadata (/.well-known/oauth-authorization-server) |
✅ |
| RFC 9728 | Protected Resource Metadata (/.well-known/oauth-protected-resource) |
✅ |
| RFC 8707 | Resource Indicators — resource binds the access token's aud |
✅ |
| RFC 7591 | Dynamic Client Registration (/oauth/register) — gated (disabled/protected/open) |
✅ |
| RFC 7592 | Registration management (GET/PUT/DELETE by registration access token) | ✅ |
| OIDC Core | id_token with nonce, at_hash, auth_time, amr, acr; UserInfo endpoint |
✅ |
| OAuth 2.0 Security BCP | Refresh-token rotation with reuse detection (family revocation) | ✅ |
| RFC 9449 | DPoP — sender-constrained tokens (cnf.jkt, token_type: DPoP); proof validated for typ/alg/signature/htm/htu/iat with single-use jti replay guard; advertised in metadata |
✅ |
| RFC 9126 | Pushed Authorization Requests (/oauth/par) — client-authenticated, single-use short-lived request_uri consumed by /authorize; require_pushed_authorization_requests advertised |
✅ |
| RFC 8628 | Device Authorization Grant (/oauth/device_authorization) — user_code (unambiguous alphabet) + verification_uri; token polling with authorization_pending / slow_down / access_denied / expired_token; device_code stored hashed |
✅ |
| RFC 9207 | Issuer identification in the authorization response (iss) — IdP mix-up defense, always on |
✅ |
| FAPI 2.0 baseline | Enforceable profile: mandatory PAR + PKCE + DPoP sender-constraining + exact redirect matching + iss — see FAPI hardening |
✅ |
| M2M service accounts (client_credentials) — overlap credential rotation: mint a successor with the same privileges, cut over with zero downtime, then retire the predecessor (revoking its tokens) | ✅ | |
Authorization decision endpoint (POST /oauth/decisions) — live, deny-by-default permission (ReBAC) + entitlement checks in one round trip; version-invalidated hot-path cache; see Authorization |
✅ | |
Hybrid entitlement claims — coarse EnforcementMode::Claims entitlements embedded as the ent claim (ent_ver staleness signal); instant-critical ones stay live |
✅ | |
| RFC 8628 | Device Authorization Grant | ▢ |
| RFC 9126 | Pushed Authorization Requests (PAR) | ▢ |
Refresh tokens
Refresh tokens are issued only when the client is granted offline_access.
Every rotation is single-use: presenting a refresh token consumes it and mints a
successor in the same family. Presenting an already-consumed token is treated
as theft — the entire family is revoked, forcing re-authentication.
Model Context Protocol (MCP)
The MCP authorization model expects the server to be a standards-compliant OAuth 2.0 authorization server. All five required pieces are in place:
| MCP requirement | Backed by | Status |
|---|---|---|
| Authorization Server Metadata | RFC 8414 | ✅ |
| Protected Resource Metadata | RFC 9728 | ✅ |
| Dynamic Client Registration | RFC 7591 | ✅ |
| PKCE | RFC 7636 | ✅ |
| Resource / audience binding | RFC 8707 | ✅ |
An MCP client can therefore discover the server, self-register, run an authorization-code + PKCE flow, and receive an access token audience-bound to the MCP server it intends to call.
SCIM 2.0 (provisioning)
| Spec | What it covers | Status |
|---|---|---|
| RFC 7644 | /Users CRUD + PATCH (path and pathless), pagination, scimType errors |
✅ |
| RFC 7643 | Core User schema | ✅ |
| RFC 7644 | Filtering — eq/ne/co/sw/ew/pr (LIKE metacharacters escaped) |
◐ |
| RFC 7643 | /Groups + membership sync (create/list/PATCH add-remove/PUT/delete) |
✅ |
| RFC 7644 | ServiceProviderConfig / ResourceTypes / Schemas discovery | ✅ |
| RFC 7643 | Enterprise User extension (employeeNumber, costCenter, organization, division, department, manager) — ingested, patched, returned, advertised in discovery |
✅ |
Deprovision / deactivation drops membership and revokes sessions immediately.
SAML 2.0 & federation (as a relying party)
| Capability | Status |
|---|---|
SAML ACS — signature (XML-DSig), XSW defense, XXE-safe, strict mode, wantAssertionsSigned |
✅ |
| SAML assertion replay protection (single-use assertion ids) | ✅ |
| SAML SP metadata endpoint (importable EntityDescriptor: ACS + SLO) | ✅ |
SAML SP-initiated login (AuthnRequest, HTTP-Redirect, InResponseTo state, RelayState) |
✅ |
SAML Single Logout — IdP-initiated LogoutRequest, signed-message enforced, revokes the subject's sessions, returns a LogoutResponse |
✅ |
OIDC login (RP-initiated) — redirect + callback, code exchange, id_token verified (RS256-pinned), state CSRF + nonce replay defense |
✅ |
Authentication & MFA
| Capability | Status |
|---|---|
| Passwords — bcrypt, breached-password check (HIBP k-anonymity) | ✅ |
| TOTP (RFC 6238) — replay-protected (last-used step), rate-limited | ✅ |
| WebAuthn / passkeys (FIDO2) — registration + assertion, sign-count clone detection | ✅ |
| Passkey User-Verification enforced (primary-factor), server-side challenge TTL | ✅ |
| MFA recovery / backup codes — single-use, regenerable | ✅ |
| Magic-link email sign-in | ✅ |
| Password reset — hash-only single-use token, TTL, anti-enumeration, revokes all sessions on reset | ✅ |
| Email verification — hash-only single-use token, TTL, stale-address guard | ✅ |
| Social sign-in (Google, GitHub, Microsoft) with explicit account linking | ✅ |
This table is updated as each tier lands; ▢ items are tracked and in progress.