OIDC Provider Specifications

Parako.ID is built on node-oidc-provider, an OpenID Certified implementation of OpenID Connect. The tables below summarize which OIDC features and configuration options Parako.ID supports, their current status, and where to configure them.

For deeper customization or to understand the full range of provider options, refer to the official node-oidc-provider documentation. Every configuration option available upstream can potentially be wired into Parako.ID.

| Feature | Standard | Provider Default | Parako.ID Status | Config Path |
| --- | --- | --- | --- | --- |
| Back-Channel Logout | OIDC Back-Channel Logout 1.0 | false | Enabled | features.oidc.backchannel_logout.enabled |
| Client Credentials | RFC 6749 | false | Enabled | features.oidc.client_credentials.enabled |
| Device Flow | RFC 8628 | false | Enabled | features.oidc.device_flow.enabled |
| Introspection | RFC 7662 | false | Enabled | features.oidc.token_introspection.enabled |
| Request Objects | RFC 9101 | false | Enabled | features.oidc.request_objects.enabled |
| Resource Indicators | RFC 8707 | true | Enabled | features.oidc.resource_indicators.enabled |
| Revocation | RFC 7009 | false | Enabled | features.oidc.token_revocation.enabled |
| RP-Initiated Logout | OIDC RP-Initiated Logout 1.0 | true | Enabled | features.oidc.rp_initiated_logout.enabled |
| UserInfo | OIDC Core 1.0 | true | Enabled | features.oidc.userinfo_endpoint.enabled |
| Encryption | JWE (RFC 7516) | false | Available | features.oidc.encryption.enabled |
| JARM | JARM | false | Available | features.oidc.jwt_response_modes.enabled |
| JWT Introspection | RFC 9701 | false | Available | features.oidc.jwt_introspection.enabled |
| JWT UserInfo | OIDC Core 1.0 | false | Available | features.oidc.jwt_userinfo.enabled |
| Registration | RFC 7591 / OIDC DCR | false | Available | features.oidc.dynamic_client_registration.enabled |
| Registration Management | RFC 7592 | false | Available | features.oidc.client_registration_management.enabled |
| Dev Interactions | | true | Available | features.oidc.dev_interactions.enabled |
| DPoP | RFC 9449 | true | Inherited | |
| PAR | RFC 9126 | true | Inherited | |
| CIBA | OIDC CIBA | false | Not Configured | |
| Claims Parameter | OIDC Core 1.0 | false | Not Configured | |
| FAPI | FAPI 1.0 / 2.0 | false | Not Configured | |
| mTLS | RFC 8705 | false | Not Configured | |

Status legend: Enabled = wired and on by default. Available = wired but off by default (toggle via config). Inherited = uses provider default. Not Configured = not wired; see upstream docs to implement.
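The table and legend above describe two different sets of defaults: node-oidc-provider's own (the "Provider Default" column) and Parako.ID's (Enabled = on, Available = off). The following JavaScript is an added example, not Parako.ID or node-oidc-provider code. It resolves a flat set of Parako.ID config paths into the nested `features` object that node-oidc-provider's `new Provider(issuer, configuration)` expects, rejects misspelled paths (a typo would otherwise silently leave a feature at its default), reports where the effective configuration diverges from upstream defaults, and flags two settings a reviewer would want to see justified before production. The upstream feature key names are node-oidc-provider's; their correspondence with the Parako.ID paths is inferred from the table and is an assumption, as is the `production` flag passed to the lint.

```javascript
// Added example (not Parako.ID or node-oidc-provider code). Maps the flat
// Parako.ID feature paths from the table to node-oidc-provider's nested
// `features` configuration and lints the result.
//
// Assumption: the path -> upstream key correspondence below is inferred from
// the table on this page. `status` is the Parako.ID Status column, which
// determines Parako.ID's default ("Enabled" = on, "Available" = off).
const FEATURE_MAP = {
  'features.oidc.backchannel_logout.enabled':             { key: 'backchannelLogout',      upstreamDefault: false, status: 'Enabled' },
  'features.oidc.client_credentials.enabled':             { key: 'clientCredentials',      upstreamDefault: false, status: 'Enabled' },
  'features.oidc.device_flow.enabled':                    { key: 'deviceFlow',             upstreamDefault: false, status: 'Enabled' },
  'features.oidc.token_introspection.enabled':            { key: 'introspection',          upstreamDefault: false, status: 'Enabled' },
  'features.oidc.request_objects.enabled':                { key: 'requestObjects',         upstreamDefault: false, status: 'Enabled' },
  'features.oidc.resource_indicators.enabled':            { key: 'resourceIndicators',     upstreamDefault: true,  status: 'Enabled' },
  'features.oidc.token_revocation.enabled':               { key: 'revocation',             upstreamDefault: false, status: 'Enabled' },
  'features.oidc.rp_initiated_logout.enabled':            { key: 'rpInitiatedLogout',      upstreamDefault: true,  status: 'Enabled' },
  'features.oidc.userinfo_endpoint.enabled':              { key: 'userinfo',               upstreamDefault: true,  status: 'Enabled' },
  'features.oidc.encryption.enabled':                     { key: 'encryption',             upstreamDefault: false, status: 'Available' },
  'features.oidc.jwt_response_modes.enabled':             { key: 'jwtResponseModes',       upstreamDefault: false, status: 'Available' },
  'features.oidc.jwt_introspection.enabled':              { key: 'jwtIntrospection',       upstreamDefault: false, status: 'Available' },
  'features.oidc.jwt_userinfo.enabled':                   { key: 'jwtUserinfo',            upstreamDefault: false, status: 'Available' },
  'features.oidc.dynamic_client_registration.enabled':    { key: 'registration',           upstreamDefault: false, status: 'Available' },
  'features.oidc.client_registration_management.enabled': { key: 'registrationManagement', upstreamDefault: false, status: 'Available' },
  'features.oidc.dev_interactions.enabled':               { key: 'devInteractions',        upstreamDefault: true,  status: 'Available' },
};

// Resolve a flat config ({ 'features.oidc.<name>.enabled': bool, ... }) into
// { features: { <upstreamKey>: { enabled: bool }, ... } }. Paths missing from
// the input fall back to the Parako.ID default derived from the status column.
// Unknown paths and non-boolean values are rejected rather than ignored.
function resolveFeatures(flatConfig) {
  for (const [path, value] of Object.entries(flatConfig)) {
    if (!(path in FEATURE_MAP)) {
      throw new Error(`unknown feature path: ${path}`);
    }
    if (typeof value !== 'boolean') {
      throw new Error(`${path} must be a boolean, got ${typeof value}`);
    }
  }
  const features = {};
  for (const [path, meta] of Object.entries(FEATURE_MAP)) {
    const parakoDefault = meta.status === 'Enabled';
    const enabled = path in flatConfig ? flatConfig[path] : parakoDefault;
    features[meta.key] = { enabled };
  }
  return { features };
}

// List upstream feature keys whose effective state differs from
// node-oidc-provider's own default, i.e. what Parako.ID's wiring changes.
function diffFromUpstream(features) {
  return Object.values(FEATURE_MAP)
    .filter((meta) => features[meta.key].enabled !== meta.upstreamDefault)
    .map((meta) => meta.key);
}

// Findings a reviewer would raise on a resolved feature set.
function lintFeatures(features, { production }) {
  const findings = [];
  if (production && features.devInteractions.enabled) {
    // Upstream ships devInteractions for local development only.
    findings.push('devInteractions is enabled in production; disable features.oidc.dev_interactions.enabled');
  }
  if (features.registration.enabled) {
    // Upstream supports gating dynamic registration with an initial access
    // token (features.registration.initialAccessToken); confirm it is set.
    findings.push('registration (dynamic client registration) is enabled; confirm an initial access token policy is configured');
  }
  return findings;
}

// Stand-alone demo with a constructed config: Parako.ID defaults plus one
// override that turns on dev interactions.
const demo = resolveFeatures({ 'features.oidc.dev_interactions.enabled': true });
console.log('differs from upstream defaults:', diffFromUpstream(demo.features).join(', '));
console.log('findings:', lintFeatures(demo.features, { production: true }));
```

Pass `resolveFeatures(...).features` into the configuration object given to `new Provider(issuer, configuration)`; the remaining options in the configuration table below are handled separately by Parako.ID's schema and are outside this example.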

| Configuration | Provider Option | Integrated | Config Path |
| --- | --- | --- | --- |
| Adapter | adapter | Yes | oidc_storage.oidc_adapter.type |
| Claims | claims | Yes | features.oidc.claims |
| Client-Based CORS | clientBasedCORS | Yes (custom) | features.oidc.client_based_cors |
| Clients | clients | Yes (custom) | |
| Find Account | findAccount | Yes (custom) | |
| Interactions | interactions | Yes (custom) | |
| JWKS | jwks | Yes | |
| PKCE | pkce | Yes | features.oidc.pkce.* |
| TTL | ttl | Yes | oidc.token_ttl.* |
| Accept Query Param Access Tokens | acceptQueryParamAccessTokens | Yes | features.oidc.accept_query_param_access_tokens |
| ACR Values | acrValues | Yes | features.oidc.acr_values.supported |
| Allow Omitting Single Redirect URI | allowOmittingSingleRegisteredRedirectUri | Yes | features.oidc.allow_omitting_single_registered_redirect_uri |
| Clock Tolerance | clockTolerance | Yes | features.oidc.clock_tolerance |
| Conform ID Token Claims | conformIdTokenClaims | Yes | features.oidc.conform_id_token_claims |
| Cookies | cookies | Yes | security.secrets.cookie_secrets |
| Discovery | discovery | Yes | oidc.discovery.* |
| Enabled JWA | enabledJWA | Yes | oidc.jwa.* |
| Enable HTTP POST Methods | enableHttpPostMethods | Yes | features.oidc.enable_http_post_methods |
| Expires With Session | expiresWithSession | Yes | features.oidc.expires_with_session |
| Extra Client Metadata | extraClientMetadata | Yes | features.oidc.extra_client_metadata.* |
| Extra Params | extraParams | Yes | features.oidc.extra_params.* |
| Extra Token Claims | extraTokenClaims | Yes (custom) | |
| Issue Refresh Token | issueRefreshToken | Yes (custom) | |
| Load Existing Grant | loadExistingGrant | Yes (custom) | |
| Pairwise Identifier | pairwiseIdentifier | Yes | oidc.secrets.pairwise_salt |
| Render Error | renderError | Yes (custom) | |
| Rotate Refresh Token | rotateRefreshToken | Yes (custom) | features.oidc.rotate_refresh_token |
| Routes | routes | Yes | oidc.routes.* |
| Scopes | scopes | Yes | features.oidc.scopes |
| Subject Types | subjectTypes | Yes | features.oidc.subject_types |
| Client Auth Methods | clientAuthMethods | Inherited | |
| Response Types | responseTypes | Inherited | |
| Revoke Grant Policy | revokeGrantPolicy | Inherited | |
| Assert JWT Client Auth | assertJwtClientAuthClaimsAndHeader | No | |
| Client Defaults | clientDefaults | No | |
| Fetch | fetch | No | |
| Fetch Response Body Limits | fetchResponseBodyLimits | No | |
| Sector Identifier URI Validate | sectorIdentifierUriValidate | No | |

Integrated legend: Yes = configured via schema. Yes (custom) = custom implementation in code. Inherited = uses provider default. No = not integrated; see upstream docs.

| Grant Type | Description | Status |
| --- | --- | --- |
| authorization_code | Standard code exchange flow | Enabled |
| refresh_token | Refresh access tokens | Enabled |
| client_credentials | Machine-to-machine auth | Enabled |
| implicit | Legacy implicit flow | Enabled |
| urn:ietf:params:oauth:grant-type:device_code | Device authorization (RFC 8628) | Enabled |
| urn:openid:params:grant-type:ciba | Backchannel authentication | Not Configured |

| Method | Description | Status |
| --- | --- | --- |
| client_secret_basic | HTTP Basic with client_id/secret | Enabled |
| client_secret_post | Client credentials in request body | Enabled |
| client_secret_jwt | Symmetric key JWT assertion | Enabled |
| private_key_jwt | Asymmetric key JWT assertion | Enabled |
| none | Public clients (no secret) | Enabled |
| tls_client_auth | Mutual TLS with CA-signed certificate | Available (requires mTLS) |
| self_signed_tls_client_auth | Mutual TLS with self-signed certificate | Available (requires mTLS) |

  • OIDC Endpoints — endpoint paths, scopes, claims, and token TTLs
  • OIDC Clients — client presets, registration, and configuration
  • Authentication — password policies, MFA, and multi-account sessions
  • Security — rate limiting, session binding, and encryption