Flashii Docs

(旧Railgun) if it ain't broke, we'll break it


This is an old revision of the document!


OAuth

This entire section of the wiki is tentative! Changes are unlikely, but everything is still subject to change.

Flashii uses a mix of OAuth 2.0, the experimental OAuth 2.1 and some components of OpenID Connect to provide authentication and authorization for third-party applications. Because OAuth is a framework, certain things have been omitted and others have been augmented where it makes sense, but at a basic level there should be no incompatibilities.

Implemented standards and drafts

  • RFC6749 1): The base OAuth 2.0 authorization framework specification.
    • RFC8996 2): Deprecation of TLS 1.0 and 1.1, mostly as a result of server configuration.
    • RFC9700 3): Redirect URIs are validated against a known list; PKCE is available and required when not explicitly operating in OAuth 2.0 backwards-compatible mode; Implicit and Resource Owner Password grants are omitted entirely; DPoP is not implemented at this time but may come in the future as an option.
  • RFC8414 4): An endpoint with up-to-date metadata about the authorization server is available and should be used if possible. Certain fields specific to OpenID Connect are also included, as the same output is used for the OpenID Metadata endpoint; both paths are provided for compatibility reasons.
  • RFC8628 5): Device Authorization Grant is available for clients that are not able to spawn a web browser window.
  • RFC9728 6): An endpoint with up-to-date protected resource information is available and should additionally be used to resolve the authorization server.
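
The discovery chain described in the RFC8414 and RFC9728 items, with the checks a client should make before trusting the result, as an added example (not Flashii's own code). The hosts, endpoint paths and metadata values are constructed placeholders, and the server advertising the S256 PKCE method is an assumption.

```python
import base64, hashlib, secrets
from urllib.parse import urlsplit

# Constructed sample documents; placeholder hosts, not Flashii's real endpoints.
RESOURCE_META = {  # RFC 9728 protected resource metadata
    "resource": "https://api.example.test",
    "authorization_servers": ["https://auth.example.test"],
}
AS_META = {  # RFC 8414 authorization server metadata
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/oauth2/authorize",
    "token_endpoint": "https://auth.example.test/oauth2/token",
    "device_authorization_endpoint": "https://auth.example.test/oauth2/device",
    "grant_types_supported": ["authorization_code", "refresh_token",
                              "urn:ietf:params:oauth:grant-type:device_code"],
    "code_challenge_methods_supported": ["S256"],
}

def metadata_url(issuer):
    """RFC 8414 section 3: well-known segment goes between host and issuer path."""
    u = urlsplit(issuer)
    if u.scheme != "https" or u.query or u.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return f"https://{u.netloc}/.well-known/oauth-authorization-server{u.path.rstrip('/')}"

def check_discovery(resource, resource_meta, issuer, as_meta):
    """Return a list of problems; an empty list means the metadata is usable."""
    problems = []
    if resource_meta.get("resource") != resource:
        problems.append("resource identifier mismatch")
    if issuer not in resource_meta.get("authorization_servers", []):
        problems.append("issuer not listed by the protected resource")
    if as_meta.get("issuer") != issuer:
        problems.append("issuer mismatch (possible mix-up)")
    if "S256" not in as_meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    for key, value in as_meta.items():
        if key.endswith("_endpoint") and urlsplit(value).scheme != "https":
            problems.append(f"{key} is not https")
    return problems

def pkce_pair():
    """RFC 7636: random verifier and its S256 challenge (base64url, no padding)."""
    verifier = secrets.token_urlsafe(48)  # 48 random bytes -> 64 characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
```
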
1) D. Hardt. The OAuth 2.0 Authorization Framework (2012). RFC Editor. DOI:10.17487/rfc6749
2) K. Moriarty, S. Farrell. Deprecating TLS 1.0 and TLS 1.1 (2021). RFC Editor. DOI:10.17487/rfc8996
3) T. Lodderstedt, J. Bradley, A. Labunets, D. Fett. Best Current Practice for OAuth 2.0 Security (2025). RFC Editor. DOI:10.17487/rfc9700
4) M. Jones, N. Sakimura, J. Bradley. OAuth 2.0 Authorization Server Metadata (2018). RFC Editor. DOI:10.17487/rfc8414
5) W. Denniss, J. Bradley, M. Jones, H. Tschofenig. OAuth 2.0 Device Authorization Grant (2019). RFC Editor. DOI:10.17487/rfc8628
6) M.B. Jones, P. Hunt, A. Parecki. OAuth 2.0 Protected Resource Metadata (2025). RFC Editor. DOI:10.17487/rfc9728
oauth/start.1770830543.txt.gz · Last modified: by flash