OAuth Security and Compliance Reference
Nodinite authenticates and authorizes users with OAuth 2.0 and OpenID Connect 1.0 against Microsoft Entra ID. The implementation is aligned with OAuth 2.1 draft requirements and follows RFC 9700 (OAuth 2.0 Security Best Current Practice).
Compliance Matrix
| Requirement (OAuth 2.1 draft / RFC 9700) | Nodinite |
|---|---|
| Authorization Code flow with mandatory PKCE | ✅ Required for supported interactive clients |
| Implicit grant (response_type=token) | Not used |
| Resource Owner Password Credentials (ROPC) | Not used |
| Redirect URI matching | ✅ Exact string match required |
| Bearer token transmission | ✅ Authorization header only |
| Refresh token rotation | ✅ Enabled |
| Token storage | ✅ Server-side with encrypted-at-rest protection |
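The first four rows of the matrix correspond to concrete checks that a relying party or token endpoint performs: deriving and verifying an S256 PKCE challenge (RFC 7636), comparing the redirect URI by exact string equality rather than by prefix, and accepting a bearer token only from the Authorization header (RFC 6750). The block below is an added illustration written for this page; it is not Nodinite's own code, and the hostnames, paths and token values in the comments and test are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """Client side: a fresh high-entropy verifier and its S256 challenge.

    32 random bytes base64url-encode to 43 characters, the minimum verifier
    length allowed by RFC 7636 section 4.1 (43..128 unreserved characters).
    """
    code_verifier = b64url_nopad(secrets.token_bytes(32))
    return code_verifier, s256_challenge(code_verifier)


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Token endpoint side: recompute the challenge from the presented verifier.

    Rejects verifiers outside the RFC 7636 length bounds and compares in
    constant time so the check does not leak how many characters matched.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


def redirect_uri_allowed(registered: List[str], requested: str) -> bool:
    """RFC 9700 section 4.1: compare redirect URIs by exact string match only.

    No prefix, wildcard or path-normalised matching: a requested URI that
    merely starts with a registered one is refused.
    """
    return any(requested == uri for uri in registered)


def bearer_token_from_request(headers: dict, query: dict) -> Optional[str]:
    """RFC 6750: take the bearer token from the Authorization header only.

    A token offered in the query string (access_token=...) is refused outright
    rather than silently ignored, so that such a request fails loudly and can
    be logged; a non-Bearer scheme or an empty credential is also refused.
    """
    if "access_token" in query:
        return None
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential or " " in credential:
        return None
    return credential


if __name__ == "__main__":
    # Constructed walk-through of the authorization-code-with-PKCE exchange.
    verifier, challenge = make_pkce_pair()          # client keeps verifier, sends challenge
    print("challenge accepted:", verify_pkce(challenge, verifier))   # True
    print("tampered verifier :", verify_pkce(challenge, verifier[:-1] + "x"))  # False
    registered = ["https://app.example.test/signin-oidc"]          # constructed registration
    print("exact uri         :", redirect_uri_allowed(registered, registered[0]))      # True
    print("prefix uri        :", redirect_uri_allowed(registered, registered[0] + "/evil"))  # False
    print("header token      :", bearer_token_from_request({"Authorization": "Bearer tok-123"}, {}))  # tok-123
    print("query token       :", bearer_token_from_request({}, {"access_token": "tok-123"}))  # None
```

The `s256_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm that a client's challenge derivation is compatible with an authorization server that enforces S256.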
About OAuth 2.1
OAuth 2.1 consolidates established OAuth 2.0 security improvements, including PKCE, browser-based application guidance, native application guidance, and RFC 9700 security practices. It also removes legacy flows that are considered unsafe in modern deployments.
As of 2026, OAuth 2.1 remains an active IETF Internet-Draft (draft-ietf-oauth-v2-1-15) and is not yet a ratified RFC. For this reason, products and identity providers generally state standards alignment rather than formal OAuth 2.1 RFC conformance.
Standards Implemented
| Standard | Status | Scope |
|---|---|---|
| RFC 6749 - OAuth 2.0 Authorization Framework | Ratified RFC | Core OAuth protocol |
| RFC 6750 - Bearer Token Usage | Ratified RFC | Token transport |
| RFC 7636 - PKCE | Ratified RFC | Authorization code protection |
| RFC 9700 - OAuth 2.0 Security Best Current Practice | Ratified RFC | Security requirements |
| OpenID Connect Core 1.0 | Final specification | Identity layer |
| draft-ietf-oauth-v2-1-15 - OAuth 2.1 | Internet-Draft | Consolidated security direction |
Security Disclosure Boundary
This page intentionally documents externally relevant controls and omits internal operational details that are not required for secure customer configuration.
- Published here: supported flows, disabled flows, standards mapping, and security control posture
- Not published here: internal cache behavior, sensitive recovery internals, and implementation details that are not needed for deployment
Next Step
- Install Nodinite v7 - OpenID Connect (OIDC) and OAuth 2.0
- Register Nodinite Applications in Azure AD (Entra ID) with OpenID
- Install Nodinite v7