OIDC + OAuth 2.1
Discovery, JWKS, authorization-code + PKCE, single-use codes.
Every tenant is a full OpenID Connect provider. Discovery, JWKS, the authorization endpoint, and the token endpoint are all served from the tenant’s own host.
Discovery
GET https://acme.oauth.work/.well-known/openid-configuration

{
  "issuer": "https://acme.oauth.work",
  "authorization_endpoint": "https://acme.oauth.work/authorize",
  "token_endpoint": "https://acme.oauth.work/token",
  "jwks_uri": "https://acme.oauth.work/.well-known/jwks.json",
  "id_token_signing_alg_values_supported": ["EdDSA"],
  "code_challenge_methods_supported": ["S256"]
}
Authorization code + PKCE
OAuth 2.1 makes PKCE mandatory: the client sends the base64url SHA-256 hash of a fresh code_verifier as code_challenge, then presents the verifier itself at the token endpoint, where it is hashed and compared against the stored challenge. Send code_challenge_method=S256 explicitly; the page advertises only S256, and an omitted method means "plain" under RFC 7636. The authorization code is single-use: it is stored in a Durable Object and deleted atomically on exchange, so a replayed code fails closed.

GET /authorize
  ?response_type=code
  &client_id=acme-web
  &redirect_uri=https://app.acme.com/callback
  &code_challenge=<base64url(SHA-256(code_verifier))>
  &code_challenge_method=S256
  &scope=openid profile email
Verify the ID token
ID tokens are EdDSA-signed with the tenant key. Verify the signature against the tenant JWKS with the algorithm pinned to EdDSA (never let the token's own alg header choose the verification path), and check iss, aud, and exp. jwtVerify rejects an expired token by default and fails if no JWKS key matches the token's kid.

import { jwtVerify, createRemoteJWKSet } from 'jose'

// Fetches and caches the tenant JWKS; keys are looked up by kid on each verify.
const jwks = createRemoteJWKSet(new URL('https://acme.oauth.work/.well-known/jwks.json'))

const { payload } = await jwtVerify(idToken, jwks, {
  issuer: 'https://acme.oauth.work',   // must equal the discovery "issuer"
  audience: 'acme-web',                // your client_id
  algorithms: ['EdDSA'],               // pin to what discovery advertises
})
To limit what a stolen bearer token is worth, layer DPoP on top of this flow so that access tokens are bound to a key the client holds.