Security & Compliance Track
Use this track when you are reviewing LumoAuth for procurement, a security audit, or a compliance program (GDPR, SOC 2, FAPI 2.0). It surfaces the pages you need and skips the rest.
1. Start here
- Security Overview — threat model and defense-in-depth layers
- Best Practices — recommended configuration
- Third-party Security Audits — externally verified reports
2. Data protection & GDPR
- GDPR features — data subject requests, consent tracking, breach reporting
- Data Export
- Audit Logs — append-only record of every operation
- Analytics
3. Authentication hardening
- Adaptive MFA — risk-based step-up
- Passkeys / WebAuthn — phishing-resistant login
- Rate Limiting
4. High-assurance OAuth
- FAPI 2.0 Security Profile — profile for financial-grade and regulated deployments
- PAR — Pushed Authorization Requests
- DPoP & mTLS (FAPI profile)
5. AI agent security
- AAuth Protocol — cryptographic agent identity
- Chain of Agency — auditable delegation via RFC 8693 Token Exchange
- JIT Permissions — human-in-the-loop for sensitive operations
Standards implemented
LumoAuth implements the following IETF and OpenID standards. Each RFC link points to the official specification.
- OAuth 2.0 Authorization Framework — RFC 6749. The core authorization protocol that defines the
authorizeandtokenendpoints and the four standard grant types. - OpenID Connect 1.0 — An authentication layer on top of OAuth 2.0. Adds ID tokens and the
userinfoendpoint. - SAML 2.0 — An XML-based SSO protocol used widely in enterprise environments.
- SCIM 2.0 — RFC 7643 (core schema) and RFC 7644 (protocol). Standard API for provisioning users and groups from an IdP.
- PKCE — RFC 7636. Binds an authorization code to a secret the client generates, so an intercepted code cannot be exchanged for tokens. Required for public clients (SPAs, mobile apps).
- DPoP — RFC 9449. Demonstrating Proof of Possession. Binds an access token to a client-held key, so a stolen token cannot be replayed from another host.
- PAR — RFC 9126. Pushed Authorization Requests. The client sends authorization parameters over a back-channel POST instead of a front-channel URL, avoiding URL-length limits and request tampering.
- RAR — RFC 9396. Rich Authorization Requests. Lets the client request fine-grained, structured permissions (e.g., "transfer €500 to IBAN X") instead of coarse scope strings.
- Token Exchange — RFC 8693. Allows a service to exchange one token for another — the building block for delegation and impersonation.
- Device Authorization Grant — RFC 8628. The flow used by CLIs, smart TVs, and other input-constrained devices: the device shows a code, the user enters it on a second device.
- CIBA — Client Initiated Backchannel Authentication. The client initiates login, the user authenticates out-of-band (e.g., via a push notification), and the client polls for the result.
- FAPI 2.0 — A security profile from the OpenID Foundation tightening OAuth for financial-grade and regulated use cases.
- WebAuthn / FIDO2 — Standard for hardware-backed, phishing-resistant authentication (passkeys, security keys).