{ "feature": "openid-connect-server", "version": "1.0.0", "description": "OAuth 2.0 and OpenID Connect identity provider with token issuance", "category": "auth", "tags": [ "oauth2", "oidc" ], "fields": [ { "name": "client_id", "type": "text", "required": true, "label": "Client ID", "validation": [ { "type": "required", "message": "Client ID required" } ] }, { "name": "scope", "type": "text", "required": true, "label": "Scopes", "validation": [ { "type": "required", "message": "Scope required" } ] }, { "name": "redirect_uri", "type": "url", "required": true, "label": "Redirect URI", "validation": [ { "type": "required", "message": "Redirect URI required" }, { "type": "url", "message": "Must be valid URL" } ] } ], "rules": { "core": "OIDC protocol compliance" }, "outcomes": { "authorization_success": { "priority": 5, "given": [ { "field": "client_id", "operator": "exists", "value": null } ], "then": [ { "action": "emit_event", "event": "oidc.authorized", "payload": [ "client_id" ] } ], "result": "Authorization code issued" }, "invalid_client": { "priority": 1, "error": "INVALID_CLIENT", "given": [ { "field": "client_id", "operator": "neq", "value": "registered" } ], "then": [ { "action": "emit_event", "event": "oidc.invalid_client", "payload": [ "client_id" ] } ], "result": "Invalid client" } }, "errors": [ { "code": "INVALID_CLIENT", "status": 401, "message": "Client not found" } ], "events": [ { "name": "oidc.authorized", "description": "OIDC authorization success", "payload": [ "client_id" ] }, { "name": "oidc.invalid_client", "description": "Invalid client error", "payload": [ "client_id" ] } ], "related": [], "agi": { "goals": [ { "id": "reliable_openid_connect_server", "description": "OAuth 2.0 and OpenID Connect identity provider with token issuance", "success_metrics": [ { "metric": "unauthorized_access_rate", "target": "0%", "measurement": "Failed authorization attempts that succeed" }, { "metric": "response_time_p95", "target": "< 500ms", "measurement": "95th percentile response time" } ], "constraints": [ { "type": "security", "description": "Follow OWASP security recommendations", "negotiable": false } ] } ], "autonomy": { "level": "supervised", "human_checkpoints": [ "before making irreversible changes" ], "escalation_triggers": [ "error_rate > 5", "consecutive_failures > 3" ] }, "safety": { "action_permissions": [ { "action": "authorization_success", "permission": "autonomous" }, { "action": "invalid_client", "permission": "autonomous" } ] }, "tradeoffs": [ { "prefer": "security", "over": "performance", "reason": "authentication must prioritize preventing unauthorized access" } ], "verification": { "invariants": [ "error messages never expose internal system details" ] } }, "extensions": { "source": { "repo": "https://github.com/keycloak/keycloak", "project": "Keycloak", "tech_stack": "Java" } } }