Free · spec-cited · reads only public metadata
SSL Labs for your Identity Provider
Paste an OIDC/OAuth issuer URL and get an instant, shareable security-posture grade — built entirely from the provider’s published discovery metadata. Every finding cites the RFC.
1
Fetch
Only the two well-known discovery paths + the JWKS — over HTTPS, never private ranges.
2
Grade
18 checks (keys, algs, PKCE, flows, mix-up, PAR…). Fixed, versioned rubric.
3
Share
An immutable /scan/… permalink you can send to your team or auditor.
What an external scan cannot see
By design, oidcscan reads only public metadata. It cannot see token lifetimes, refresh-token rotation, consent policies, or per-client configuration. Judging those requires access to your tenant — that is what an IntegrAuth identity audit covers.