Free · spec-cited · reads only public metadata

SSL Labs for your Identity Provider

Paste an OIDC/OAuth issuer URL and get an instant, shareable security-posture grade — built entirely from the provider’s published discovery metadata. Every finding cites the RFC.

Try:
1

Fetch

Only the two well-known discovery paths + the JWKS — over HTTPS, never private ranges.

2

Grade

18 checks (keys, algs, PKCE, flows, mix-up, PAR…). Fixed, versioned rubric.

3

Share

An immutable /scan/… permalink you can send to your team or auditor.

What an external scan cannot see

By design, oidcscan reads only public metadata. It cannot see token lifetimes, refresh-token rotation, consent policies, or per-client configuration. Judging those requires access to your tenant — that is what an IntegrAuth identity audit covers.

oidcscan reads only public discovery metadata. An IntegrAuth product.

ruleset 2026.07.2