Zero IDS evaluates policies dynamically based on the requesting client's settings and individual user profile configurations.
The server performs policy checks during authorization initiation:
auth_mode: "password_and_otp"), the server prompts the user for 2FA, even if 2FA is disabled in the user's profile settings.auth_mode: "flexible", a user with 2FA enabled in their profile settings is prompted for 2FA. If a user has 2FA disabled, they authenticate directly with their primary credentials.| Client Auth Mode | User 2FA Preferences | Attempted Flow | Dynamic Outcome |
|---|---|---|---|
| password_and_otp (Enforced) | Enabled | Password / Magic Link | 2FA Promoted (OTP via Email/SMS) |
| password_and_otp (Enforced) | Disabled | Password / Magic Link | 2FA Promoted (Enforced Onboarding) |
| flexible (User Choice) | Enabled | Password / Magic Link | 2FA Promoted (User Preference) |
| flexible (User Choice) | Disabled | Password / Magic Link | Authenticated Successfully (Direct) |
| otp (OTP Only) | Disabled / Enabled | OTP Flow | Authenticated Successfully (Direct) |
Specify how client applications authenticate with the /oidc/token endpoint when exchanging authorization codes:
Client credentials sent inside the standard HTTP Basic Auth header. The header values are base64 encoded as Authorization: Basic BASE64(client_id:client_secret):
// Header format:
// Authorization: Basic c2Fhcy1jbGllbnQtaWQ6c3VwZXItc2VjcmV0LWtleQ==
// Node.js openid-client config:
const client = new issuer.Client({
client_id: 'saas-client-id',
client_secret: 'super-secret-key',
token_endpoint_auth_method: 'client_secret_basic' // Default
});
Client credentials sent as POST body parameters:
// POST body format: // POST /oidc/token // Content-Type: application/x-www-form-urlencoded // grant_type=authorization_code&code=xyz&client_id=saas-client-id&client_secret=super-secret-key
For public client applications (SPAs, mobile apps) where client secrets are omitted. PKCE parameters are evaluated for verification:
// POST /oidc/token // grant_type=authorization_code&code=xyz&client_id=spa-client-id&code_verifier=high-entropy-random-string
Scopes map to standard claim profiles returned inside the ID token or via userinfo endpoint queries:
| Scope Name | Included Claims | Purpose |
|---|---|---|
openid |
iss, sub, aud, exp, iat |
Identifies request as OIDC; returns core ID Token |
profile |
firstName, lastName, name, preferred_username |
Returns user profile details |
email |
email, email_verified |
Returns verified email credentials |
phone |
phone_number, phone_number_verified |
Returns verified phone details for SMS/OTP |