From bf3dc629c4c9354c32b79dd1bf0e59f1d13bdb8a Mon Sep 17 00:00:00 2001 From: Kremena Nenkova Date: Mon, 8 Jun 2026 13:08:29 +0100 Subject: [PATCH 1/2] Add CFT OIDC authentication standard --- ...thentication-and-authorization.html.md.erb | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 source/standards/standards/authentication-and-authorization.html.md.erb diff --git a/source/standards/standards/authentication-and-authorization.html.md.erb b/source/standards/standards/authentication-and-authorization.html.md.erb new file mode 100644 index 00000000..2d25a69a --- /dev/null +++ b/source/standards/standards/authentication-and-authorization.html.md.erb @@ -0,0 +1,24 @@ +--- +title: Authentication and authorization +last_reviewed_on: 2026-06-08 +review_in: 12 months +weight: 5 +--- + +# <%= current_page.data.title %> + +CFT services should use OpenID Connect with CFT IDAM for user authentication. + +Authentication and authorization are separate concerns. OpenID Connect establishes the user identity. Services are responsible for their own authorization decisions. + +### OpenID Connect flows + +Use the authorization code flow for browser-based user authentication. + +Use PKCE where the client stack supports it. + +Use client credentials only for service-to-service authentication where no user is involved. + +Avoid password and implicit grants for new integrations. + +For implementation guidance, see the [OpenID Connect Guide for CFT Developers Using CFT IDAM](https://tools.hmcts.net/confluence/spaces/SISM/pages/1973296310/OpenID+Connect+Guide+for+CFT+Developers+Using+CFT+IDAM). From 7012ac815ae5eee92c7fb4311474966a0102f903 Mon Sep 17 00:00:00 2001 From: kremi <34029797+kremi@users.noreply.github.com> Date: Mon, 8 Jun 2026 13:18:33 +0100 Subject: [PATCH 2/2] Update allow.txt --- .github/actions/spelling/allow.txt | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/actions/spelling/allow.txt b/.github/actions/spelling/allow.txt index 55dd1e5d..512a051a 100644 --- a/.github/actions/spelling/allow.txt +++ b/.github/actions/spelling/allow.txt @@ -218,6 +218,7 @@ Phishing pid pipeable pipefail +PKCE placeholders platops plpgsql
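Review bot: `Use PKCE where the client stack supports it.` under `### OpenID Connect flows` is the weakest line in the new standard and undercuts the authorization code guidance above it: a client that silently skips PKCE is back to plain authorization codes that can be intercepted and redeemed. Make it a requirement of the flow for every client, confidential ones included, e.g. `Use the authorization code flow with PKCE for browser-based user authentication.`, and treat a stack that cannot do PKCE as an exception needing sign-off rather than the default. Two smaller points on the same file: the page says OpenID Connect `establishes the user identity` but gives no direction on validating the ID token (issuer, audience, signature, expiry, nonce) before trusting it, which is where most relying-party bugs live, so one sentence here or a pointer to the relevant part of the linked guide would help; and the heading structure jumps from `#` to `###`, skipping `##`.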
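Review bot: squash this commit into PATCH 1/2 before merging; it exists only so the spell check passes on the page that commit adds, and landing the standard and its allowlist entry separately leaves an `Update allow.txt` commit on its own in the history. The `+PKCE` line itself sits in the right place for the case-insensitive ordering the file uses (`Phishing`, `pid`, `pipeable`, `pipefail`, then `placeholders`), so no change to the hunk.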