Supported OAuth and OIDC features
13.2. Supported features (OAuth 2.0/OIDC)

AS-centric vs. client-centric authorization servers

Airlock IAM implements two different types of OAuth 2.0 / OpenID Connect authorization servers.

AS Type: Client-centric
  • Description: The client-centric approach configures an entire authorization server for every single client. This design limitation rules out dynamic client registration, because every client must be configured in advance.
  • Storage of client information: IAM configuration

AS Type: AS-centric
  • Description: The Authorization Server-centric (AS-centric) implementation supports dynamic client registration, so one authorization server can serve a multitude of technical clients.
  • Storage of client information: IAM database and configuration

Deprecation warning

It is recommended that customers use the AS-centric implementation of the OAuth 2.0 and OIDC features. The client-centric implementation has been deprecated (see deprecation announcement in the release information section for details).

The client-centric implementation will NOT be available in the Loginapp REST UI.

Supported features in the Loginapp REST UI:

  • OAuth 2.0 Client features: available from IAM 7.5
  • OAuth 2.0 Authorization Server - AS-centric: available from IAM 7.6

See also 17.5. Migrating from the JSP-Loginapp to the Loginapp REST UI.

OAuth 2.0 and OIDC feature set

The following table shows which features of the standards Airlock IAM implements and where:

Columns of the original table: Features | OAuth 2.0 Authorization Server (AS) | OAuth 2.0 Client. The AS column covers both AS types (client-centric and AS-centric), so a feature supported everywhere carries three marks (✓); a row without a mark is not supported.

OAuth 2.0
  • OAuth 2.0 Authorization Code Grant: ✓ ✓ ✓
  • OAuth 2.0 Implicit Grant: ✓ (client-centric AS only, see the limitations below)
  • OAuth 2.0 Client Credentials Grant: ✓
  • OAuth 2.0 Token Introspection: ✓ ✓
  • OAuth 2.0 Token Revocation: ✓ ✓
  • OAuth 2.0 Dynamic Client Registration: ✓ (AS-centric AS)
  • OAuth 2.0 Authorization Server Metadata Endpoint: ✓ ✓ ✓

OIDC
  • OpenID Connect Authorization Code Flow: ✓ ✓ ✓
  • OpenID Connect Implicit Flow: not supported
  • OpenID Connect Token Introspection: ✓ ✓
  • OpenID Connect Token Revocation: ✓ ✓
  • OpenID Connect Discovery: ✓ ✓ ✓
  • OAuth 2.0 Dynamic Client Registration: ✓ (AS-centric AS)
  • OpenID Connect Session Management: ✓
  • OpenID Connect UserInfo Endpoint: ✓ ✓ ✓
  • OpenID Connect RP-initiated logout (as RP): ✓
  • Account Linking: ✓
  • Automated Account Registration ("Social Registration"): ✓

Limitations of the AS-centric authorization server

The following features are supported by the client-centric authorization server but not yet implemented in the AS-centric authorization server:

  • Resource endpoint:
    • Authentication with access token as a parameter is only available with the client-centric AS.
    • Support for non-bearer headers (e.g. access token in header value, access token with different prefix) is only available with the client-centric AS.
    • Support for combined resources (through regex matching) is only available with the client-centric AS.
  • Support for the implicit flow is only available in the client-centric AS.
  • Configuration of static clients using X.509 certificate authentication is only available with the client-centric AS.
  • Translations of the client name on the consent page are only available with the client-centric AS.
  • Role transformation in resources and JWT claims is only available with the client-centric AS.
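As an added example (not Airlock IAM code), the following Python shows what a resource endpoint behind the AS-centric authorization server is left with once the client-centric extras above are gone: it accepts an access token only in the standard Bearer header form of RFC 6750, refuses the query-parameter and custom-prefix forms listed above, and validates an RFC 7662 introspection response (the Token Introspection feature in the table) before granting access. All headers, query strings, scopes, audience values and introspection responses are constructed sample data; the `/api/orders` path and the scope names are assumptions.

```python
"""Resource-endpoint token handling for the standard Bearer form only.

Added example, not Airlock IAM code. Sample requests and introspection
responses are constructed; the endpoint path and scope names are assumptions.
"""
import re
import time

# RFC 6750 section 2.1: scheme "Bearer" (case-insensitive), one or more
# spaces, then a b64token. Anything else (custom prefix, empty token) fails.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer_token(headers, query_params):
    """Return the access token from the Authorization header, or None.

    Tokens passed as the access_token query parameter (RFC 6750 section 2.3)
    are refused outright, because URLs end up in server logs, browser history
    and Referer headers. A non-Bearer prefix is refused too, so a client
    configured for the client-centric header variants fails with a clear 401
    instead of being silently accepted.
    """
    if "access_token" in query_params:
        return None
    auth = headers.get("Authorization")
    if auth is None:
        return None
    match = _BEARER_RE.match(auth.strip())
    return match.group(1) if match else None


def authorize(introspection, required_scope, expected_audience, now=None):
    """Decide access from an RFC 7662 introspection response (a dict).

    `active` must be exactly true; an inactive token carries no further
    claims worth reading. The remaining checks catch a token issued for a
    different resource (aud), an expired token (exp) and a missing scope.
    """
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False
    aud = introspection.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False
    exp = introspection.get("exp")
    if exp is not None and exp <= now:
        return False
    granted = set(introspection.get("scope", "").split())
    return required_scope in granted


def handle_request(headers, query_params, introspect, resource="https://api.example.test"):
    """Minimal request flow: extract token, introspect it, authorize.

    `introspect` stands in for the HTTP call to the AS introspection endpoint;
    here it is a callable mapping token -> introspection response (constructed).
    Returns an HTTP status code.
    """
    token = extract_bearer_token(headers, query_params)
    if token is None:
        return 401
    response = introspect(token)
    return 200 if authorize(response, "orders:read", resource) else 403


if __name__ == "__main__":
    # Constructed sample data: one valid request, one using the query form.
    tokens = {"tok-1": {"active": True, "scope": "orders:read", "aud": "https://api.example.test"}}
    lookup = lambda t: tokens.get(t, {"active": False})
    print(handle_request({"Authorization": "Bearer tok-1"}, {}, lookup))          # 200
    print(handle_request({}, {"access_token": "tok-1"}, lookup))                   # 401
    print(handle_request({"Authorization": "Token tok-1"}, {}, lookup))            # 401
```

The two refusals in `extract_bearer_token` are the point: a token in the query string is a leak waiting to happen in access logs and Referer headers, and a custom prefix is usually a client misconfiguration that should fail loudly rather than be parsed leniently. Checking `aud` in `authorize` keeps a token minted for one resource from being replayed against another, which introspection alone does not prevent.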