OAuth AS configuration - client-centric

Tasks of an OAuth 2.0 / OpenID Connect authorization server

Airlock IAM has to provide the following services when configured as an OAuth 2.0 / OpenID Connect authorization server:

  • Issue tokens to clients. This includes authorization codes, access tokens and refresh tokens, as well as the ID token if OpenID Connect is enabled.
  • Authenticate the user.
  • Handle client authorizations on behalf of the user. The authorization server should inform the user about the scope of the authorization being requested. Additionally, the user must be able to revoke authorizations previously granted to OAuth 2.0 / OpenID Connect clients.

When configured as an authorization server, Airlock IAM also adopts the role of the resource endpoint. The duty of the resource endpoint is to serve resources to clients that present an access token authorized for that specific resource.

Deprecation warning

It is recommended that customers use the AS-centric implementation of the OAuth 2.0 and OIDC features. The client-centric implementation has been deprecated (see deprecation announcement in the release information section for details).

The client-centric implementation will NOT be available in the Loginapp REST UI.

Supported features in the Loginapp REST UI:

  • OAuth 2.0 Client features: available from IAM 7.5
  • OAuth 2.0 Authorization Server - AS-centric: available from IAM 7.6

See also Migrating from the JSP-Loginapp to the Loginapp REST UI.

OAuth 2.0 scopes and IAM roles

In order to grant any scope using OAuth 2.0, the user must have the corresponding Airlock IAM role. Please refer to OAuth 2.0 Scopes for more details.
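As an added illustration (not Airlock IAM's own code or configuration), the following Python models the rule above: a requested scope is granted only if the user holds the IAM role mapped to it, and the resource endpoint checks the issued token's scope before serving. The scope names, role names and the scope-to-role mapping are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed mapping (assumption): the IAM role a user must hold before the
# authorization server may grant the scope on that user's behalf.
SCOPE_ROLES = {
    "openid": "authenticated",
    "profile": "authenticated",
    "payments:read": "payments-user",
    "payments:write": "payments-admin",
}


@dataclass(frozen=True)
class ScopeDecision:
    granted: tuple   # scopes the token may carry
    denied: tuple    # configured scopes for which the user lacks the role
    unknown: tuple   # scopes with no configured role mapping at all


def evaluate_scopes(requested: Iterable[str], user_roles: set) -> ScopeDecision:
    """Classify each requested scope against the user's IAM roles."""
    granted, denied, unknown = [], [], []
    for scope in dict.fromkeys(requested):      # de-duplicate, keep order
        role = SCOPE_ROLES.get(scope)
        if role is None:
            unknown.append(scope)
        elif role in user_roles:
            granted.append(scope)
        else:
            denied.append(scope)
    return ScopeDecision(tuple(granted), tuple(denied), tuple(unknown))


def authorize_request(requested, user_roles, allow_partial=False) -> Optional[str]:
    """Return the scope string to put in the token, or None to reject.

    Unknown scopes always reject. Denied scopes reject unless allow_partial,
    in which case the granted subset is issued (the AS must then report the
    reduced scope to the client). An empty grant is also a rejection.
    """
    d = evaluate_scopes(requested, user_roles)
    if d.unknown or (d.denied and not allow_partial) or not d.granted:
        return None
    return " ".join(d.granted)


def resource_allows(token_scope: str, required_scope: str) -> bool:
    """Resource endpoint check: serve only if the token carries the scope."""
    return required_scope in token_scope.split()
```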