Supported features (OAuth 2.0/OIDC)

AS-centric vs. client-centric authorization servers

Airlock IAM implements two different types of OAuth 2.0 / OpenID Connect authorization servers.

| AS Type | Description | Storage of Client Information |
|---|---|---|
| Client-centric | The client-centric approach configures an entire authorization server for every single client. This is a design limitation and therefore prohibits support for dynamic client registration. | IAM configuration |
| AS-centric | The Authorization Server-centric (AS-centric) implementation provides support for dynamic client registration so that one authorization server can support a multitude of technical clients. | IAM database and configuration |

Deprecation warning

It is recommended that customers use the AS-centric implementation of the OAuth 2.0 and OIDC features. The client-centric implementation has been deprecated (see the deprecation announcement in the release information section for details).

The client-centric implementation will NOT be available in the Loginapp REST UI.

Supported features in the Loginapp REST UI:

  • OAuth 2.0 Client features: available from IAM 7.5
  • OAuth 2.0 Authorization Server - AS-centric: available from IAM 7.6

See also Migrating from the JSP-Loginapp to the Loginapp REST UI.

OAuth 2.0 and OIDC feature set

The following table shows which features of the standards Airlock IAM implements and where:

OAuth 2.0

| Feature | OAuth 2.0 Authorization Server (AS) / OAuth 2.0 Client |
|---|---|
| OAuth 2.0 Authorization Code Grant | ✓ ✓ ✓ |
| OAuth 2.0 Implicit Grant | ✓ |
| OAuth 2.0 Client Credentials Grant | ✓ |
| OAuth 2.0 Token Introspection | ✓ ✓ |
| OAuth 2.0 Token Revocation | ✓ ✓ |
| OAuth 2.0 Dynamic Client Registration | ✓ |
| OAuth 2.0 Authorization Server Metadata Endpoint | ✓ ✓ ✓ |

OIDC

| Feature | OAuth 2.0 Authorization Server (AS) / OAuth 2.0 Client |
|---|---|
| OpenID Connect Authorization Code Flow | ✓ ✓ ✓ |
| OpenID Connect Implicit Flow | |
| OpenID Connect Token Introspection | ✓ ✓ |
| OpenID Connect Token Revocation | ✓ ✓ |
| OpenID Connect Discovery | ✓ ✓ ✓ |
| OAuth 2.0 Dynamic Client Registration | ✓ |
| OpenID Connect Session Management | ✓ |
| OpenID Connect UserInfo Endpoint | ✓ ✓ ✓ |
| OpenID Connect RP-initiated logout (as RP) | ✓ |
| Account Linking | ✓ |
| Automated Account Registration ("Social Registration") | ✓ |

Limitations of the AS-centric authorization server

The following features are supported by the client-centric authorization server but are not yet implemented in the AS-centric authorization server:

  • Resource endpoint:
    • Authentication with the access token passed as a request parameter is only available with the client-centric AS.
    • Support for non-bearer headers (e.g. the access token in a header value, or an access token with a different prefix) is only available with the client-centric AS.
    • Support for combined resources (through regex matching) is only available with the client-centric AS.
  • Support for the implicit flow is only available with the client-centric AS.
  • Configuration of static clients using X.509 certificate authentication is only available with the client-centric AS.
  • Translation of the client name on the consent page is only available with the client-centric AS.
  • Role transformation in resources and JWT claims is only available with the client-centric AS.
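The resource-endpoint limitations above come down to how an access token reaches the resource server and how it is then checked. As an added example that is not Airlock IAM's code, the following Python shows the path the AS-centric variant does support: the token is accepted only as an RFC 6750 bearer token in the Authorization header (a token in a query parameter is ignored, since URLs end up in access logs, browser history and Referer headers), the introspection endpoint is read from the AS metadata document, and the token is checked by RFC 7662 introspection before the scope is enforced. The metadata document, the token values, the introspection answers and the `fake_post` transport are all constructed for the example.

```python
"""Resource-endpoint token handling (worked example, not Airlock IAM code).

Pieces a resource server needs in order to accept only RFC 6750 bearer tokens
from the Authorization header and to check them against an RFC 7662 token
introspection endpoint discovered from the AS metadata document. Everything
below is constructed so the example runs offline.
"""
import json
import re
from typing import Callable, Optional

# Constructed sample: the subset of an AS metadata / OIDC discovery document
# (RFC 8414 / OpenID Connect Discovery) that this example needs.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example/oauth2",
    "token_endpoint": "https://as.example/oauth2/token",
    "introspection_endpoint": "https://as.example/oauth2/introspect",
    "revocation_endpoint": "https://as.example/oauth2/revoke",
})

# Constructed sample: what the introspection endpoint would answer for two
# hypothetical tokens, one active and one already revoked.
SAMPLE_INTROSPECTION = {
    "tok-active-123": {"active": True, "scope": "orders:read", "client_id": "shop-web",
                       "sub": "alice", "exp": 1_900_000_000},
    "tok-revoked-456": {"active": False},
}

# RFC 6750 b64token syntax after the "Bearer" scheme name.
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$")


def load_metadata(doc: str) -> dict:
    """Parse a metadata document and require the fields the resource server relies on."""
    meta = json.loads(doc)
    for key in ("issuer", "introspection_endpoint"):
        if key not in meta:
            raise ValueError(f"metadata lacks {key}")
    return meta


def extract_bearer_token(headers: dict, query: dict) -> Optional[str]:
    """Take the token only from the Authorization header (RFC 6750 section 2.1).

    The query dict is accepted so the call site can pass the full request, but
    an access_token query parameter (section 2.3) is deliberately not consulted:
    that transport leaks the token into logs, history and Referer headers.
    Non-bearer schemes (e.g. "Token ...") are rejected as well.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return None
    m = _BEARER_RE.match(auth.strip())
    return m.group(1) if m else None


def introspect(token: str, endpoint: str, post: Callable[[str, dict], dict]) -> dict:
    """Call the introspection endpoint; `post` performs the client-authenticated HTTP POST."""
    resp = post(endpoint, {"token": token, "token_type_hint": "access_token"})
    # RFC 7662: anything other than an explicit active=true means the token is unusable.
    if resp.get("active") is not True:
        return {"active": False}
    return resp


def authorize_request(headers: dict, query: dict, metadata: dict,
                      post: Callable[[str, dict], dict], required_scope: str):
    """Return (status, detail): 401 for a missing or inactive token, 403 for missing scope."""
    token = extract_bearer_token(headers, query)
    if token is None:
        return 401, "missing bearer token"
    info = introspect(token, metadata["introspection_endpoint"], post)
    if not info["active"]:
        return 401, "token inactive"
    if required_scope not in info.get("scope", "").split():
        return 403, "insufficient scope"
    return 200, info["sub"]


def fake_post(endpoint: str, form: dict) -> dict:
    """Stand-in for the HTTP client; answers from the constructed table above."""
    if not endpoint.endswith("/introspect"):
        return {}
    return SAMPLE_INTROSPECTION.get(form["token"], {"active": False})


if __name__ == "__main__":
    meta = load_metadata(SAMPLE_METADATA)
    print(authorize_request({"Authorization": "Bearer tok-active-123"}, {}, meta, fake_post, "orders:read"))
    print(authorize_request({}, {"access_token": "tok-active-123"}, meta, fake_post, "orders:read"))
    print(authorize_request({"Authorization": "Bearer tok-revoked-456"}, {}, meta, fake_post, "orders:read"))
```

Replacing `fake_post` with a real HTTP client that authenticates to the introspection endpoint (the AS must not answer introspection calls from unauthenticated parties) is all that separates this from a deployable check; the decision logic stays the same.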