OAuth 2.0 and OpenID Connect Authorization Code Grant
For the OAuth 2.0 Authorization Code Grant (see RFC 6749 Section 4.1), Airlock IAM can take both the role of the authorization server and the role of the client:
- Airlock IAM as client-centric OAuth 2.0 Authorization Server
  Internal and external target applications can fetch information about the current user from Airlock IAM. The following OAuth 2.0 endpoints make this possible:
  - The OAuth 2.0 Authorization Endpoint allows users to authenticate using any of the authentication methods supported by Airlock IAM. Authenticated users obtain an OAuth 2.0 authorization code.
  - The OAuth 2.0 Authorization Endpoint supports PKCE (pronounced "pixy", https://tools.ietf.org/html/rfc7636).
  - The OAuth 2.0 Token Endpoint allows a client to obtain access and refresh tokens in exchange for an authorization code.
  - The OAuth 2.0 Resource Endpoint allows a client to obtain information about the user by presenting an OAuth 2.0 access token.
- Airlock IAM as OAuth 2.0 Client
  Users can be authenticated by interacting with third-party OAuth 2.0 Authorization Servers. This enables single sign-on (SSO) by delegating authentication to a third-party Authorization Server.
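The endpoints listed above together form one round trip: the client sends the user to the Authorization Endpoint with a PKCE code challenge, receives a code on its redirect URI, and redeems that code (plus the code verifier) at the Token Endpoint. The following Python is an added example written for this page, not Airlock IAM's own code: it builds the PKCE values and the two requests per RFC 7636 and RFC 6749 Section 4.1, and shows the verifier check the authorization server performs at the token endpoint. The endpoint URLs, client ID and redirect URI are assumed placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoint URLs for illustration; they are not Airlock IAM's actual paths.
AUTHORIZATION_ENDPOINT = "https://iam.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://iam.example.com/oauth2/token"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 Section 4.1: 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 Section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """Client side: the request that sends the user to the Authorization Endpoint."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                       # bound to the session, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def extract_code_from_redirect(redirect_url: str, expected_state: str) -> str:
    """Client side: accept the code only if 'state' matches and no error was returned."""
    qs = parse_qs(urlparse(redirect_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this session")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        code_verifier: str) -> dict:
    """Client side: form body POSTed to the Token Endpoint (RFC 6749 4.1.3, RFC 7636 4.5)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,         # must equal the one used in the auth request
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server side: recompute the challenge from the presented verifier
    and compare it with the one stored alongside the code (RFC 7636 Section 4.6)."""
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_url("demo-client", "https://app.example.com/cb",
                                  "openid profile", state, challenge)
    print("redirect user to:", url)
    # Constructed redirect as the browser would deliver it after login.
    code = extract_code_from_redirect(
        f"https://app.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print("token request:", build_token_request(code, "https://app.example.com/cb",
                                                "demo-client", verifier))
    print("AS accepts verifier:", verify_pkce(challenge, "S256", verifier))
```

The test vector in RFC 7636 Appendix B (verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk`, S256 challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) can be used to confirm `make_code_challenge`; the `state` check on the redirect and the server-side `verify_pkce` are the two steps that tie the code to the session that requested it.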
Airlock IAM also supports the OpenID Connect Authorization Code Grant in both roles, authorization server and client, as described above. The OpenID Connect UserInfo Endpoint is supported as well.
The detailed documentation can be found in OAuth 2.0 / OpenID Connect Authorization Code Grant.
Deprecation warning
Customers are recommended to use the AS-centric implementation of the OAuth 2.0 and OIDC features. The client-centric implementation has been deprecated (see the deprecation announcement in the release information section for details).
The client-centric implementation will NOT be available in the Loginapp REST UI.
Supported features in the Loginapp REST UI:
- OAuth 2.0 Client features: available from IAM 7.5
- OAuth 2.0 Authorization Server - AS-centric: available from IAM 7.6
See also Migrating from the JSP-Loginapp to the Loginapp REST UI.