OAuth 2.0 and OpenID Connect overview

OAuth 2.0 is an authorization framework that enables target applications (so-called OAuth 2.0 Clients) to securely obtain access to protected HTTP resources (such as user information) on behalf of a user. The obvious way to achieve this would be for the user to share her credentials (e.g. her password) with the target application. Sharing passwords has many drawbacks: the application learns a secret that grants unrestricted access, the secret cannot be scoped or revoked per application, and it must be stored by every application that uses it. OAuth 2.0 avoids this: the user authenticates at the authorization server only, and the client receives a scoped, expiring and revocable access token instead of the user's credentials.

OpenID Connect 1.0 adds an identity layer on top of the OAuth 2.0 protocol: alongside the access token the client receives a signed ID token, which lets it verify the user's identity (issuer, subject, audience, expiry and the login nonce) locally and usually saves the HTTP round trip to a user-info endpoint.
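The exchange described in the two paragraphs above, as an added example that is not part of this page or of Airlock IAM: a self-contained Python simulation of the OpenID Connect authorization code flow with PKCE, run in-process with a toy authorization server and a toy confidential client. The issuer, client ID, client secret, redirect URI and user account are constructed assumptions. The toy server signs the ID token with HS256 keyed by the client secret (OpenID Connect Core permits this for confidential clients) so that no key pair has to be generated; a real deployment would normally use RS256/ES256 and the server's published JWKS.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example values; assumptions for this demo, not Airlock IAM settings.
ISSUER = "https://as.example.com"
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"demo-client-secret-with-at-least-32-bytes!!"
REDIRECT_URI = "https://client.example.com/cb"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_hs256(claims, key):
    # Compact JWS with HS256; OIDC allows HS256 ID tokens keyed by the client secret.
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

class AuthorizationServer:
    """Toy AS: the only party that ever sees the user's password."""

    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}  # constructed user
        self.codes = {}  # code -> (sub, code_challenge, nonce)

    def authorize(self, query, username, password):
        # The user authenticates here, never at the client.
        if self.users.get(username) != password:
            raise PermissionError("bad user credentials")
        if query["client_id"] != CLIENT_ID or query["redirect_uri"] != REDIRECT_URI:
            raise PermissionError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (username, query["code_challenge"], query["nonce"])
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': query['state']})}"

    def token(self, code, code_verifier, client_secret):
        if code not in self.codes:
            raise PermissionError("unknown or already used code")
        sub, challenge, nonce = self.codes.pop(code)  # codes are single use
        if not hmac.compare_digest(client_secret, CLIENT_SECRET):
            raise PermissionError("client authentication failed")
        if b64url(hashlib.sha256(code_verifier.encode()).digest()) != challenge:
            raise PermissionError("PKCE verification failed")
        now = int(time.time())
        id_token = jwt_hs256({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "iat": now,
                              "exp": now + 300, "nonce": nonce}, CLIENT_SECRET)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "id_token": id_token}

class Client:
    """Toy confidential OIDC client using the authorization code flow with PKCE."""

    def start_login(self):
        self.state = secrets.token_urlsafe(16)      # binds the callback to this session (anti-CSRF)
        self.nonce = secrets.token_urlsafe(16)      # binds the ID token to this login attempt
        self.verifier = secrets.token_urlsafe(48)   # PKCE code_verifier, kept client-side
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                 "scope": "openid profile", "state": self.state, "nonce": self.nonce,
                 "code_challenge": challenge, "code_challenge_method": "S256"}
        return f"{ISSUER}/authorize?{urlencode(query)}", query

    def handle_callback(self, redirect_url, as_):
        params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        if not hmac.compare_digest(params.get("state", ""), self.state):
            raise ValueError("state mismatch (possible CSRF)")
        tokens = as_.token(params["code"], self.verifier, CLIENT_SECRET)
        return self.verify_id_token(tokens["id_token"])

    def verify_id_token(self, token):
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # never let the token pick the algorithm
        expected = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad ID token signature")
        claims = json.loads(b64url_decode(payload))
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            raise ValueError("wrong issuer or audience")
        if claims.get("exp", 0) <= time.time():
            raise ValueError("ID token expired")
        if not hmac.compare_digest(claims.get("nonce", ""), self.nonce):
            raise ValueError("nonce mismatch (replayed ID token)")
        return claims

def run_flow(username="alice", password="correct horse battery staple"):
    """Runs the whole exchange in-process and returns the verified ID token claims."""
    as_, client = AuthorizationServer(), Client()
    _login_url, query = client.start_login()                 # 1. client redirects the user to the AS
    redirect_url = as_.authorize(query, username, password)  # 2. user logs in at the AS
    return client.handle_callback(redirect_url, as_)         # 3. code -> tokens, ID token verified
```

Calling run_flow() returns the claims of a verified ID token for "alice"; note that the Client class never handles the password, and that the checks in verify_id_token (fixed algorithm, signature, iss, aud, exp, nonce) are exactly what an OpenID Connect relying party must perform before trusting the identity. The hand-rolled JWT code is for illustration only; in production use a maintained OIDC library and the server's published keys.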

AS-centric vs. client-centric

Before Airlock IAM 8.0 there were two implementations of the OAuth 2.0 / OpenID Connect server. These two implementations had the following characteristics.

Differentiator: Architecture
  AS-centric: The authorization server can support any number of static and dynamically registered clients.
  Client-centric (deprecated and removed): Every client configures its own authorization server.

Differentiator: Status
  AS-centric: In continuous development.
  Client-centric (deprecated and removed): Removed in IAM 8.0.

Since Airlock IAM 8.0, only the AS-centric implementation of the OAuth 2.0 / OpenID Connect server remains in the product. As there is no longer a second implementation to distinguish it from, the qualifier "AS-centric" has been dropped from the product and the documentation.