Airlock IAM, as an AS/OP, supports several mechanisms for authenticating static clients:
| Method | Description |
|---|---|
| client_secret (client_secret_basic, client_secret_post) | Authentication with client_id and client_secret is the weakest form of client authentication and corresponds to username/password authentication. The secret is sent either in the HTTP Basic Authorization header (client_secret_basic) or as a form parameter in the token request body (client_secret_post). Because the client has to store the secret, this method is only suitable for confidential clients. See RFC 6749: The OAuth 2.0 Authorization Framework, section 2.3.1, for details. |
| X.509 client certificate (mutual TLS) | The AS/OP compares the subject and issuer DN of the certificate presented in the TLS handshake with the values registered for the client. This page lists the method as tls_client_certificate_bound_access_tokens; note that in RFC 8705 that name is the client metadata flag for binding issued access tokens to the client certificate, while the PKI-based client authentication method itself is called tls_client_auth. The DN comparison alone proves nothing: this method relies on the TLS-terminating service in front of the AS/OP verifying the integrity and validity of the certificate and its chain to a trusted root, so that only a validated certificate reaches the DN check. |
| private_key_jwt | The client signs a JWT assertion with its private key and sends it as client_assertion with the token request (JWT client authentication as in RFC 7523 and OpenID Connect Core, section 9). The AS/OP verifies the signature with either a public key configured for the client or a key obtained from a configured JWKS URL. |
Authentication support for dynamically registered clients is limited to client_secret and X.509 certificates.
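The following Go program is an added example, not Airlock IAM code, showing what a client sends for each of the three methods above and how the AS/OP side checks a private_key_jwt assertion. The client_id, secret and token endpoint URL are made-up values; the X.509 method is omitted because its check happens in the TLS layer rather than in the token request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Assumed values for this example (not taken from Airlock documentation).
const (
	clientID      = "example-client"
	clientSecret  = "s3cr3t"
	tokenEndpoint = "https://iam.example.com/oauth2/token"
)

// clientSecretBasic builds the Authorization header for client_secret_basic
// (RFC 6749 section 2.3.1): id and secret are form-url-encoded before the
// base64 step, so secrets containing ':' or '%' survive intact.
func clientSecretBasic(id, secret string) string {
	cred := url.QueryEscape(id) + ":" + url.QueryEscape(secret)
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(cred))
}

// clientSecretPost builds the form body for client_secret_post.
func clientSecretPost(id, secret string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_id", id)
	v.Set("client_secret", secret)
	return v.Encode()
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// privateKeyJWT builds the client_assertion for private_key_jwt (RFC 7523):
// iss and sub are the client_id, aud is the token endpoint, and a short exp
// together with a random jti limits replay of a captured assertion.
func privateKeyJWT(key *rsa.PrivateKey, id, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims, _ := json.Marshal(map[string]any{
		"iss": id, "sub": id, "aud": aud,
		"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix(), "jti": b64url(jti),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyClientAssertion is the AS/OP-side check: the signature must verify
// under the key registered for the client (never under a key named in the
// token itself), and the claims must bind the assertion to this client, this
// token endpoint and the present moment.
func verifyClientAssertion(assertion string, pub *rsa.PublicKey, id, aud string, now time.Time) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed assertion")
	}
	var hdr struct{ Alg string `json:"alg"` }
	h, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("unexpected alg") // pin the algorithm, do not trust the header
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("bad signature")
	}
	var c struct {
		Iss, Sub, Aud, Jti string
		Exp                int64
	}
	p, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(p, &c) != nil {
		return errors.New("malformed claims")
	}
	switch {
	case c.Iss != id || c.Sub != id:
		return errors.New("iss/sub mismatch")
	case c.Aud != aud:
		return errors.New("aud mismatch")
	case c.Jti == "":
		return errors.New("missing jti") // a real AS also stores jti to reject replays
	case now.Unix() >= c.Exp:
		return errors.New("expired")
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println(clientSecretBasic(clientID, clientSecret))
	fmt.Println(clientSecretPost(clientID, clientSecret))
	a, _ := privateKeyJWT(key, clientID, tokenEndpoint, time.Now())
	fmt.Println("assertion valid:", verifyClientAssertion(a, &key.PublicKey, clientID, tokenEndpoint, time.Now()) == nil)
}
```

The verifier deliberately pins RS256 and takes the public key from the client's registration rather than from any key identifier in the token; with a JWKS URL the lookup by kid replaces the configured key, but the pinned algorithm and the iss/sub/aud/exp/jti checks stay the same.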