OpenAM: More OAuth 2/OpenID Connect features

If you have not looked at OpenAM development in a while, you might have missed some of the new capabilities now in the nightly builds and coming in the next release. Many areas from STS to policy to REST APIs are involved.

One specific area centers on OAuth 2/OpenID Connect and mobile-oriented deployments.

OpenAM nightly builds now support:

  • GSMA Mobile Connect, especially the OpenID Connect 1.0 profile
    Mobile Connect lets users authenticate with their mobile phones, regardless of the service or the device on which it is consumed, so that Mobile Network Operators can serve as identity providers for their customers. As OpenAM has authenticators needed for GSMA Mobile Connect out of the box, and also has an authentication module SPI, OpenAM can play both the OP and authenticator roles in a Mobile Connect deployment.
    Check out this sample JavaScript client on GitHub for a non-secure but transparent look at how service using Mobile Connect client might work with OpenAM. Also read Using OpenAM with Mobile Connect.
  • Easily setting up OpenAM as a client of an OpenID Provider or an OAuth 2.0 authorization server
    When you first login as OpenAM administrator, there it is on the common tasks page: Configure Social Authentication.
    This makes it a snap to use Facebook, Google, MSN, or another provider as an identity provider for your users, and still protect resources with OpenAM.
  • OpenID Relying Parties registering without first obtaining an access token
    If you can throttle requests, this can streamline registration of OpenID RPs quite a bit. See To Register a Relying Party Dynamically.
  • Self-service management of OAuth 2.0 tokens
    This console feature lets users revoke authorization for applications. Even if you implement a feature like this elsewhere, it can be handy for testing. See User Consent Management.
  • Users authenticating with an OpenID Provider’s ID token
    OpenAM provides an OpenID Connect authentication module for this. See Hints for the OpenID Connect id_token bearer Module.
  • OAuth 2.0 scopes as conditions for OpenAM policies
  • CORS for OpenAM APIs
    Cross-Origin Resource Sharing makes it easier to use all the REST APIs in user-agent based applications. See Enabling CORS Support.
  • JWTs for authentication, and JWTs or SAML assertions to request access tokens
    Check out this sample Java client on GitHub for an example of how to request an access token with client-built JWT.
    The JWT bearer profile support can be handy for example with service accounts where there’s no end user involved. The documentation for this is in review.
    The SAML assertion bearer profile can be useful when integrating OAuth 2.0/OpenID Connect in a deployment that can already do SAML 2.0 federation. See SAML 2.0 Bearer Assertion Profiles.

As always, your input for the documentation on these topics is welcome. At the bottom of the draft docs, you will find a link to JIRA to open a doc issue for example.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?