Mobile application integration with OpenAM

This topic has 4 replies, 3 voices, and was last updated 4 years, 12 months ago by alfmel.


    Hi all,

    We need some expert advice from you to integrate a mobile application with OpenAM.

    While going through the internet, I have seen a demo in which a sample mobile application makes a REST authentication call to OpenAM and receives the tokenId. Later, using that tokenId, it does some subsequent calls, and also logout. If this is the case, it's a straightforward implementation where we need to make OpenAM REST calls to authenticate the user.

    I am also seeing that OpenAM can be configured as an OAuth2 provider (configure OAuth 2.0 or configure OpenID). I have recently tested the OpenAM integration with Google, where OpenAM is the OAuth client and Google is the OAuth provider. It has a client ID and secret key at the Google end, which we need to add to the OAuth module on the OpenAM side. Considering this flow, how can we implement OAuth between a mobile device and OpenAM? So at this point we can leave out any social network OAuth provider; it is just the mobile device as an OAuth client and OpenAM as the provider. Can you please shed some light on this? Or, as I explained in the 1st paragraph, do we really not need to implement the OAuth method here and can we go with simple REST API authentication calls?

    Kindly advise me.

     Scott Heger

    It really boils down to whether or not you want, or need, to use an industry standard as your implementation method. If you do, then OAuth/OpenID is the way to go. Just make sure you fully understand both specs and use the correct flow for mobile. I would recommend using the Authorization Code flow with PKCE that OpenAM now supports. See If you don’t need to go with an industry standard, then you can certainly use the REST authentication API of OpenAM as your integration method.

    Hope that helps.


    Is PKCE available in 13.5? I’m trying the AppAuth reference project for Android and I had to use Basic Auth in order to redeem the code for a token.

    If PKCE is available in 13.5, how do you configure it for a client?

     Scott Heger

    Go into your OAuth2 Provider service and look for the “Code verifier parameter required” option. That turns that feature on for Authorization Code requests. It is not set on a per client basis. See for more info on that.


    The description of that setting implies that enabling it will require all clients to use PKCE. If this setting is enabled, will clients be able to exchange codes for tokens using their client_id and client_secret?

©2022 ForgeRock