
This topic has 1 reply, 2 voices, and was last updated 6 years, 7 months ago by Scott Heger.


    We have users who can use mobile apps as well as web applications.
    Is it fine to use a common approach like OAuth2 for both mobile and web applications to implement SSO, or should we go with SAML for web SSO and OAuth2 for mobile SSO?

    The problem we are facing is that OpenAM doesn’t allow changing the password and some other functionality without an SSO token. So having just an OAuth2 token for web apps is creating some issues. Moreover, it is the responsibility of the web apps to maintain the SSO by passing the OAuth2 tokens across applications.

     Scott Heger

    When comparing SAML and OAuth, SAML is more geared toward web-browser-based SSO, and OAuth + OpenID Connect are geared toward mobile apps and server-to-server (i.e. app-to-API) communication.

    You can use OAuth + OpenID Connect for both, but not all OAuth flows result in the creation of an OpenAM session and subsequent SSO Token. If using the more programmatic OAuth flows like the “Resource Owner Password Credentials” then you would need to invoke OpenAM REST calls to authenticate and obtain an SSO Token in addition to the REST calls to obtain your OAuth Token.

    If your OAuth flows are either the “Authorization Grant” or “Implicit Grant” flows then you would get an SSO Token in addition to the OAuth Token.

    You could also look into using OpenIDM to handle your password related operations and that would remove the need for the SSO Token.
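The two-call pattern described above for the password-credentials flow, as an added Python example (not code from the thread or from ForgeRock): the OAuth2 token endpoint returns only an access token, so a second OpenAM REST authenticate call is needed to obtain the SSO token that session-bound operations such as a password change require. The base URL, realm, client credentials and the `Accept-API-Version` header value are assumptions about an OpenAM 12/13-style deployment; the `post` parameter exists only so the exchange can be exercised against a fake transport.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed deployment values: placeholders, not taken from the thread.
OPENAM_BASE = "https://openam.example.com/openam"
REALM = "/"


def http_post(url, headers, body):
    """Default transport: a plain urllib POST returning (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


def oauth2_password_grant(username, password, client_id, client_secret,
                          scope="openid profile", post=http_post):
    """Resource Owner Password Credentials grant against the OpenAM token
    endpoint. Yields OAuth tokens only; no OpenAM session (SSO token) is created."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": "Basic " + creds}
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": scope}).encode()
    url = f"{OPENAM_BASE}/oauth2/access_token?{urllib.parse.urlencode({'realm': REALM})}"
    status, text = post(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    return json.loads(text)


def openam_authenticate(username, password, post=http_post):
    """Separate OpenAM REST authentication call; this one does create a session.
    Returns tokenId, the SSO token. Credentials travel in headers, so TLS only."""
    headers = {"Content-Type": "application/json",
               "Accept-API-Version": "resource=2.0, protocol=1.0",  # assumed value
               "X-OpenAM-Username": username, "X-OpenAM-Password": password}
    url = f"{OPENAM_BASE}/json/authenticate?{urllib.parse.urlencode({'realm': REALM})}"
    status, text = post(url, headers, b"")
    if status != 200:
        raise RuntimeError(f"authenticate returned {status}: {text}")
    return json.loads(text)["tokenId"]


def login_with_ropc(username, password, client_id, client_secret, post=http_post):
    """The two-call pattern: an OAuth access token for APIs plus an SSO token
    for session-bound OpenAM operations such as changing the password."""
    token = oauth2_password_grant(username, password, client_id, client_secret, post=post)
    sso = openam_authenticate(username, password, post=post)
    return {"access_token": token["access_token"], "sso_token": sso}
```

With the authorization-code or implicit flows this second call is unnecessary, since the browser-based login already establishes the OpenAM session.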

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.