IBM Support

Resolved known limitations for OpenID Connect federations

News


Abstract

This page describes the known limitations that are now resolved with the new OpenID Connect solution.

Content

Note: The following known limitations apply only to the Legacy OpenID Connect federations. The corresponding capabilities are supported from IBM Security Access Manager version 9.0.4 and later. For more information on the new OpenID Connect solution, see OAuth and OpenID Connect. For the new OpenID Connect Relying Party, see OpenID Connect Relying Party federations.

Limitation: No hybrid flow support for the RP or OP
The currently supported flows are implicit or authorization code flow.
Solution: From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 Workflow.

Limitation: No encryption of id_tokens, limited signature algorithms
Encrypting id_tokens is not supported. The signature algorithms that are supported for signing them are 256-bit RSA or HMAC.
Solution: From version 9.0.4, this is supported by using API Protection. See API Protection OpenID Connect Provider properties.

Limitation: Cannot configure both posting client credentials and providing them in a basic authentication header when contacting the /token endpoint
Only one of clientSecretBasic and clientSecretPost can be configured for an OP federation.
Solution: From version 9.0.4, this is supported by using API Protection, which allows both clientSecretBasic and clientSecretPost to be used.

Limitation: There is no /userinfo endpoint
A client cannot use an access token to access a /userinfo endpoint to obtain information about the user on whose behalf the token was issued.
Solution: From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 endpoints.

Limitation: No discovery
The ability to discover a user's OP and interact with it as per https://openid.net/specs/openid-connect-discovery-1_0.html is not available.
Solution: From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 endpoints.

Limitation: No dynamic client registration
The ability for clients to self-register against an OP as per https://openid.net/specs/openid-connect-registration-1_0.html is not available.
Solution: From version 9.0.5, this is supported by using API Protection. See OIDC Dynamic Clients.

Limitation: The access_token provided to an OpenID Connect client cannot be used to authenticate to a reverse proxy
The access token is different from one obtained by using an OAuth 2.0 client, and cannot be used to authenticate as a user to the OP.
Solution: From version 9.0.4, this is supported by using API Protection. For more information on how to configure a reverse proxy as a resource server, see Configuring a reverse proxy for OAuth and an OIDC Connect provider.

Limitation: Users cannot manage grants or consent information
There is no way to revoke a grant that was issued to a client, or to remove any remembered consent decisions.
Solution: From version 9.0.4, this is supported by using API Protection, which exposes grant and consent management APIs. See OAuth 2.0 endpoints.
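Two of the limitations above are about protocol details an RP has to get right: how client credentials are presented to the /token endpoint (clientSecretBasic versus clientSecretPost) and how an HMAC-signed id_token is checked. The following Python is an added example written for this page, not IBM code and not part of any ISAM release; the client ID, client secret, issuer URL and token endpoint are constructed placeholders. It builds the token request for either client authentication method (RFC 6749 section 2.3.1 requires the credentials to be form-urlencoded before they are joined and base64-encoded for the Basic header, a step that is often skipped) and validates an HS256 id_token using the client secret as the HMAC key, as OpenID Connect Core specifies, with the algorithm pinned so that the token's own alg header cannot choose the verification method.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote, urlencode

# Constructed placeholder values for this example (not taken from the page).
CLIENT_ID = "rp-client"
CLIENT_SECRET = "s3cr3t"
ISSUER = "https://op.example.test"
TOKEN_ENDPOINT = ISSUER + "/token"


def build_token_request(code, redirect_uri, method="clientSecretBasic"):
    """Return (url, headers, body) for an authorization-code exchange.

    clientSecretBasic: client_id and client_secret are each form-urlencoded,
    joined with ':' and base64-encoded into an HTTP Basic Authorization header.
    clientSecretPost: the same credentials are sent as POST body parameters.
    """
    params = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "clientSecretBasic":
        raw = quote(CLIENT_ID, safe="") + ":" + quote(CLIENT_SECRET, safe="")
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    elif method == "clientSecretPost":
        params["client_id"] = CLIENT_ID
        params["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError("unsupported client authentication method: " + method)
    return TOKEN_ENDPOINT, headers, urlencode(params)


def _b64url_decode(s):
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_hs256_id_token(token, expected_aud, now=None):
    """Verify an HS256 id_token with the client secret and check iss/aud/exp.

    Returns the payload on success and raises ValueError otherwise. Only HS256
    is accepted: the alg header is compared against a fixed expectation, never
    used to select a verification method, so 'none' or a foreign alg is rejected.
    """
    try:
        h_b64, p_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (h_b64 + "." + p_b64).encode()
    expected = hmac.new(CLIENT_SECRET.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if payload.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = payload.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("wrong audience")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def id_token_accepted(token, expected_aud, now=None):
    """Boolean wrapper around validate_hs256_id_token for quick checks."""
    try:
        validate_hs256_id_token(token, expected_aud, now)
        return True
    except ValueError:
        return False


def make_test_id_token(claims, alg="HS256"):
    """Construct a sample id_token for the demo (in practice the OP mints it)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    if alg == "HS256":
        sig = hmac.new(CLIENT_SECRET.encode(), (header + "." + body).encode(), hashlib.sha256).digest()
    else:
        sig = b""  # unsigned token, used only to show that the validator rejects it
    return header + "." + body + "." + _b64url_encode(sig)


if __name__ == "__main__":
    url, hdrs, body = build_token_request("abc", "https://rp.example.test/cb")
    print(url, hdrs["Authorization"], body)
    tok = make_test_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                              "exp": int(time.time()) + 300})
    print(validate_hs256_id_token(tok, CLIENT_ID)["sub"])
```

The audience check accepts either a single string or a list containing the client ID, which is how the aud claim may appear; the expiry check takes an explicit clock so the same validator can be exercised deterministically.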


Document Information

Modified date:
30 August 2018

UID

ibm10729473