Abstract
This page describes the known limitations of the Legacy OpenID Connect federations that are resolved by the new OpenID Connect solution.
Content
Note: The following known limitations apply only to the Legacy OpenID Connect federations. The corresponding capabilities are supported from IBM Security Access Manager version 9.0.4 and later. For more information on the new OpenID Connect solution, see OAuth and OpenID Connect. For the new OpenID Connect Relying Party, see OpenID Connect Relying Party federations.
LIMITATION | SOLUTION
--- | ---
No hybrid flow support for the RP or OP. | From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 Workflow.
No encryption of id_tokens and limited signature algorithms: encrypting id_tokens is not supported, and the only signature algorithms supported for signing them are 256-bit RSA or HMAC. | From version 9.0.4, this is supported by using API Protection. See API Protection OpenID Connect Provider properties.
Cannot configure both posting client credentials and providing them in a basic authentication header when contacting the /token endpoint: only one of clientSecretBasic and clientSecretPost can be configured for an OP federation. | From version 9.0.4, this is supported by using API Protection, which allows both clientSecretBasic and clientSecretPost to be used.
There is no /userinfo endpoint: a client cannot use an access token to access a /userinfo endpoint to obtain information about the user on whose behalf the token was issued. | From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 endpoints.
No discovery: the ability to discover a user's OP and interact with it as per https://openid.net/specs/openid-connect-discovery-1_0.html is not available. | From version 9.0.4, this is supported by using API Protection. See OAuth 2.0 endpoints.
No dynamic client registration: the ability for clients to self-register against an OP as per https://openid.net/specs/openid-connect-registration-1_0.html is not available. | From version 9.0.5, this is supported by using API Protection. See OIDC Dynamic Clients.
The access_token provided to an OpenID Connect client cannot be used to authenticate to a reverse proxy: the access token is different from one obtained by using an OAuth 2.0 client, and cannot be used to authenticate as a user to the OP. | From version 9.0.4, this is supported by using API Protection. For more information on how to configure a reverse proxy as a resource server, see Configuring a reverse proxy for OAuth and an OIDC Connect provider.
Users cannot manage grants or consent information. | From version 9.0.4, this is supported by using API Protection, which exposes grant and consent management APIs. See OAuth 2.0 endpoints.
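The clientSecretBasic / clientSecretPost row above refers to the two client authentication methods of RFC 6749 section 2.3.1. The following added example (written for this page; it is not IBM's code and not part of the ISAM product) shows what each method looks like on the wire for an authorization-code exchange at the /token endpoint, and how a token endpoint that accepts both methods still enforces the RFC rule that a single request must not carry more than one of them. The client id, secret, authorization code and redirect URI are constructed placeholders; `REGISTERED_CLIENTS` stands in for whatever client store a real OP uses.

```python
"""Added example (not IBM's code): client_secret_basic vs client_secret_post
at an OAuth 2.0 / OIDC /token endpoint, with OP-side validation that accepts
either method but rejects a request that presents both (RFC 6749 2.3).
All identifiers, secrets and URLs below are constructed placeholders."""
import base64
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qsl, quote, unquote, urlencode

# Constructed client registry standing in for the OP's real client store.
REGISTERED_CLIENTS: Dict[str, str] = {
    "example-rp": "s3cr3t-placeholder",
}


def build_token_request(method: str, client_id: str, client_secret: str,
                        code: str, redirect_uri: str) -> Tuple[Dict[str, str], str]:
    """Client side: return (headers, form-urlencoded body) for the /token call."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: id and secret are form-urlencoded, then sent as HTTP Basic.
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif method == "client_secret_post":
        # Credentials travel in the request body instead of a header.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, urlencode(form)


def authenticate_client(headers: Dict[str, str], body: str) -> Optional[str]:
    """OP side: return the authenticated client_id, or None to signal invalid_client."""
    form = dict(parse_qsl(body, keep_blank_values=True))

    basic: Optional[Tuple[str, str]] = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            return None
        user, sep, pwd = decoded.partition(":")
        if not sep:
            return None
        basic = (unquote(user), unquote(pwd))

    post: Optional[Tuple[str, str]] = None
    if "client_secret" in form:
        post = (form.get("client_id", ""), form["client_secret"])

    # RFC 6749 2.3: a client MUST NOT use more than one authentication method
    # per request; treating it as invalid_client is the safe OP-side choice.
    if basic is not None and post is not None:
        return None
    creds = basic if basic is not None else post
    if creds is None:
        return None

    client_id, presented_secret = creds
    expected_secret = REGISTERED_CLIENTS.get(client_id)
    if expected_secret is None:
        return None
    # Constant-time comparison so secret mismatches do not leak via timing.
    if not hmac.compare_digest(presented_secret.encode(), expected_secret.encode()):
        return None
    return client_id


if __name__ == "__main__":
    for m in ("client_secret_basic", "client_secret_post"):
        h, b = build_token_request(m, "example-rp", "s3cr3t-placeholder",
                                   "code-placeholder", "https://rp.example/cb")
        print(m, "->", authenticate_client(h, b))
```

The OP-side check is the part worth copying: accepting both methods (as the 9.0.4 API Protection does) does not mean accepting both in the same request, and the comparison of the presented secret uses `hmac.compare_digest` rather than `==`.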
Document Information
Modified date: 30 August 2018
UID: ibm10729473