Elevating the Customer Experience with Expanded OAuth 2.0 and OpenID Connect (OIDC) Support

Why a Standards-Based Approach Is Key to Capturing Customers and Improving Security

Consumers are notoriously impatient when it comes to poor digital experiences.

According to the ForgeRock: The New Normal survey, 35% of consumers will cancel or delete your app if they have trouble logging into your service. And 32% will switch to your competitor. Ouch!

The stakes are high, and it is important to get the login experience right the first time. This means designing your digital customer journey, through your customer identity and access management (CIAM) solution, using a standards-based approach built on well-known protocols such as OAuth 2.0 and OpenID Connect (OIDC). Doing so not only helps you create engaging experiences that keep customers coming back, but it also improves your overall security.

First, let’s look at the two popular standards-based protocols and what they are used for:

  • OAuth 2.0 is the industry standard for authorization. Instead of handing a password to a third party, it issues authorization tokens, which share a scoped piece of identity data with an untrusted party in a secure, standardized fashion. This makes OAuth 2.0 a good fit when you need to share identity information with others in your CIAM ecosystem but don’t want to give away the entire identity data set to third-party service providers or developers.
  • OpenID Connect layers on top of OAuth 2.0 and allows clients to verify the identity of the end user based on the authentication performed by an authorization server. It also allows the client to obtain basic profile information about the end user in an interoperable and Representational State Transfer (REST)-like manner.

Let’s take a look at three use cases and ForgeRock Identity Platform capabilities that involve these protocols and how they can improve both digital customer experience and security.

OAuth 2.0 Token Exchange 

Few CIAM scenarios are self-contained. Instead, they rely on an ecosystem of services that your users can access and move between. The nightmare scenario you want to avoid is any interruption in your users’ digital customer experience as they move across this constellation of services, such as having to log in again when they cross a service boundary or having to be reauthorized for a particular application. This is where OAuth 2.0 token exchange, with its authorized delegation and impersonation capabilities, comes into play.

Here’s a good example of OAuth 2.0 token exchange in action: your customer dials into your call center. Instead of a cumbersome, lengthy, and potentially insecure knowledge-based authentication exchange between your agent and the user (date of birth, mother’s maiden name, and other identity data), an OAuth 2.0 token exchange is kicked off. The user simply responds to a push notification in their mobile application and is immediately confirmed to your call center agent (authorized delegation and impersonation in action!). Other identity information can then be securely shared to help complete the transaction. OAuth 2.0 token exchange expands the ways organizations can use the OAuth protocol, using authorized delegation and impersonation to help deliver that coveted omnichannel customer experience.
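The call-center delegation described above, as an added example that is not part of ForgeRock's post or product: the RFC 8693 token exchange request the agent's application sends, and the check a resource server makes on the delegated token's act claim so the agent gets only a delegate's permissions. The endpoint parameters, scope names and the delegate policy are assumptions.

```python
# Added example, not ForgeRock code: an RFC 8693 token-exchange request for the
# call-center delegation scenario, plus the resource server's check on the token
# that comes back. Scope names and the delegate policy are constructed.
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

def build_delegation_request(subject_token, actor_token, audience, scope):
    """Form body the agent's desktop app posts to the token endpoint.
    subject_token: issued to the customer after they approved the push notification.
    actor_token: the agent's own token; including it requests delegation (the
    issued token will carry an 'act' claim). Omitting it requests impersonation."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": audience,
        "scope": scope,
    }
    if actor_token is not None:
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN_TYPE
    return urlencode(params)

# Operations a delegate (the agent) may perform on the customer's behalf; anything
# else requires the customer to act directly. Constructed least-privilege policy.
DELEGATE_ALLOWED = {"account:read", "ticket:write"}

def authorize(claims, required_scope, audience):
    """Resource-server decision for a token issued by the exchange. 'claims' is the
    signature-verified JWT payload (verification itself is out of scope here).
    Returns (allowed, reason); the reason is what you would write to the audit log."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False, "audience mismatch"
    if required_scope not in claims.get("scope", "").split():
        return False, "scope not granted"
    actor = claims.get("act")            # RFC 8693: present only for delegation
    if actor is None:
        return True, f"{claims['sub']} acting directly"
    # Nested 'act' objects record a delegation chain; the outermost is the current actor.
    if required_scope not in DELEGATE_ALLOWED:
        return False, f"{actor['sub']} may not perform {required_scope} for {claims['sub']}"
    return True, f"{actor['sub']} acting for {claims['sub']}"
```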

OpenID Connect Back-Channel Application Logout

The “stateless” nature of web applications means that you don’t always have end-to-end visibility or control over the other parties in the chain: every HTTP/S request occurs in isolation. This can create unintentional security issues in a robust CIAM deployment. For example, if a user logs out or times out of a session in one part of the digital experience, other services may not notice, potentially leaving an application open to a man-in-the-middle hack. OIDC back-channel logout ensures end-to-end security throughout the user session by signaling to the other applications that the user’s session has ended. Authorization privileges can then be positively revoked until the next time the user logs in.
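What a relying party has to check when the back-channel logout signal arrives, as an added example (not ForgeRock code): it validates the logout token and ends the matching local sessions, assuming an HMAC shared secret in place of the OP's RS256 key and a constructed session table.

```python
# Added example, not ForgeRock code: how a relying party (RP) validates an OIDC
# back-channel logout token and ends the matching local sessions. HS256 with a
# constructed shared secret stands in for RS256 verification against the OP's JWKS.
import base64, hashlib, hmac, json, time

ISSUER, CLIENT_ID, SECRET = "https://op.example.com", "crm-web", b"constructed-secret"
LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
SESSIONS = {"sess-abc": {"sub": "customer-42", "sid": "op-sid-1"}, "sess-def": {"sub": "customer-42", "sid": "op-sid-2"}}  # constructed RP session store
SEEN_JTI = set()  # jti values already processed, for replay protection

def _b64u(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64u_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_logout_token(claims):
    """Builds what the OP POSTs as logout_token=... to the RP's backchannel_logout_uri."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "logout+jwt"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def handle_backchannel_logout(token, now=None):
    """Checks from OIDC Back-Channel Logout 1.0 section 2.6; returns the local session
    ids ended, raises ValueError when the RP must answer HTTP 400 instead."""
    now = time.time() if now is None else now
    head, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("signature check failed")
    c = json.loads(_b64u_decode(body))
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    if c.get("iss") != ISSUER or CLIENT_ID not in aud:
        raise ValueError("issuer or audience mismatch")
    if not (now - 120 <= c.get("iat", 0) <= now + 120):  # short freshness window
        raise ValueError("iat outside acceptable window")
    if "nonce" in c:  # MUST NOT be present: an ID token is not a logout token
        raise ValueError("nonce present")
    if not isinstance(c.get("events", {}).get(LOGOUT_EVENT), dict):
        raise ValueError("backchannel-logout event missing")
    if "sub" not in c and "sid" not in c:
        raise ValueError("neither sub nor sid present")
    if not c.get("jti") or c["jti"] in SEEN_JTI:
        raise ValueError("jti missing or replayed")
    SEEN_JTI.add(c["jti"])
    # A sid ends that one OP session; a bare sub ends every local session of the user.
    match = (lambda s: s["sid"] == c["sid"]) if "sid" in c else (lambda s: s["sub"] == c["sub"])
    ended = [k for k, s in SESSIONS.items() if match(s)]
    for k in ended:
        del SESSIONS[k]
    return ended
```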

OpenID Connect Third-Party Identity Providers (IdP)

Who actually “owns” the user identity? Where does it reside? For many organizations, it simply doesn’t matter: they just want to offer a service to an authorized user without managing and maintaining an entire identity management system. OIDC third-party IdP support gives one party a way to extend services to the users of another organization securely and seamlessly, without the identity management overhead or an additional authentication step. An example is a financial institution offering retirement portfolio services to customers of another institution. Using OpenID Connect with a third-party IdP, it can conveniently authenticate those customers to its applications without having to onboard and verify their identities itself. If users of the trusted institution have already authenticated, that trust can be temporarily extended so those users can access your application.

ForgeRock champions open standards in all types of applications and with all types of identities. We help organizations achieve their dual goals of creating digital customer journeys that are both seamless and secure, so that your customers keep coming back.

Get additional details on the standards and use cases discussed here at ForgeRock Identity Platform. Reach out to us here to talk to one of our identity experts about your open standards or CIAM needs.


*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Jeff Carpenter. Read the original post at: