ForgeRock Identity Cloud Express helps you integrate authentication and authorization into your application by using the OIDC and OAuth 2.0 protocols. The way you integrate depends on your app and how users interact with it.

Express uses both OAuth 2.0 and OpenID Connect:

  • OAuth 2.0 supports authorized access to protected resources.
  • OpenID Connect provides an identity layer on top of OAuth 2.0.

OAuth 2.0 lets you set up access to your resources without sharing your account information. OpenID Connect lets a client application read basic information about a user over REST. For more information, see the ForgeRock Access Management OpenID Connect 1.0 Guide.

OAuth 2.0 works with different client types, as defined in RFC 6749.

Application Types

Express supports several main application types. Each of these apps requires different authorization flows based on their grant types. When you register your app in the Express console, we will set the appropriate Grant Types for you.

  • Single-Page Apps are OAuth 2 clients that run in a user’s web browser. The code within the app interacts with the user and dynamically rewrites the current web page.

  • Native Apps are developed for specific platforms or devices. Examples include the apps you’ll see on mobile phones and apps dedicated to the MacOS platform.

In both cases, the application code is stored on the device or platform, so it cannot keep a secret. Express enhances security for these apps by:

  • Not using a client secret for these apps.
  • Using the Proof Key for Code Exchange (PKCE) extension to Keep Your Apps Secure.

Express supports the use of the following grant types for these apps:

(image: supported grant types for Native and Single-Page Apps)

ForgeRock combines Native and SPA apps into one category in the console, and uses the auth code flow with PKCE to add a layer of security. They share a common QUICK START ».

  • Web App is an OAuth 2 client which runs on a web server. Resource owners (users) access web apps. The app makes API calls using a server-side programming language. The user has no access to the OAuth 2 client secret, or any access tokens issued by the authorization server. QUICK START ».

Express supports the use of the following grant types for these apps:

(image: supported grant types for Web Apps)

NOTE You can also use PKCE to enhance the security of your web app. While web apps don’t have the same security issues as native/SPA apps, PKCE still enhances the security of how the app acquires access tokens.
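The PKCE step mentioned above for native/SPA apps and, optionally, web apps, shown end to end as an added example (not ForgeRock's own code): the public client derives an S256 challenge from a random verifier, sends only the challenge in the authorization request, and the authorization server checks the verifier at the token endpoint. The endpoint URL, client ID and redirect URI are placeholders, not real Express values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Placeholder values (assumptions, not real Express endpoints or client IDs).
AUTH_ENDPOINT = "https://example-tenant.invalid/oauth2/authorize"
CLIENT_ID = "example-spa-client"
REDIRECT_URI = "https://app.example.invalid/callback"

def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier that never leaves the device/browser.
    32 random bytes encode to 43 unreserved characters, the RFC minimum."""
    return b64url(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization request for a public client: no client secret is sent;
    only the challenge travels through the browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"

def server_verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Check the authorization server performs at the token endpoint before
    exchanging the authorization code. Refuses the weaker 'plain' method and
    any verifier outside the 43..128 character range."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)
```

A code stolen from the redirect is useless without the verifier, which is why the client secret can be dropped for these app types.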

  • Service App is also known as a Machine-to-Machine app. This app type represents a program that interacts with an API where there is no user involved. The app is acting on behalf of itself and not on behalf of a user. The app can ask for an access token directly without involving a user in the process at all. QUICK START ».

Express supports the use of the following grant type for these apps:

(image: supported grant type for Service Apps)

Learn more about OAuth 2.0 and OpenID Connect Flows

For more information on how Express processes OAuth 2.0 and OpenID Connect flows, see the following Access Management documents:

If you have questions email [email protected].