Application Passwords for Native Client Authentication with OpenID Connect
A new type of authentication flow is provided for native clients to connect to ELM applications that are configured for OpenID Connect authentication (by using a Jazz Authorization Server, or JAS). This flow allows native clients to work with configurations that use certain third-party identity providers for user authentication without directly supporting the protocol that is used by that identity provider.
OpenID Connect (OIDC) is a form of delegated authentication. Instead of handling authentication directly, an application obtains an access token from an OIDC provider (OP) on behalf of a user. The application then uses that access token to represent the identity of the user. The access token can be passed from application to application, providing a single sign-on experience.
The OIDC specification defines various flows for obtaining an access token, depending on the type of client and the application topology. All flows require the user to prove their identity with some form of credentials, but the OIDC specification does not prescribe which forms are acceptable; each implementation decides what to support. Most commonly, a username and password are validated against a user registry (for example, LDAP), but implementations are free to support whatever they prefer. Other possibilities include smart cards, client certificates, or delegation to another type of identity provider such as SAML, Kerberos, or even another OIDC OP.