On many mobile devices, users want to avoid repeatedly entering credentials such as an email address or user name and a password. They do not want new credentials to manage for every application they try. They do not want to share their credentials across applications. Instead users want single sign-on with few identity providers. They want to authorize access for applications rather than share their credentials.
OpenAM supports emerging standards including OAuth 2.0 and OpenID Connect 1.0. After you register your application as an OAuth or OpenID Connect client with OpenAM, your application can then redirect a user to OpenAM to authenticate and to authorize access to resources that the user owns, such as profile data. Your application gets an access token that can be used later to gain authorized access without requiring the user to authenticate again. OpenID Connect extends OAuth, standardizing how client applications discover and register with identity providers, and also defining how applications can manage user sessions and handle logout when they no longer want to authorize access.
An OAuth 2.0 client application can thus make simplify the user experience on the phone to authorizing access.
In addition to serving as an identity provider, OpenAM can also function as an OAuth 2.0 client, protecting access to resources within your control based on authorization granted by an identity provider who users already know and use, such as Facebook, Google, MSN and others. OpenAM's built in authorization policy management makes it straightforward to integrate this capability into your applications.
The OAuth and OpenID Connect standards specify REST interfaces, making them essentially programming language-independent and accessible for web applications and mobile applications alike.
OpenAM also supports Open Authentication architecture with the OATH module mentioned in the next section.
