
Identity Server 3 OAuth2 support without OIDC

Configuration : We are using Identity Server 3 with a Web API 2 application, a mobile phone application and an upstream identity server.

Problem : The upstream identity server supports OAuth2 but not OIDC.

Question 1 : Does Identity Server 3 support OAuth2 without OIDC to the upstream identity server?

Question 2 : Do I need additional configuration to make OAuth2 work without OIDC?

Just to give a bit of understanding about OAuth2 and OIDC:

OIDC is an extension of OAuth2. OAuth 2 isn't about authentication. It's all about authorization (https://tools.ietf.org/html/rfc6749). OIDC is a simple layer on top of the OAuth 2 protocol that deals with the end user (http://openid.net/specs/openid-connect-core-1_0.html).

I'm not exactly sure about your implementation details, but Identity Server 3 supports OAuth2 as well as OIDC, and it all depends on how the client is set up (flow) and what the client asks for in terms of a “ResponseType” as part of a token request to Identity Server 3.

I know this may not be an answer to your 2 questions, but I think you need to think of the interaction between the Client (mobile phone application), Identity Server 3, and the Upstream Identity Server. If the Upstream Identity Server does not support OIDC then it does not care about authentication of the end user, and therefore I would think that it only requires some sort of clientId/clientsecret that could be passed as part of the request to get a token? Machine to machine (Client Credential Flow). So maybe your mobile phone application calls the Upstream Identity Server in a different fashion than it does Identity Server 3? Hope this helped a bit. Cheers
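The distinction the answer draws, shown at the protocol level as an added example (not part of the original post and not IdentityServer3 code): one function tells an OIDC authorization request from a plain OAuth2 one, the other builds the client-credentials token request the answer mentions. The host names, client id, secret and scope are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit


def classify_authorize_request(url):
    """Return 'oidc' or 'oauth2' for an authorization request URL."""
    query = parse_qs(urlsplit(url).query)
    response_types = set(query.get("response_type", [""])[0].split())
    scopes = set(query.get("scope", [""])[0].split())
    if not response_types:
        raise ValueError("response_type is required (RFC 6749, section 3.1.1)")
    # OIDC Core leaves id_token without the openid scope unspecified;
    # this example chooses to reject it rather than guess.
    if "id_token" in response_types and "openid" not in scopes:
        raise ValueError("id_token requested without the openid scope")
    # The openid scope is what turns an OAuth2 request into an OIDC one.
    return "oidc" if "openid" in scopes else "oauth2"


def client_credentials_request(token_endpoint, client_id, client_secret, scope):
    """Build (not send) an RFC 6749 section 4.4 token request."""
    if urlsplit(token_endpoint).scheme != "https":
        raise ValueError("token endpoint must use TLS; the secret is in the request")
    # Section 2.3.1: form-encode id and secret, then send them via HTTP Basic.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_endpoint, headers, body


if __name__ == "__main__":
    # Constructed sample requests; idsrv.example and upstream.example are placeholders.
    base = "https://idsrv.example/connect/authorize?client_id=mobile&"
    print(classify_authorize_request(base + "response_type=code&scope=openid%20profile"))
    print(classify_authorize_request(base + "response_type=code&scope=api1"))
    print(client_credentials_request(
        "https://upstream.example/token", "mobile", "s3cret", "api1"))
```

Neither function contacts a server; the second returns the URL, headers and form body so they can be inspected before being handed to an HTTP client.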
