Redirect (interaction model)
10.1.1. Redirect interaction model

The redirect interaction model relies on HTTP redirects and is therefore mainly used for HTML applications with web browsers.

Properties of the example

  • Authentication of browser-based HTML application.
  • User authentication with username, password, and Airlock 2FA as 2nd factor.
  • The session in the browser is tracked with an HTTP session cookie.
  • The back-ends use HTTP session cookies and an Authorization header bearing a JWT to track the user (identity propagation).

This example is typical for the JSP-Loginapp (section 17.4).

Sequence diagram

Figure: RedirectFlowAuthentication (sequence diagram of the redirect flow)
  • Used colors:
    • Yellow: external view
    • Green: internal view

Both views are independent and can use different methods for session tracking, identity propagation, etc.

Airlock Gateway (WAF) translates the external session to the internal session used by the back-end applications. No session information from the back-end is sent to the client.

Description

  1. Unauthenticated access and redirect to Airlock IAM:
    • First, Airlock Gateway (WAF) checks the request and applies the configured filter rules.
    • It then checks the mapping configuration for the roles required to access the requested resource.
    • If the user's session does not hold the required roles, an HTTP redirect to the IAM login application is sent to the web browser. The redirect response sets the external session cookie.
  2. Login on Airlock IAM:
    • The user authenticates on IAM with username, password, and the second factor.
    • Once the login succeeds, IAM issues a JWT for identity propagation and sets a new Gateway (WAF) role.
    • The JWT and the role are stored in the Gateway (WAF) session store.
  3. Authenticated access with JWT:
    • The user can now access the back-end application. The Gateway (WAF) forwards the request with the JWT in the Authorization header.
    • In the first call, the back-end application verifies the JWT and extracts the user id from it.
    • In subsequent calls, it can either use the JWT again or rely on information stored in its own session.
    • Application-specific access decisions are taken in the back-end application.
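The three steps above, together with the separation of external and internal session described earlier, as an added worked example that is not Airlock code: a simulated Gateway session store, IAM login and back-end exchange the messages of the sequence, and the back-end verifies the propagated JWT before trusting its user id. Everything in it is an assumption made for the example: HS256 with a key shared between IAM and back-end, the claim names, the role name "authenticated", the login path "/auth/login", the constructed credentials of user "alice", and the modelling of IAM's login as a method on the Gateway object, since its result (JWT and role) lands in the Gateway session store.

```python
import base64, hashlib, hmac, json, secrets

# Constructed example: the key, issuer, role, login path and the credentials are assumptions.
JWT_KEY = b"constructed-shared-key-between-iam-and-backend"
ISSUER = "airlock-iam"
REQUIRED_ROLE = "authenticated"
VALID_LOGIN = ("alice", "correct horse battery", "123456")  # username, password, 2nd factor

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(user_id: str, now: int, ttl: int = 300) -> str:
    """IAM side: HS256-signed JWT carrying sub/iss/iat/exp for identity propagation."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user_id, "iss": ISSUER, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Back-end side: check alg, signature, issuer and expiry before trusting any claim."""
    header, payload, sig = token.split(".")  # ValueError if not exactly three parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and algorithm confusion
    expected = hmac.new(JWT_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= now:
        raise ValueError("invalid claims")
    return claims

class Backend:  # internal view: its own session cookie plus the JWT in the Authorization header
    def __init__(self):
        self.sessions = {}  # internal session id -> user id

    def handle(self, headers: dict, now: int) -> dict:
        sid = headers.get("Cookie")
        if sid in self.sessions:  # subsequent call: rely on the internal session
            return {"status": 200, "user": self.sessions[sid]}
        try:  # first call: verify the JWT before trusting the user id in it
            claims = verify_jwt(headers.get("Authorization", "").removeprefix("Bearer "), now)
        except ValueError:
            return {"status": 401}
        sid = secrets.token_hex(16)  # bind the propagated identity to a new internal session
        self.sessions[sid] = claims["sub"]
        return {"status": 200, "user": claims["sub"], "set_cookie": sid}

class Gateway:  # external view: external session cookie -> session store entry
    def __init__(self, backend: Backend):
        self.backend = backend
        self.store = {}  # external session id -> {"roles", "jwt", "backend_cookie"}

    def _session(self, cookie):
        if cookie not in self.store:  # missing or unknown cookie: start a new external session
            cookie = secrets.token_hex(16)
            self.store[cookie] = {"roles": set(), "jwt": None, "backend_cookie": None}
        return cookie, self.store[cookie]

    def request(self, cookie, now: int) -> dict:
        cookie, sess = self._session(cookie)
        if REQUIRED_ROLE not in sess["roles"]:  # step 1: required role missing -> redirect to IAM
            return {"status": 302, "location": "/auth/login", "set_cookie": cookie}
        # Step 3: translate the external session into the internal one; the back-end's
        # Set-Cookie stays in the session store and is never returned to the client.
        headers = {"Authorization": f"Bearer {sess['jwt']}"}
        if sess["backend_cookie"]:
            headers["Cookie"] = sess["backend_cookie"]
        resp = self.backend.handle(headers, now)
        if "set_cookie" in resp:
            sess["backend_cookie"] = resp.pop("set_cookie")
        return {"status": resp["status"], "user": resp.get("user"), "set_cookie": cookie}

    def login(self, cookie, username: str, password: str, otp: str, now: int) -> dict:
        # Step 2: IAM login (constructed credential and 2nd-factor check); on success the JWT
        # and the new Gateway role go into the session store, not to the browser.
        cookie, sess = self._session(cookie)
        if (username, password, otp) != VALID_LOGIN:
            return {"status": 401, "set_cookie": cookie}
        sess["jwt"] = issue_jwt(username, now)
        sess["roles"].add(REQUIRED_ROLE)
        return {"status": 200, "set_cookie": cookie}

def run_flow(now: int = 1_700_000_000) -> dict:
    """Drive the three steps once and report what each side observed."""
    gw = Gateway(Backend())
    first = gw.request(None, now)  # step 1: 302 to IAM, external cookie set
    cookie = first["set_cookie"]
    gw.login(cookie, *VALID_LOGIN, now)  # step 2
    second = gw.request(cookie, now)  # step 3, first call: back-end verifies the JWT
    third = gw.request(cookie, now + 10)  # step 3, later call: back-end uses its own session
    return {
        "first": (first["status"], first["location"]),
        "second": (second["status"], second["user"]),
        "third": (third["status"], third["user"]),
        "internal_sessions": len(gw.backend.sessions),
        "backend_cookie_hidden": gw.store[cookie]["backend_cookie"] not in (None, cookie),
    }
```

Calling run_flow() walks through the sequence once: the first request is answered with a 302 to the login application and an external cookie, the request after login reaches the back-end with the JWT, and the later request is served from the back-end's own session without a second JWT verification. The browser only ever sees the external cookie; the back-end's session cookie lives in the Gateway session store. The alg, signature, issuer and expiry checks in verify_jwt are the minimum a back-end should perform before acting on the user id from a propagated token; in a real deployment the key or certificate it verifies against is the one configured for the JWT issuer in IAM.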