This article describes the session-less services of the Loginapp REST API's protected REST API. It covers the following end-points:
- All end-points under /protected/my/
- The end-point /protected/secret-questions
For most of the session-less protected REST APIs there is a corresponding flow-based API, described in 17.2.5. Protected REST APIs (self-services).
Whenever possible, prefer the flow-based variant over the services listed here.
Authentication and authorization
Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:
Loginapp >> REST Settings >> API Access Control.
- Request Credential Policy: determines how to extract credentials (e.g. username and password, or a ticket) from the REST request. Examples are:
  - HTTP Basic Auth header
  - Cookie with a JWT ticket
  - OAuth2 Bearer Token
  - Client certificate
- Authenticator: defines how the credentials are verified (e.g. password check, certificate validation, or JWT verification).
- Access Controller: defines which services are accessible to the authenticated user. The following plugins are available:
  - "Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like "IF $user has role 'admin' THEN allow POST on path /protected/xxx").
  - "Enabling All Access Controller": use this plugin to disable authorization and allow all services to authenticated users.
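The two stages described above, credential extraction and role-based resource access control, can be illustrated with a small constructed model. The code below is an added example and not Airlock IAM's own code; the names `extract_credential`, `RoleRule` and `authorize`, the cookie name `iam_ticket`, the role names and the sample rules are all assumptions made for illustration. Verification of the extracted credential (the Authenticator stage) is deliberately left out; the point is that authorization is default-deny and that a path rule for `/protected/my` must match on a path segment boundary, so it does not also cover `/protected/mysecrets`.

```python
import base64
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Hypothetical model of a "Request Credential Policy" (extract_credential) and a
# "Resource Access Controller" (RoleRule + authorize). Not Airlock IAM's API.


@dataclass(frozen=True)
class Credential:
    kind: str    # "basic", "bearer" or "jwt-cookie"
    value: str   # username for basic; raw token for bearer / cookie


def extract_credential(headers: dict, policy: str,
                       cookie_name: str = "iam_ticket") -> Optional[Credential]:
    """Apply one configured credential policy to lower-cased request headers.

    Returns None when the request carries no credential of the configured kind;
    the caller should then reject the request rather than fall through.
    """
    auth = headers.get("authorization", "")
    if policy == "basic" and auth[:6].lower() == "basic ":
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None                      # malformed header: treat as absent
        user, _, _password = decoded.partition(":")
        return Credential("basic", user) if user else None
    if policy == "bearer" and auth[:7].lower() == "bearer ":
        token = auth[7:].strip()
        return Credential("bearer", token) if token else None
    if policy == "cookie":
        jar = SimpleCookie()
        jar.load(headers.get("cookie", ""))
        if cookie_name in jar and jar[cookie_name].value:
            return Credential("jwt-cookie", jar[cookie_name].value)
    return None


@dataclass(frozen=True)
class RoleRule:
    """IF $user has role <role> THEN allow <method> on <path_prefix> (and sub-paths)."""
    role: str
    method: str        # HTTP method, or "*" for any method
    path_prefix: str


def _path_matches(prefix: str, path: str) -> bool:
    # Match the prefix itself or a sub-path below it; never a longer sibling name.
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def authorize(roles: set, method: str, path: str, rules: list) -> bool:
    """Default deny: allow only when some rule matches role, method and path."""
    for rule in rules:
        if rule.role in roles and rule.method in ("*", method) \
                and _path_matches(rule.path_prefix, path):
            return True
    return False


# Constructed sample policy: plain users may use their own self-services and
# the secret-questions end-point; nothing else under /protected is reachable.
SAMPLE_RULES = [
    RoleRule("user", "*", "/protected/my"),
    RoleRule("user", "GET", "/protected/secret-questions"),
    RoleRule("user", "POST", "/protected/secret-questions"),
]

# Constructed requests: (roles, method, path).
SAMPLE_REQUESTS = [
    ({"user"}, "GET", "/protected/my/email"),
    ({"user"}, "POST", "/protected/secret-questions"),
    ({"user"}, "DELETE", "/protected/secret-questions"),
    ({"user"}, "GET", "/protected/mysecrets"),    # sibling path, not a sub-path
    (set(), "GET", "/protected/my/email"),        # authenticated but no role
]


def run_demo() -> list:
    """Evaluate the constructed requests against the sample rules."""
    return [authorize(roles, m, p, SAMPLE_RULES) for roles, m, p in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (roles, m, p), allowed in zip(SAMPLE_REQUESTS, run_demo()):
        print(f"{sorted(roles)!s:12} {m:6} {p:32} -> {'allow' if allowed else 'deny'}")
```

In a real deployment the policy is selected per API in the "API Access Control" settings rather than passed as a string, but the shape is the same: one extractor per configured credential type, a separate verification step, and an access controller that answers deny unless a rule explicitly allows the combination of role, method and resource path.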
You may use the Airlock Gateway (WAF)'s one-shot authentication flow to secure the protected API upfront.
This has the following security advantages:
- Authentication enforcement and coarse-grained access control are done on the Airlock Gateway (WAF).
- The API may be strictly enforced using the Airlock Gateway (WAF)'s "API enforcement" feature.
To do so, proceed as follows:
- Set up the one-shot authentication flow according to 17.6. HTTP request authentication (Airlock One-Shot flow).
- Use an Identity Propagator to transport the verified user identity to the IAM REST API.
- Use a "Request Credential Policy" and "Authenticator" in the "API Access Control" settings to extract and authenticate the propagated identity.
- On the Airlock Gateway (WAF), create a separate mapping for the protected APIs (as described in 8.3.1. Airlock Gateway for Airlock IAM configuration).
- Enable "API Enforcement".
- Restrict access to specific roles.
Service List

| Service | Description | Configuration Path in Config Editor* |
|---|---|---|
| Password Change and Reset | Allows a user to change or reset the password. | User Self-Service Settings >> Password Settings |
| Email Change | Allows a user to change the stored email address. Involves sending an email to the user with a verification link or code. | User Self-Service Settings >> Email Self-Service |
| mTAN Self-Service | List stored mTAN numbers (mobile phone numbers), change mTAN meta-data (e.g. label), change the mTAN number (involves sending an OTP to the new number and verifying it). | User Self-Service Settings >> mTAN Self-Service |
| Cronto Self-Service | Self-service to order Cronto activation letters. | User Self-Service Settings >> Cronto Self-Service |
| Secret Questions | List possible questions and store answers to secret questions. | User Token Settings >> Secret Question Settings |
| Device Token Registration | | User Token Settings >> Device Registration Settings |
| User Information | Returns information about the authenticated user. | User Self-Service Settings >> mTAN Self-Service |