17.2.5.7. Session-less protected REST APIs

This article describes session-less services in the Loginapp REST API's protected REST API. It encompasses the following end-points:

  • All end-points under: /protected/my/
  • The end-point /protected/secret-questions.

For most of the session-less protected REST APIs, there is a corresponding flow-based API in 17.2.5. Protected REST APIs (self-services).
Whenever possible, prefer the flow-based variant over the services listed here.

Authentication and authorization

Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:

Loginapp >> REST Settings >> API Access Control.

  • Request Credential Policy: Determines how to extract credentials (e.g. username and password or a ticket) from the REST request. Examples are:
    • HTTP Basic Auth header
    • Cookie with a JWT ticket
    • OAuth2 Bearer Token
    • Client certificate
  • Authenticator: Defines how the credentials are verified (e.g. password check, certificate validation, or JWT verification).
  • Access Controller: Defines what services are accessible by the authenticated user. The following plugins are available:
    • "Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like "IF $user has role 'admin' THEN allow POST on path /protected/xxx")
    • "Enabling All Access Controller": use this plugin to disable authorization and allow all services to authenticated users.
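As an added example (not Airlock IAM's own code), the following Python model runs a request through the three stages listed above: a Basic-Auth Request Credential Policy, a password Authenticator, and an Access Controller that evaluates rules of the "IF role THEN allow METHOD on path" form or, when switched over, behaves like the "Enabling All" plugin. The user store, salt, rule set and request paths are constructed sample data, not values from any real deployment.

```python
import base64, hashlib, hmac
# Constructed sample user store (hypothetical data): username -> (password hash, roles)
_SALT = b"example-salt"
def _pw_hash(pw):
    return hashlib.sha256(_SALT + pw.encode()).hexdigest()
USERS = {"alice": (_pw_hash("s3cret"), {"admin", "user"}),
         "bob": (_pw_hash("hunter2"), {"user"})}
# Resource Access Controller rules in the page's "IF role THEN allow METHOD on path" form:
# (required role, HTTP method, path prefix). A request matching no rule is denied.
RULES = [("admin", "POST", "/protected/"),
         ("user", "GET", "/protected/my/"),
         ("user", "POST", "/protected/my/password")]

def basic_header(user, password):  # Authorization header a client would send
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def extract_basic_credentials(headers):
    # Request Credential Policy: pull user/password out of an HTTP Basic Auth header
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header counts as "no credentials"
    return (user, password) if user else None

def authenticate(creds):
    # Authenticator: constant-time password check; unknown users still hash+compare
    if creds is None:
        return None
    user, password = creds
    stored_hash = USERS.get(user, (_pw_hash("<none>"), set()))[0]
    ok = hmac.compare_digest(stored_hash, _pw_hash(password))
    return user if ok and user in USERS else None

def authorize(user, method, path, enable_all=False):
    # Access Controller: "Enabling All" trusts every authenticated user; the
    # "Resource Access Controller" needs a rule whose role, method and prefix all match
    if enable_all:
        return True
    roles = USERS[user][1]
    return any(r in roles and m == method and path.startswith(p) for r, m, p in RULES)

def handle(headers, method, path, enable_all=False):
    user = authenticate(extract_basic_credentials(headers))
    if user is None:
        return 401  # credential policy or authenticator rejected the request
    return 200 if authorize(user, method, path, enable_all) else 403  # 403 = authenticated, not allowed
```

Note the difference between the two plugins: with the rule set, bob (role "user") is authenticated but still gets 403 on POST /protected/secret-questions, while "Enabling All" lets the same request through.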

You may use the Airlock Gateway (WAF)'s one-shot authentication flow to secure the protected API upfront.

This has the following security advantages:

  • Authentication enforcement and coarse-grained access control are done on the Airlock Gateway (WAF)
  • The API may be strictly enforced using the Airlock Gateway (WAF)'s "API enforcement" feature

To do so, proceed as follows:

  • Set up the one-shot authentication flow according to 17.6. HTTP request authentication (Airlock One-Shot flow)
  • Use an Identity Propagator to transport the verified user identity to the IAM REST API
  • Use a "Request Credential Policy" and "Authenticator" in the "API Access Control" settings to extract and authenticate the propagated identity
  • On the Airlock Gateway (WAF), create a separate mapping for the protected APIs (as described in 8.3.1. Airlock Gateway for Airlock IAM configuration)
    • Enable "API Enforcement"
    • Restrict access to specific roles.

Service List

For each service: Service / Description / Configuration Path in Config Editor*

  • Password Change and Reset
    Description: Allows a user to change or reset the password.
    Configuration path: User Self-Service Settings >> Password Settings
  • Email Change
    Description: Allows a user to change the stored email address. Involves sending an email to the user with a verification link or code.
    Configuration path: User Self-Service Settings >> Email Self-Service
  • mTAN Self-Service
    Description: List stored mTAN numbers (mobile phone numbers), change mTAN meta-data (e.g. label), change the mTAN number (involves sending an OTP to the new number and verifying it).
    Configuration path: User Self-Service Settings >> mTAN Self-Service
  • Cronto Self-Service
    Description: Self-service to order Cronto activation letters.
    Configuration path: User Self-Service Settings >> Cronto Self-Service
  • Secret Questions
    Description: List possible questions and store answers to secret questions.
    Configuration path: User Token Settings >> Secret Question Settings
  • Device Token Registration
    Configuration path: User Token Settings >> Device Registration Settings
  • User Information
    Description: Returns information about the authenticated user.
    Configuration path: User Self-Service Settings >> mTAN Self-Service