Weak authentication
13.3.2.4.1. Use Case – Weak authentication
  • REST target application configuration
    1. Go to: Loginapp >> Authentication Flows
    2. Create and edit a Target Application plugin:
       • Create an Application ID plugin with the ID set to "weak-app"
       • Create and edit an Authentication Flow plugin with
         • Username/password authentication
         • A consent step
       • Create an OAuth 2.0/OIDC ID Propagator plugin
    3. The target application will choose the correct authentication flow and complete it with OIDC identity propagation.
  • AS-centric AS configuration
    1. Go to: Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
    2. In the section Flow Settings configure an ACR to Flow Application ID Mapping plugin:
       • ACR Value is set to "weak-acr"
       • Flow Application ID is an Application ID plugin with the ID set to "weak-app"
       The authorization code flow will select the correct target application if the client requests acr_values of "weak-acr".
    3. In the section ID Token create and edit a Flow Condition Based OIDC ID Token ACR Value plugin:
       • Create and edit an OIDC Flow Condition To ACR Value Mapping plugin
         • Flow Condition: Has Tag - Weak Authentication Tag
         • ACR Value: weak-acr
       The authorization code flow will return an acr claim with the value "weak-acr" based on the tag set in the flow.
  • Loginapp REST UI configuration
    1. Go to: Loginapp >> UI Settings >> Authentication UIs
    2. Create an Authentication & Authorization UI plugin:
       • Create an Application ID plugin with the ID set to "weak-app"
       • Create a Target URI Resolver plugin that allows redirection to the client after the flow has completed successfully.
    3. The authorization code flow will now use the Loginapp REST UI for authentication.

Using the weak-app example

AS-centric AS - authorize call

https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize
    response_type=code&
    redirect_uri=https://app.airlock.com/function&
    client_id=oidcConformance_clientId&
    scope=openid&
    acr_values=weak-acr&
    state=ee26b0dd4a...28a8ff

Expected behavior:

  1. Use the above URL in a browser. This is required because the configured REST UI depends heavily on JavaScript and will not be rendered without a browser.
  2. The login screen is shown: enter username and password.
  3. If local consents are configured, the consent screen is shown: grant consent.
  4. The authorization server now responds with a 302 status code and a Location header whose URL carries the authorization code and the state parameter.

Depending on your configuration, this may lead to an error in the browser, if the location cannot be resolved. If you look at the network tab in the developer tools of your browser, you will find the redirect URL that you are looking for.

AS-centric AS - redirect URL to weak-app

Location: https://app.airlock.com/function?
    code=msaUh91PAW...KoiHc8ihp6En&
    state=ee26b0dd4a...28a8ff

Use the code provided in this Location header to exchange the authorization code for access and refresh tokens:

AS-centric AS - token request

POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

    grant_type=authorization_code&
    code=msaUh91PAW...KoiHc8ihp6En&
    redirect_uri=https://app.airlock.com/function

In the response, there will also be an ID token with all the required acr and role information.

AS-centric AS - ID token from the response

{
  "sub": "mike",
  "aud": "oidcConformance_clientId",
  "acr": "weak-acr",
  "roles": [
    "employee"
  ],
  "auth_time": 1598097477,
  "iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
  "exp": 1598097602,
  "iat": 1598097482
}
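The client side of the flow above, as an added example that is not part of the original page or of Airlock IAM: it builds the authorize request with acr_values=weak-acr, extracts the code from the 302 Location while checking the state, and then validates the ID token claims (iss, aud, exp, the returned acr, and auth_time freshness). The constants are taken from the requests shown on this page; max_auth_age is an assumed client policy, and signature verification against the AS's JWKS is assumed to happen before the claim checks.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the authorize call and the ID token shown above.
AS_ISSUER = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS"
AUTHORIZE_URL = "https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize"
CLIENT_ID = "oidcConformance_clientId"
REDIRECT_URI = "https://app.airlock.com/function"


def build_authorize_url(state, acr="weak-acr"):
    """Authorize request asking the AS to select the flow mapped to this ACR value."""
    params = {"response_type": "code", "redirect_uri": REDIRECT_URI,
              "client_id": CLIENT_ID, "scope": "openid",
              "acr_values": acr, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def code_from_redirect(location, expected_state):
    """Pull the authorization code out of the 302 Location; refuse a state mismatch."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login")
    return query["code"][0]


def id_token_problems(claims, expected_acr, now=None, max_auth_age=300):
    """Return the names of claims that fail validation (empty list = accept).
    max_auth_age is an assumed client policy, not an Airlock setting.
    Signature verification (via the AS's JWKS) is assumed to run before this."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != AS_ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if claims.get("exp", 0) <= now:
        problems.append("exp")
    # The acr the AS returns must be the level the client asked for; accepting a
    # token with a different (weaker) acr would silently downgrade the login.
    if claims.get("acr") != expected_acr:
        problems.append("acr")
    if now - claims.get("auth_time", 0) > max_auth_age:
        problems.append("auth_time")
    return problems
```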