Configuration using JWT bearer tokens

This article describes how to configure Airlock IAM and Airlock Gateway for using JWT bearer tokens with one-shot authentication.

Client authentication and identity propagation in Airlock IAM

Note that with Airlock Gateway 7.4 (and newer), bearer token session tracking can be configured entirely on Airlock Gateway; the feature does not have to be enabled in Airlock IAM.

A corresponding configuration in the mapping (Security Gate Expert Settings) could look like the following:

Session.Tracking.HeaderToken.Enable                               "TRUE"
Session.Tracking.HeaderToken.Response.Header.Name                 "Access-Token"
Session.Tracking.HeaderToken.Request.Header.Name                  "Authorization"
Session.Tracking.HeaderToken.Request.Header.Value.Pattern         "^Bearer ([[:graph:]]+)$"
Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase      "TRUE"
Session.Tracking.HeaderToken.Request.Header.Value.Template        "$1"
  • Add a target application for the protected service and configure it (authentication flow, Airlock Gateway (WAF) roles/credentials). 
    • In the target application configuration, configure identity propagation such that a JWT is sent to the REST client:
      • Use an HTTP Response Header Identity Propagator plugin (within the REST Identity Propagator).
      • Headers: use plugin Encoded User Data Response Header.
      • Header name: do not use the same header name as for Session Binding With Header Token (default is X-Access-Token); otherwise the header would be added to the HTTP response twice.
      • Ticket Service: use the Mapping Ticket Service and add the desired information to it. Remember that the ticket content is sent to the REST client, so do not include information the client must not see.
      • Ticket Encoder: use the JWT Ticket Encoder with adequate cryptographic protection (signature and/or encryption) and choose a reasonably short validity period: the JWT is a bearer credential, so anyone presenting it is authenticated as its subject until it expires.

One-Shot endpoint in IAM

Go to: Loginapp >> Airlock One-Shot Authentication

Add a target application for the protected service and configure it as follows:

  • Credential Extractor: use the plugin HTTP Header Token Extractor (as SSO Credential) with the JWT Ticket Encoder. The encoder must be configured to verify the tokens produced by the identity propagator described above (same signature/encryption settings); otherwise the tokens are rejected.
  • Authenticator: use the plugin SSO Credential Authenticator.
  • Failure Responses: configure responses as desired; always use responses of type FINAL_RESPONSE (a REST client cannot be redirected into an interactive login flow).
  • Identity Propagator: as required by back-end application
  • URL pattern: according to the back-end application
  • Header Value Conversion Pattern and Header Value Conversion Replacement: optionally configure a string conversion of the header value (e.g. to strip the Bearer scheme prefix so that only the token remains).
  • Shared One-Shot Configuration

    The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

Airlock Gateway (WAF) Configuration

  • Make sure there is an IAM mapping and that the One-Shot functionality is enabled in its allow rule list.
  • Add a Gateway (WAF) mapping for the service/API to be protected
    • Set Denied access URL to /<iam-mapping-entry-path>/login-oneshot.
    • From the Authentication flow drop-down, select One-Shot.
  • Enable Bearer Token Session Tracking on the IAM mapping and on the mappings of the protected services (see the expert settings above).
  • JWTs can become quite large. It is therefore advisable to increase the maximum length of the session tracking header in the Airlock Gateway (WAF) (Mapping Security Gate Expert Settings), for example:

    Session.Tracking.ExternalToken.MaxLength                  "1024"
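The following Python script is an added example and not Airlock code. It models offline the behaviour that the settings on this page describe, so the bearer extraction and the JWT checks can be exercised before a real Gateway/IAM installation is touched: it re-implements the Session.Tracking.HeaderToken pattern (with IgnoreCase and the $1 template) as a Python regex, models the Header Value Conversion Pattern/Replacement of the one-shot credential extractor, and stands in for the JWT Ticket Encoder with a minimal HS256 signer and verifier (signature, alg and exp checks). The demo key, claims and timestamps are constructed for the example; the real encoder's key material, algorithm and settings are not taken from this page.

```python
"""Added example (not Airlock code): offline model of the bearer-token handling
described on this page. The JWT Ticket Encoder is modelled as a minimal HS256
signer/verifier with a constructed demo key (an assumption, not Airlock's
implementation)."""
import base64
import hashlib
import hmac
import json
import re
import time

# Equivalent of the Gateway expert settings
#   Session.Tracking.HeaderToken.Request.Header.Value.Pattern    "^Bearer ([[:graph:]]+)$"
#   Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase "TRUE"
#   Session.Tracking.HeaderToken.Request.Header.Value.Template   "$1"
# POSIX [[:graph:]] means "printable, non-space"; in ASCII that is the range !..~
BEARER_PATTERN = re.compile(r"^Bearer ([!-~]+)$", re.IGNORECASE)

# Constructed demo key; a real deployment uses the encoder's own key material.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def extract_bearer_token(authorization):
    """Token part of an Authorization header, or None if the header does not
    match the configured pattern (no session is bound to the request)."""
    if authorization is None:
        return None
    m = BEARER_PATTERN.match(authorization)
    return m.group(1) if m else None


def convert_header_value(value, pattern, replacement):
    """Model of 'Header Value Conversion Pattern/Replacement': a regex
    substitution on the header value. Assumes the replacement uses the same
    $1 style as the session tracking Template; Python needs \\1 instead."""
    py_repl = re.sub(r"\$(\d+)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims, key, validity_seconds, now=None):
    """Stand-in for the JWT Ticket Encoder: HS256-signed token with a short
    validity period (exp), as recommended on this page."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + validity_seconds)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now=None):
    """Verify algorithm, signature and expiry; return the claims or raise
    ValueError. This is what the one-shot credential extractor must do before
    the SSO Credential Authenticator trusts the identity inside the token."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm ("none")
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def one_shot_request(authorization, key, now=None):
    """One request end to end: bearer extraction (Gateway), then token
    verification (IAM one-shot endpoint). Returns (status, claims_or_reason)."""
    token = extract_bearer_token(authorization)
    if token is None:
        return ("DENIED_NO_TOKEN", None)
    try:
        return ("OK", verify_jwt(token, key, now))
    except ValueError as exc:  # covers bad base64/JSON as well
        return ("DENIED_INVALID_TOKEN", str(exc))


if __name__ == "__main__":
    t = make_jwt({"sub": "alice", "roles": ["api-user"]}, DEMO_KEY, 300, now=1_700_000_000)
    print(one_shot_request("Bearer " + t, DEMO_KEY, now=1_700_000_100))  # OK
    print(one_shot_request("bearer " + t, DEMO_KEY, now=1_700_000_100))  # IgnoreCase
    print(one_shot_request("Bearer " + t, DEMO_KEY, now=1_700_000_400))  # expired
    print(one_shot_request("Basic dXNlcjpwdw==", DEMO_KEY))              # no bearer token
    print("token length:", len(t), "(compare with Session.Tracking.ExternalToken.MaxLength)")
```

The script's last line prints the token length: a JWT carrying a handful of claims already runs to a few hundred characters, which is why the page recommends raising Session.Tracking.ExternalToken.MaxLength on the Gateway mapping.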