AS-centric AS - authorize call
https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?response_type=code&
redirect_uri=https://app.airlock.com/function&
client_id=oidcConformance_clientId&
scope=openid&
acr_values=strong-acr&
state=ee26b0dd4a...28a8ff
Expected behaviour:
- Open the above URL in a browser. This is required because the configured REST UI depends heavily on JavaScript and will not render without a browser.
- The login screen will be shown - enter username and password.
- The second login screen is shown - enter mTAN code.
- If local consents are configured, the consent screen is shown.
- The authorization server now responds with a 302 status code and a Location header whose URL carries the authorization code and the state parameter.
Depending on your configuration, this may lead to an error in the browser if the Location URL cannot be resolved. In that case, look at the network tab of your browser's developer tools to find the redirect URL you are looking for.
AS-centric AS - redirect
Location: https://app.airlock.com/function?
code=msaUh91PAW...KoiHc8ihp6En&
state=ee26b0dd4a...28a8ff
Use the code provided in this Location header to exchange the authorization code for access and refresh tokens:
AS-centric AS - redirect URL to weak-app
POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ
grant_type=authorization_code&
code=msaUh91PAW...KoiHc8ihp6En&
redirect_uri=https://app.airlock.com/function&
state=ee26b0dd4a...28a8ff
The response also contains an ID token. Because of the roles-to-ACR mapping, the acquired role "strong-role" is mapped to the "strong-acr" ACR value, which is returned in the ID token.
AS-centric AS - ID token from response
{
  "sub": "mike",
  "aud": "oidcConformance_clientId",
  "acr": "strong-acr",
  "roles": [
    "employee"
  ],
  "auth_time": 1598100981,
  "iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
  "exp": 1598101107,
  "iat": 1598100987,
  "family_name": "Doujak"
}
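The client side of the whole flow above (authorize call, redirect handling, token request, ID-token checks) as an added Python example; it is not code from the Airlock IAM documentation or product. Endpoint URLs, client_id, redirect_uri and the ACR value are the ones shown on the page; the state, authorization code, client secret and the signature on the sample ID token are constructed placeholders, and the token endpoint is not actually called. The point it makes that the page only implies: acr_values in the authorize call is a request, so a client that requires the strong login must check the acr claim it actually receives, alongside state, iss, aud and exp.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints and identifiers as shown on the page; secret, state and code
# values used below are constructed placeholders, not real values.
AS_BASE = "https://oidc.airlock.com/auth-login"
AUTHORIZE_URL = AS_BASE + "/oauth2/v3/myAS/authorize"
TOKEN_URL = AS_BASE + "/rest/oauth2/authorization-servers/myAS/token"
ISSUER = AS_BASE + "/rest/oauth2/authorization-servers/myAS"
CLIENT_ID = "oidcConformance_clientId"
REDIRECT_URI = "https://app.airlock.com/function"
REQUESTED_ACR = "strong-acr"


def new_state() -> str:
    """Unguessable per-request state; the client keeps it in the user's session."""
    return secrets.token_hex(16)


def build_authorize_url(state: str) -> str:
    """The authorize call from the page, asking for the strong ACR via acr_values."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": "openid",
        "acr_values": REQUESTED_ACR,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(location: str, expected_state: str) -> str:
    """Extract the code from the 302 Location header. The state must equal the
    one stored for this session; otherwise the response is rejected."""
    parsed = urlparse(location)
    target = f"{parsed.scheme}://{parsed.netloc}{parsed.path}"
    if target != REDIRECT_URI:
        raise ValueError("Location does not point at the registered redirect_uri")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError("authorization server returned error: " + qs["error"][0])
    if qs.get("state") != [expected_state]:
        raise ValueError("state mismatch: response does not belong to this session")
    codes = qs.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code: str, client_id: str, client_secret: str):
    """Headers and form body for the token endpoint (HTTP Basic client auth)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + creds,
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    })
    return headers, body


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Constructed compact JWS with a placeholder signature so the example runs
    offline. A real AS signs the token and the client verifies that signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + ".placeholder-signature"


def check_id_token_claims(id_token: str, now: int) -> dict:
    """Decode the payload and enforce iss, aud, exp and the requested ACR.
    Signature verification against the AS JWKS belongs before this step and is
    omitted here only because the sample token has no real key."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    # acr_values only asks; the client must check what the AS actually asserted.
    if claims.get("acr") != REQUESTED_ACR:
        raise ValueError(f"acr {claims.get('acr')!r} is not the required {REQUESTED_ACR!r}")
    return claims


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    code = parse_redirect(f"{REDIRECT_URI}?code=CONSTRUCTED-CODE-123&state={state}", state)
    headers, body = build_token_request(code, CLIENT_ID, "CONSTRUCTED-SECRET")
    print("POST", TOKEN_URL, headers, body)
    token = make_sample_id_token({"sub": "mike", "aud": CLIENT_ID, "acr": "strong-acr",
                                  "iss": ISSUER, "exp": 1598101107, "iat": 1598100987})
    print(check_id_token_claims(token, now=1598100990))
```

Running the script prints the authorize URL, the token request that would be sent, and the accepted claims. A token whose acr is anything other than "strong-acr" (for example when the roles-to-ACR mapping or the configured login steps do not yield the strong role) is rejected by check_id_token_claims, which is the check an application relying on the mTAN step needs in addition to verifying the token signature.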