Configuration of Airlock IAM as AS

  • Open the Config Editor
    • Make sure that the demo Airlock IAM configuration is loaded and active
  • Remove all target applications in MAIN SETTINGS >> Application Settings
  • Add a new Id Propagator Target Application to the Target Applications list.
    • Set "Default URL" to the External Base URL
    • Set "Application Entry URLs" and "URL Pattern" to the same URL, appending ".*" and escaping every dot as \. (for example https://airlock-client\.iam/auth/.* ). The pattern is a regular expression: an unescaped dot matches any character, so the pattern would also match hosts other than the intended one.
    • Set "Required Roles" to "authenticated" (or any role a user might need to have in order to access the OAuth 2.0 Client)
    • Add a new "Identity Propagator" of type "OAuth 2.0 Authorization Code Grant Identity Propagator"
      • Enter the "Client ID" and the shared secret in the respective fields
      • Set "Redirect URL" to the Redirect URL from above
      • Enable "Show User Confirm Page" if the user should explicitly accept all propagated roles/scopes. If this is enabled, "Client Name Key" and "Additional Information Key" must also be provided (dummy values are sufficient for testing).
      • Go into the "Resource Endpoint"
        • In the List of "Resource Mappings", create a new "OAuth 2.0 Resource Mapping":
          • Set "URL Subpath" to "username". The Specific Username Resource Endpoint is then available at https://airlock-as.iam/auth/oauth2-resource/<clientId>/username
          • In the List of "Resources" add a new "OAuth 2.0 Local Username Resource":
            • Set the "Identifier" to "username" (the JSON response then carries the username in the JSON parameter "username"; this value must match the "Resource Selector" in the Client configuration!)
        • Add a new "Access Token Config" of type "OAuth 2.0 Header Access Token Config" (this must be the same type as in the Client's "Access Token Config")
          • Set the "Header Prefix" to "Bearer"
      • Go into the "Authorization Server Settings" ("OAuth 2.0 Authorization Server Settings" by default):
        • Go into "Token Endpoint":
          • Go into "Client Authentication" ("Client Secret Authentication" by default):
            • Add a new "Client Secret Transmission Strategy" of type "OAuth 2.0 Parameter Client Secret". Leave its values on their defaults (the type of this plugin must match the "Token Endpoint Authentication" on the Client)

Either access the AS or the Client now to test your setup.
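The following is an added example and not Airlock IAM code: an offline mock of the three AS-side contracts the steps above configure (the entry "URL Pattern" match, a Token Endpoint that authenticates the Client with the secret as a POST form parameter, and the Bearer-protected username resource endpoint), with the Client's half of the exchange driving it. It lets you check what the Client must send and what it must expect back before the real setup is tested. The host names, client ID, secret, Redirect URL and user name are constructed placeholders; only the endpoint path and the "username" identifier come from the page.

```python
"""Offline mock of the AS-side behaviour configured above.

Added example, not Airlock IAM code.  It imitates the entry URL pattern check,
a token endpoint using "OAuth 2.0 Parameter Client Secret" (client_id and
client_secret as form fields), and the "Header Access Token Config" (prefix
Bearer) in front of the username resource.  All identifiers below are
constructed placeholders.
"""
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

AS_BASE = "https://airlock-as.iam"                     # assumed External Base URL of the AS
CLIENT_BASE = "https://airlock-client.iam"             # assumed External Base URL of the Client
CLIENT_ID = "demo-client"                              # constructed
CLIENT_SECRET = "shared-secret-for-testing-only"       # constructed
REDIRECT_URL = CLIENT_BASE + "/auth/oauth2-callback"   # assumed Redirect URL


def url_pattern(entry_url: str) -> str:
    """Build the 'URL Pattern' as the guide instructs: escape every dot, append '.*'."""
    return entry_url.replace(".", r"\.") + ".*"


def entry_url_matches(pattern: str, url: str) -> bool:
    """Whole-URL regex match.  With an unescaped dot the pattern
    'https://airlock-client.iam/auth/.*' also matches 'https://airlock-clientXiam/auth/login'."""
    return re.fullmatch(pattern, url) is not None


class MockAuthorizationServer:
    """Stand-in for the AS pieces configured above: code store, token endpoint, resource endpoint."""

    def __init__(self) -> None:
        self._codes = {}    # code -> (client_id, redirect_uri, username)
        self._tokens = {}   # access token -> (client_id, username)

    def issue_code(self, client_id: str, redirect_uri: str, username: str) -> str:
        """What the AS sends back on the Redirect URL after login (and the optional confirm page)."""
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URL:
            raise ValueError("unknown client or unregistered redirect URL")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, username)
        return code

    def token_endpoint(self, body: str) -> dict:
        """Token Endpoint with 'Parameter Client Secret': credentials arrive as form fields."""
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        secret_ok = hmac.compare_digest(form.get("client_secret", "").encode(), CLIENT_SECRET.encode())
        if form.get("client_id") != CLIENT_ID or not secret_ok:
            return {"error": "invalid_client"}
        grant = self._codes.pop(form.get("code", ""), None)   # authorization codes are single use
        if grant is None or grant[0] != form["client_id"] or grant[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (grant[0], grant[2])
        return {"access_token": token, "token_type": "Bearer", "expires_in": 300}

    def resource_endpoint(self, path: str, headers: dict) -> tuple:
        """/auth/oauth2-resource/<clientId>/username behind 'Header Access Token Config' (prefix Bearer)."""
        m = re.fullmatch(r"/auth/oauth2-resource/([^/]+)/username", path)
        if m is None:
            return 404, {}
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, {}
        grant = self._tokens.get(auth[len("Bearer "):])
        if grant is None or grant[0] != m.group(1):
            return 401, {}
        # "Identifier" = "username": the JSON key the Client's Resource Selector must name
        return 200, {"username": grant[1]}


def client_flow(server: MockAuthorizationServer, username: str) -> str:
    """The Client's half: redeem the code with the secret in the body, then read the username resource."""
    code = server.issue_code(CLIENT_ID, REDIRECT_URL, username)
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URL,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,    # parameter transmission, not a Basic auth header
    })
    token_response = server.token_endpoint(body)
    if "access_token" not in token_response:
        raise RuntimeError(token_response.get("error", "token request failed"))
    status, resource = server.resource_endpoint(
        f"/auth/oauth2-resource/{CLIENT_ID}/username",
        {"Authorization": "Bearer " + token_response["access_token"]},
    )
    if status != 200 or "username" not in resource:   # Resource Selector "username"
        raise RuntimeError(f"resource endpoint returned {status}: {resource}")
    return resource["username"]


if __name__ == "__main__":
    print(url_pattern(CLIENT_BASE + "/auth/"))
    print(client_flow(MockAuthorizationServer(), "alice"))
```

If the Client is configured with a different "Token Endpoint Authentication" (for example HTTP Basic) or a different header prefix, the mock rejects the request with invalid_client or 401, which is the same symptom a mismatch between the Client and AS plugins produces in the real setup.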