Session-less protected REST APIs

This article describes session-less services in the Loginapp REST API's protected REST API.

It applies to the following end-points:
All end-points under: /protected/my/.
The end-point /protected/secret-questions.

For most of the session-less protected REST APIs, there is a corresponding flow-based API in the Protected self-service REST APIs.
Whenever possible, prefer the flow-based variant over the services listed here.

Authentication and authorization

Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:

Loginapp >> REST Settings >> Request Authentication and Request Authorization.

Request Authentication: Defines how users or REST clients are authenticated (e.g. Basic Auth, client certificates, or OAuth tokens).

See Authentication of REST requests for more information about request authentication.

Access Controller: Defines what services are accessible by the authenticated user or REST client.

The following plugins are available:
"Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like " IF $user has role 'admin' THEN allow POST on path /protected/xxx")
"Enabling All Access Controller": use this plugin to disable authorization and allow all services to authenticated users.

You may use the Airlock Gateway (WAF)'s one-shot authentication flow to secure the protected API upfront.

This has the following security advantages:
Authentication enforcement and coarse-grained access control are done on the Airlock Gateway (WAF)
The API may be strictly enforced using the Airlock Gateway (WAF)s "API enforcement" feature

To do so, proceed as follows:

Setup the one-shot authentication flow according to HTTP request authentication (Airlock One-Shot flow)
Use an identity propagator to transport the verified user identity to the IAM REST API
Use a request authentication plugin to authenticate the propagated identity.
On the Airlock Gateway (WAF), create a separate mapping for the protected APS (as described in Airlock Gateway for Airlock IAM configuration)

Enable API Enforcement
Restrict access to specific roles.

Service List

Service	Description	Configuration Path in Config Editor*
Password Change and Reset	Allows a user to change or reset the password.	User Self-Service Settings >> Password Settings
Email Change	Allows a user to change the stored email address. Involves sending an email to the user with a verification link or code.	User Self-Service Settings >> Email Self-Service
mTAN Self-Service	List stored MTAN numbers (mobile phone numbers), change MTAN meta-data (e.g. label), and change MTAN number (involves sending an OTP to the new number, and verifying it).	User Self-Service Settings >> mTAN Self-Service
Cronto Self-Service	Self-service to order Cronto activation letters.	User Self-Service Settings >> Cronto Self-Service
Secret Questions	List possible questions and store answers to secret questions.	User Token Settings >> Secret Question Settings
Device Token Registration	See Device tokens - REST authentication API.	User Token Settings >> Device Registration Settings
User Information	Returns information about the authenticated user.	User Self-Service Settings >> mTAN Self-Service