The instruction lists in this chapter apply to the Loginapp REST API only.
Procedure-related prerequisites
- The previously described configuration steps have been carried out.
- You need to be logged in to the Airlock IAM Adminapp and be able to access the Config Editor.
- The credentials for the connection to the remote authorization server must be available.
Basic Settings
- Go to and, if necessary, create: Loginapp >> OAuth 2.0/OIDC Clients >> OAuth 2.0 Flow Client
- Provider identifier must hold the identifier of the remote authorization server.
- Client ID holds the identifier which Airlock IAM uses as a client at the remote authorization server.
- Client Secret is a string generated by the remote authorization server when Airlock IAM is registered as a client. This string is used as the client's password.
- Airlock IAM can successfully connect to the OAuth 2.0 REST endpoints of the remote authorization server
To retain existing account links when migrating from the JSP-Loginapp to the Login REST UI, the OAuth 2.0 or OIDC client settings can be configured with the identical Provider Identifier.
The OAuth 2.0 or OIDC client settings of both providers must then be configured identically, so that all account links connect to the same remote authorization server for authentication.
Authorization Request
- Authorization Endpoint URL must hold the URL of the authorize endpoint of the remote authorization server.
- Scope To Request contains a list of all scopes the remote authorization server should supply.
- Client Redirect URI is used by the remote authorization server after successful authentication of the user to deliver the authorization code. Choose a plugin from the following table:
- Airlock IAM can successfully start the authorize call and receive an authorization code.
Plugin | Redirect URI properties |
---|---|
OAuth 2.0 REST UI Client Redirect URI | This is the default setting. It contains the external base URL of IAM as it must be used by the remote authorization server. IAM will complete the base URL with the correct path for the client. |
OAuth 2.0 Custom Client Endpoint Redirect URI | Use this setting to hardcode an absolute URL to be used by the remote authorization server. |
OAuth 2.0 Legacy Client Endpoint Redirect URI | Use this setting for backward compatibility if the remote authorization server configuration cannot be changed. It contains the external base URL of IAM as it must be used by the remote authorization server. IAM will complete the base URL with the correct legacy path for the client. This plugin requires that the Legacy Client Endpoint Setting in the OAuth 2.0/OIDC Client plugin is configured. |
OAuth 2.0 No Redirect URI | Use this plugin if the remote authorization server should default to the already registered redirect URI. |
Access Token Request
- HTTP Client must hold an HTTP Client Config plugin that configures the HTTP connection to the remote authorization server.
- Token Endpoint Authentication defines the method by which IAM, as a client, authenticates to the remote authorization server. The following methods are supported:
- Token Endpoint URL configures the token endpoint of the remote authorization server, where the authorization code is supplied and access and refresh tokens are obtained.
- Access Token Request Method defines how the request for access and refresh tokens is to be sent to the remote authorization server.
- Airlock IAM can request access and refresh tokens from the remote authorization server.
Plugin | Authentication Method |
---|---|
OAuth 2.0 Basic Auth Client Secret | Basic Auth is used to supply the credentials. |
OAuth 2.0 Header Client Secret | Use this method if the remote authorization server requires a special header or format to be used. |
OAuth 2.0 No Client Secret Authentication | This will omit authentication with the remote authorization server. |
OAuth 2.0 Parameter Client Secret | Use this method if the remote authorization server requires the credentials to be supplied as parameters in the request URL. |
Resource Mappings
- Resource Requests holds at least one OAuth 2.0 SSO Resource Request plugin.
- Go to: OAuth 2.0 SSO Resource Request plugin
- Resource URL defines the URL of the remote server to which the resource request is sent. This is often the remote authorization server.
- Contained Resources defines how the attributes retrieved from the remote server are interpreted:
- Request Method defines whether GET or POST is used.
- Access Token Config defines if the access token is sent as an HTTP header or as a parameter to the remote authorization server.
- Airlock IAM can successfully map the attributes retrieved from the remote authorization server to the local user, roles, and context data items.
Plugin | Resource mapping |
---|---|
OAuth 2.0 Remote Username Resource | Must be defined exactly once. Defines which attribute of the remote authorization server is used to identify the local user. |
OAuth 2.0 Remote Context Data Resource | May be defined zero or more times. Defines the mapping of attributes of the remote authorization server to local context data items. Optionally allows strings to be transformed. |
OAuth 2.0 Remote User Role Resource | May be defined zero or more times. Defines which attribute of the remote authorization server is merged with the local roles. If multiple plugins are configured, all the retrieved attributes are merged with the local roles. |
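The following added example (not Airlock IAM code; written for this page) shows what the Access Token Request and Resource Mappings sections above amount to on the wire and in the mapping step: which of the Token Endpoint Authentication plugins puts the client secret where, and how one Remote Username Resource, several Remote User Role Resources and a Remote Context Data Resource are applied to a single attribute response. Client ID, secret, redirect URI and the sample attributes are constructed placeholders.

```python
import base64
from typing import Dict, List, Tuple

# Constructed placeholder values (not real credentials, servers or IAM paths).
CLIENT_ID = "airlock-iam"
CLIENT_SECRET = "client-secret-from-registration"
REDIRECT_URI = "https://iam.example.test/oauth2/callback"


def build_token_request(method: str, code: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (headers, form parameters) of the access-token request sent to the
    Token Endpoint URL. `method` mirrors the Token Endpoint Authentication
    plugins: "basic" (Basic Auth Client Secret), "parameter" (Parameter Client
    Secret: credentials as request parameters) and "none" (No Client Secret
    Authentication: only client_id is sent, no secret at all)."""
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": REDIRECT_URI}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "basic":
        raw = f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    elif method == "parameter":
        params.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    elif method == "none":
        params["client_id"] = CLIENT_ID  # public client: nothing secret is sent
    else:
        raise ValueError(f"unsupported Token Endpoint Authentication: {method}")
    return headers, params


def map_resources(attrs: Dict, username_attr: str, role_attrs: List[str],
                  context_map: Dict[str, str], local_roles: List[str]):
    """Interpret a resource response the way the three resource plugins do:
    exactly one Remote Username Resource, zero or more Remote User Role
    Resources (each merged into the local roles, without duplicates) and zero
    or more Remote Context Data Resources (remote attribute -> local item)."""
    if username_attr not in attrs:
        raise KeyError(f"username attribute {username_attr!r} not in response")
    roles = list(local_roles)
    for attr in role_attrs:
        for role in attrs.get(attr, []):
            if role not in roles:
                roles.append(role)
    context = {local: attrs[remote]
               for remote, local in context_map.items() if remote in attrs}
    return attrs[username_attr], roles, context


# Constructed sample attribute response, as a Resource URL might return it.
SAMPLE_ATTRS = {"preferred_username": "alice", "groups": ["hr", "finance"],
                "entitlements": ["finance", "auditor"],
                "email": "alice@example.test", "locale": "de-CH"}
```

Run `map_resources(SAMPLE_ATTRS, "preferred_username", ["groups", "entitlements"], {"email": "mail"}, ["user"])` to see the merged role list and the context-data item; a response without the username attribute is rejected, matching the "exactly once" rule for the Remote Username Resource.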
Further information and links
- This feature is a prerequisite for Account linking overview
- Configuration of account linking persister and consistency
- OAuth 2.0 SSO configuration example IAM to IAM (client-centric) provides information on how to configure IAM to be used as authorization server and OAuth 2.0 / OIDC client with Loginapp (JSP).