IAM as an OAuth 2.0 client example

This example shows how a mobile application will use Airlock IAM as an OAuth 2.0 client for a remote authorization server to authenticate a user. The mobile application will obtain a bearer token and use it to access a protected resource.

Figure: IAM_as_OAuth_client_REST (sequence diagram of the steps below)
  1. The mobile app tries to access the protected resource.
  2. The access fails since the mobile app is not authorized.
  3. The mobile app starts an authentication flow with Airlock IAM.
  4. The flow is configured with an SSO (single sign-on) step and therefore obtains an authorization request from the OAuth 2.0 client.
  5. The authorization request is delivered to the SSO step.
  6. The SSO step sends a response to the mobile app with nextStep set to OAUTH2_CLIENT_AUTHORIZATION_REQUIRED. This response includes the authorization request and the URL of the remote authorization server.
  7. The mobile app opens a system browser with the URL of the remote authorization server and the authorization request.
  8. The system browser connects to the remote authorization server and the user is authenticated.
    In this step, the remote authorization server will also obtain the consent of the user for the requested scopes.
  9. The authorization server provides the system browser with the authorization response. This response contains the authorization code.
  10. The system browser forwards the authorization response to the mobile client.
  11. The mobile client forwards the authorization response to the SSO step.
  12. The SSO step forwards the authorization response to the OAuth 2.0 client.
  13. The OAuth 2.0 client connects to the remote authorization server to trade the authorization code for the tokens.
  14. The remote authorization server returns an access token, a refresh token, and optionally an ID token to the OAuth 2.0 client.
  15. The OAuth 2.0 client reports success to the SSO step.
  16. The SSO step completes the authentication flow and triggers identity propagation for the target application.
  17. The mobile application receives the propagated identity and once again accesses the protected business service.
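The mobile app's part of this flow (steps 6, 7, 10 and 11), as an added illustration that is not Airlock IAM code: it turns the SSO step's response into the browser URL, then checks the redirect it gets back before forwarding the authorization response to the SSO step. The JSON shape of the step response, the parameter names and the callback URL are assumptions made for the example, not the product's documented format.

```python
"""Mobile-side handling of the SSO step's OAUTH2_CLIENT_AUTHORIZATION_REQUIRED response.

Constructed example. The step-response layout, parameter names and callback URL
are assumptions for illustration, not Airlock IAM's documented REST format.
"""
from urllib.parse import urlencode, urlparse, parse_qs

NEXT_STEP_AUTHZ_REQUIRED = "OAUTH2_CLIENT_AUTHORIZATION_REQUIRED"  # step 6

# Constructed sample of what the SSO step could return in step 6 (assumed shape).
SAMPLE_STEP_RESPONSE = {
    "nextStep": NEXT_STEP_AUTHZ_REQUIRED,
    "authorizationRequest": {
        "authorizationUrl": "https://as.example.com/oauth2/authorize",
        "parameters": {
            "response_type": "code",
            "client_id": "iam-mobile-client",
            "redirect_uri": "https://app.example.com/oauth2/callback",
            "scope": "openid profile",
            "state": "c3VwZXJyYW5kb21zdGF0ZQ",
        },
    },
}


def build_browser_url(step_response):
    """Step 7: build the URL the system browser opens from the SSO step response.
    Returns (url, state); the app keeps state locally to check the redirect later."""
    if step_response.get("nextStep") != NEXT_STEP_AUTHZ_REQUIRED:
        raise ValueError("unexpected nextStep: %r" % step_response.get("nextStep"))
    req = step_response["authorizationRequest"]
    params = req["parameters"]
    return req["authorizationUrl"] + "?" + urlencode(params), params["state"]


def handle_authorization_response(redirect_url, expected_state):
    """Steps 10-11: parse the redirect delivered by the system browser and build the
    authorization response the app forwards, unchanged, to the SSO step.
    A state mismatch or an error parameter aborts instead of forwarding."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this flow")
    if "error" in query:
        raise ValueError("authorization server returned error: %s" % query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    # The app never redeems the code itself; IAM's OAuth 2.0 client does that (step 13).
    return {"code": code, "state": state}
```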