REST clients must be authenticated to access protector REST APIs in Airlock IAM. This article explains how REST clients are authenticated and where to configure this.
In general, REST request authentication is not about authenticating end-users. It is about authenticating the entity sending REST requests to an Airlock IAM REST API.
The following table shows where REST request authentication is implemented in Airlock IAM and how to find the relevant configuration settings.
REST API | Description | Configuration |
|---|---|---|
Adminapp | All parts of the Admin REST API are accessible only after authenticating the REST client. See Adminapp REST API. | Adminapp >> REST API Configuration >> Request Authentication |
Transaction Approval | Access to the transaction approval requires authenticating the REST client (e.g. e-banking system). | Transaction Approval >> Request Authentication |
Loginapp (protected APIs only) | The Login REST API is divided into two parts: publicly accessible APIs and protected APIs. The protected APIs require upfront authentication, typically by going through an authentication flow. However, a small part of the protected Loginapp REST API is also accessible after successful request authentication. | Loginapp >> Session-less REST Endpoints >> Request Authentication |
The following table lists all supported request authentication types and provides some overview information. For more information, refer to the plugin and property documentation in the Config Editor.
Plugin name | Description |
|---|---|
Basic Auth Request Authentication | Accepts a username and a password in HTTP Basic Auth header and verifies it using configured password repository (e.g. IAM database, MSAD, LDAP) |
Client Certificate (X.509) Request Authentication | Verifies the X.509 client certificate involved in the TLS handshake and extracts user information from it. |
Denying Request Authentication | Used to deny access to the REST API altogether. |
OAuth 2.0 Token Request Authentication | Validates OAuth 2.0 access tokens issued by an IAM authorization server. |
SSO Ticket Request Authentication | Extracts an arbitrary single sign-on (SSO) token from either an HTTP header or a cookie and uses it to authenticate the request. It supports various types of SSO tokens. |
Static Request Authentication | Uses the configured username and roles. May be used for testing or if authentication is implemented at the network level (network access guarantees that the REST client is entitled to access the APIs). |