Configuration using JWT bearer tokens

This article describes how to configure Airlock IAM and Airlock Gateway for using JWT bearer tokens with one-shot authentication.

Client authentication and identity propagation in Airlock IAM

To enable header-based session tracking in Airlock Gateway, consider the following example (expert settings in a mapping):

Session.Tracking.HeaderToken.Enable                               "TRUE"
Session.Tracking.HeaderToken.Response.Header.Name                 "Access-Token"
Session.Tracking.HeaderToken.Request.Header.Name                  "Authorization"
Session.Tracking.HeaderToken.Request.Header.Value.Pattern         "^Bearer ([[:graph:]]+)$"
Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase      "TRUE"
Session.Tracking.HeaderToken.Request.Header.Value.Template        "$1"
  • Add a target application for the protected service and configure it (authentication flow, Airlock Gateway roles/credentials). 
    • In the target application configuration, configure identity propagation such that a JWT is sent to the REST client:
      • Use an HTTP Response Header Identity Propagator plugin (within the REST Identity Propagator).
      • Headers: use plugin Encoded User Data Response Header.
      • Header name: do not use the same header as configured for session tracking in Airlock Gateway (see above).
      • Ticket Service: use the Mapping Ticket Service and add the desired information to it (remember that it gets sent to the REST client!)
      • Ticket Encoder: use the JWT Ticket Encoder with adequate cryptographic protection (signature and/or encryption). Choose a reasonably short validity period.

One-Shot end-point in IAM

Go to: Loginapp >> Airlock One-Shot Authentication

Add a target application for the protected service and configure it as follows:

  • Credential Extractor: use plugin HTTP Header Token Extractor (as SSO Credential) with the JWT Ticket Encoder.
  • Authenticator: use the plugin SSO Credential Authenticator.
  • Failure Responses: configure responses as desired - always use responses of type FINAL_RESPONSE 
  • Identity Propagator: as required by back-end application
  • URL pattern: according to the back-end application
  • Header Value Conversion Pattern and Header Value Conversion Replacement: optionally configure a string conversion of the header (i.e. to remove the token name).
  • Shared One-Shot Configuration

    The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

Airlock Gateway Configuration

  • Make sure there is an IAM mapping and One-Shot Functionality is enabled in the allow rule list.
  • Add a Gateway mapping for the service/API to be protected
    • Set Denied access URL to /<iam-mapping-entry-path>/login-oneshot.
    • From the Authentication flow drop-down, select One-Shot.
  • Enable Bearer Token Session Tracking on the IAM mapping and on the mappings of the protected services: see above
  • JWTs can become quite large. Therefore it is advisable to increase the maximum length of the session tracking header in the Airlock Gateway (Mapping Security Gate Expert Settings):

    Session.Tracking.ExternalToken.MaxLength                  "1024"