Requirements
Component | Requirement | Comments |
---|---|---|
Airlock IAM | | For licensing: |
This example shows how to configure and use the REST authentication flow for mobile-only (single device) authentication.
The following procedures are examples and will vary according to your setup or needs.
Loginapp >> Applications and Authentication >> Default Application >> Authentication Flow
For simplicity, the configuration instructions and usage examples are given for the default application within the Loginapp REST API's Authentication API Settings. Therefore, no application selection REST calls are shown.
First, the username and password are checked:
Request:
POST /rest/public/authentication/password/check/
{
  "username": "jdoe",
  "password": "password1"
}
If the first authentication step succeeds, the second authentication step (in our example, the Airlock 2FA Mobile Only Authentication Step) is initiated. In its response, it asks the REST client to get a mobile-only challenge.
HTTP/1.1 200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-08-25T15:17:12.463+02:00"
  },
  "data": {
    "type": "authentication.session",
    "id": "722111127646085506",
    "attributes": {
      "nextAuthStep": "AIRLOCK_2FA_MOBILE_ONLY_CHALLENGE_RETRIEVAL_REQUIRED"
    }
  }
}
The following request gets the challenge:
POST /rest/public/authentication/airlock-2fa/mobile-only/challenge/retrieve/
The response contains the challenge:
HTTP/1.1 200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-08-25T15:19:53.782+02:00"
  },
  "data": {
    "type": "authentication.airlock-2fa.mobile-only.challenge",
    "id": "534562829",
    "attributes": {
      "mobileAuthUri": "airlock2fa://auth?session_token=RClVS1rViqAmBrr0CYog-9gDAcZe2CDXG9bXAyovPOSk&user_id=f88d7cc1-d34d-4978-87f7-a038a9d4d5af"
    }
  }
}
The mobileAuthUri is a URI containing an authentication session token and a user ID. Both are passed either to the Airlock 2FA app using app-to-app communication or to the Futurae app SDK.
In both cases, the app directly communicates with the Futurae cloud to perform authentication.
The REST client may repeatedly ask IAM whether the authentication has finished and whether it was successful.
POST /rest/public/authentication/airlock-2fa/status/poll/
As long as the authentication request is still pending, IAM will return:
HTTP/1.1 200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-08-25T15:38:02.070+02:00"
  },
  "data": {
    "type": "authentication.session",
    "id": "201723161354420478",
    "attributes": {
      "nextAuthStep": "AIRLOCK_2FA_POLLING_REQUIRED"
    }
  }
}
If the user approves the authentication request, the authentication flow successfully ends with:
HTTP/1.1 200 OK
{
  "meta": {
    "type": "jsonapi.metadata.document",
    "timestamp": "2020-08-24T10:08:25.196+02:00"
  },
  "data": {
    "type": "authentication.session",
    "id": "201723161354420478",
    "attributes": {}
  }
}
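The whole flow above, from password check to the final poll, as a client-side state machine. This is an added example, not Airlock's own code: `post`, `hand_to_app`, `max_polls` and `fake_iam` are hypothetical names, and the `fake_iam` responses are constructed from the ones shown on this page. It assumes the mobileAuthUri always has the `airlock2fa://auth` form shown above, and it fails closed on any `nextAuthStep` it does not expect.

```python
from urllib.parse import urlsplit, parse_qs
BASE = "/rest/public/authentication"
RETRIEVE = "AIRLOCK_2FA_MOBILE_ONLY_CHALLENGE_RETRIEVAL_REQUIRED"
POLL = "AIRLOCK_2FA_POLLING_REQUIRED"

def parse_mobile_auth_uri(uri):
    """Return (session_token, user_id); reject any target but airlock2fa://auth."""
    parts = urlsplit(uri)
    if parts.scheme != "airlock2fa" or parts.netloc != "auth":
        raise ValueError("unexpected mobileAuthUri target")
    query = parse_qs(parts.query, strict_parsing=True)
    return query["session_token"][0], query["user_id"][0]

def next_step(response):
    """nextAuthStep of a response body, or None once the flow has ended."""
    return response["data"]["attributes"].get("nextAuthStep")

def authenticate(post, username, password, hand_to_app, max_polls=30):
    """Drive the flow; post(path, body) is a hypothetical transport that returns
    the decoded JSON body and carries the session state between calls."""
    step = next_step(post(BASE + "/password/check/", {"username": username, "password": password}))
    if step != RETRIEVE:  # fail closed on any step this client does not handle
        raise RuntimeError(f"unexpected step after password check: {step}")
    challenge = post(BASE + "/airlock-2fa/mobile-only/challenge/retrieve/", None)
    hand_to_app(*parse_mobile_auth_uri(challenge["data"]["attributes"]["mobileAuthUri"]))
    for _ in range(max_polls):  # bounded; a real client also waits between polls
        step = next_step(post(BASE + "/airlock-2fa/status/poll/", None))
        if step is None:
            return True  # empty attributes: flow ended successfully
        if step != POLL:
            raise RuntimeError(f"unexpected step while polling: {step}")
    return False  # still pending after max_polls: treat as not authenticated

def fake_iam(pending_polls):
    """Constructed stand-in for IAM, modelled on the responses shown above."""
    def session(step=None):
        return {"data": {"attributes": {"nextAuthStep": step} if step else {}}}
    polls = iter([session(POLL)] * pending_polls + [session()])
    def post(path, body):
        if path.endswith("/password/check/"):
            return session(RETRIEVE)
        if path.endswith("/challenge/retrieve/"):
            return {"data": {"attributes": {"mobileAuthUri":
                "airlock2fa://auth?session_token=CONSTRUCTED&user_id=constructed-user"}}}
        return next(polls)
    return post

if __name__ == "__main__":
    print(authenticate(fake_iam(2), "jdoe", "password1", lambda token, user: None))
```

The session token in the URI is a credential for the pending authentication, so `hand_to_app` should pass it on without writing it to logs.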