Authentication of REST requests

REST clients must be authenticated to access protector REST APIs in Airlock IAM. This article explains how REST clients are authenticated and where to configure this.

In general, REST request authentication is not about authenticating end-users. It is about authenticating the entity sending REST requests to an Airlock IAM REST API.

Usage and configuration location

The following table shows where REST request authentication is implemented in Airlock IAM and how to find the relevant configuration settings.





All parts of the Admin REST API are accessible only after authenticating the REST client.

See Adminapp REST API.

Adminapp >> REST API Configuration >> Request Authentication

Transaction Approval

Access to the transaction approval requires authenticating the REST client (e.g. e-banking system).

See Authentication of the delegating entity

Transaction Approval >> Request Authentication

Loginapp (protected APIs only)

The Login REST API is divided into two parts: publicly accessible APIs and protected APIs. The protected APIs require upfront authentication, typically by going through an authentication flow.

However, a small part of the protected Loginapp REST API is also accessible after successful request authentication.

See Session-less protected REST APIs.

Loginapp >> Session-less REST Endpoints >> Request Authentication

Supported request authentication types

The following table lists all supported request authentication types and provides some overview information. For more information, refer to the plugin and property documentation in the Config Editor.

Plugin name


Basic Auth Request Authentication

Accepts a username and a password in HTTP Basic Auth header and verifies it using configured password repository (e.g. IAM database, MSAD, LDAP)

Client Certificate (X.509) Request Authentication

Verifies the X.509 client certificate involved in the TLS handshake and extracts user information from it.

Denying Request Authentication

Used to deny access to the REST API altogether.

OAuth 2.0 Token Request Authentication

Validates OAuth 2.0 access tokens issued by an IAM authorization server.

SSO Ticket Request Authentication

Extracts an arbitrary single sign-on (SSO) token from either an HTTP header or a cookie and uses it to authenticate the request. It supports various types of SSO tokens.

Static Request Authentication

Uses the configured username and roles. May be used for testing or if authentication is implemented at the network level (network access guarantees that the REST client is entitled to access the APIs).