The following flow diagram shows how a request sent by a Tech-Client is processed by the Airlock Gateway when applying access control based on API keys.
Prerequisites
- The Tech-Client is in possession of an API key issued by Airlock IAM.
- The API key is not locked.
- The API key is valid.
- The Tech-Client is not locked.
- The Tech-Client has the corresponding plans (rights) to access the protected service.
Request processing
(1) | The Tech-Client sends a request bearing an API key to the Airlock Gateway. |
(2) | The request may be authenticated in terms of roles (One-Shot, redirect-based, or another method). Note that this step is independent of the Tech-Client identification based on the API key. |
(3) | The API key is extracted from the request according to the configuration. The API key is looked up in the cache: if the cache contains valid Tech-Client information, steps (4) through (7) are skipped. |
(4) | The API key is sent to the API Policy Service of Airlock IAM in order to retrieve Tech-Client information. |
(5) | The API Policy Service looks up the Tech-Client given the API key and checks if the Tech-Client is locked. |
(6) | The API Policy Service returns Tech-Client attributes: a unique ID and the assigned plans and rate limits. |
(7) | The Airlock Gateway stores the Tech-Client attributes in the cache to optimize performance for subsequent requests. The cache timeout is configurable. |
(8) | The Airlock Gateway applies access restrictions based on the Tech-Client information (plans, rate limits). The Tech-Client ID is used for logging and reporting. |
(9) | The API request is forwarded to the protected service together with the Tech-Client ID. |
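The following added example models the gateway side of steps (3) through (9) in Python; it is not Airlock code. The API Policy Service is replaced by an in-process lookup over constructed sample data, and the header names X-API-Key and X-Tech-Client-Id, the cache TTL and the per-client request counter are assumptions used to illustrate the cache-hit path, the locked-client case, the plan check and the rate limit.

```python
import time

# Constructed stand-in for the Airlock IAM API Policy Service (steps 5 and 6);
# keys, IDs, plans and limits are made-up sample data.
POLICY_DB = {
    "key-abc":    {"id": "tc-42", "locked": False, "plans": {"orders"}, "rate_limit": 2},
    "key-locked": {"id": "tc-99", "locked": True,  "plans": {"orders"}, "rate_limit": 5},
}

def policy_service_lookup(api_key):
    """Resolve an API key to Tech-Client attributes; None if unknown or locked."""
    rec = POLICY_DB.get(api_key)
    if rec is None or rec["locked"]:
        return None
    return {"id": rec["id"], "plans": rec["plans"], "rate_limit": rec["rate_limit"]}

class Gateway:
    """Minimal model of the gateway side of the flow (steps 3, 7, 8 and 9)."""
    def __init__(self, cache_ttl=60.0, clock=time.monotonic):
        self.cache_ttl, self.clock = cache_ttl, clock
        self.cache = {}      # api_key -> (attributes, expiry time)
        self.counters = {}   # tech-client id -> requests seen (toy rate limit)
        self.log = []        # tech-client ids, as used for logging/reporting
        self.policy_calls = 0

    def _resolve(self, api_key):
        entry = self.cache.get(api_key)
        if entry and entry[1] > self.clock():   # cache hit: steps 4-7 are skipped
            return entry[0]
        self.policy_calls += 1
        attrs = policy_service_lookup(api_key)  # steps 4-6
        if attrs is not None:                   # step 7: only valid info is cached
            self.cache[api_key] = (attrs, self.clock() + self.cache_ttl)
        return attrs

    def handle(self, headers, required_plan):
        api_key = headers.get("X-API-Key")      # step 3: header name is an assumption
        if not api_key:
            return 401, None
        attrs = self._resolve(api_key)
        if attrs is None:
            return 403, None                    # unknown or locked Tech-Client
        tcid = attrs["id"]
        self.log.append(tcid)                   # step 8: ID used for logging/reporting
        if required_plan not in attrs["plans"]:
            return 403, None                    # required plan (right) missing
        self.counters[tcid] = self.counters.get(tcid, 0) + 1
        if self.counters[tcid] > attrs["rate_limit"]:
            return 429, None                    # rate limit exceeded
        return 200, dict(headers, **{"X-Tech-Client-Id": tcid})  # step 9 (assumed header)
```

Note that a negative lookup (unknown or locked key) is never cached, so a client that is locked in IAM is rejected on the very next miss rather than after the TTL.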