Using the flow authentication API with Airlock Gateway sessions

This article describes a generic API request flow in which a client's mobile application obtains authenticated access to an application backend protected by Airlock IAM and Airlock Gateway.

  • The end user (REST client) is authenticated using the REST Auth API (Loginapp).
  • After successful authentication, Airlock Gateway credentials are stored in the Gateway session. As long as the client presents the Gateway session cookie on each request, subsequent calls to the protected REST service are possible without further interaction with Airlock IAM for the lifetime of the session.
  • Once the Gateway session has timed out, the stored credentials are gone with it. The next request to the protected service is passed to the IAM One-Shot end-point, which answers with HTTP 401 so that the client knows it has to authenticate again.
  • The example uses username/password authentication only (no second factor).

The IAM One-Shot end-point (see HTTP request authentication (One-Shot flow)) serves only to return the HTTP 401 response and thereby prompt the REST client to call the authentication API again; it does not itself authenticate the request.

An alternative way to return the HTTP 401 is to replace the Gateway's 401 error page with an .asis response, so that the Gateway itself answers with HTTP 401 and no One-Shot call to IAM is needed.
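The following is an added example and not code from Airlock or this article: it simulates the whole exchange in-process so it can be run offline. GatewaySim stands in for Airlock Gateway (session store with idle timeout) together with the IAM Loginapp REST API and the One-Shot end-point; RestClient is the mobile client, which keeps the Gateway session cookie and, on HTTP 401, authenticates once and retries once. The URL paths, JSON field names, status codes, cookie name and the test account are assumptions, not the product's documented API.

```python
# Added example, not Airlock code: the session flow above simulated in-process.
# Paths, JSON fields, status codes and the cookie name are assumptions.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field

AUTH_PATH = "/auth/rest/public/authentication/authenticate"  # assumed Loginapp path
PROTECTED_PATH = "/api/account"                               # hypothetical backend
SESSION_COOKIE = "AL_SESS-S"                                  # assumed cookie name
USERS = {"alice": "correct horse battery staple"}             # constructed account


@dataclass
class Response:
    status: int
    body: dict
    set_cookie: dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    last_seen: float
    credentials: str | None = None  # set by IAM after a successful login


class GatewaySim:
    """Gateway + IAM stand-in: idle-expiring sessions, One-Shot answers 401."""

    def __init__(self, idle_timeout: float, clock=time.monotonic):
        self.idle_timeout, self.clock = idle_timeout, clock
        self.sessions: dict[str, Session] = {}

    def _session(self, cookies: dict[str, str]) -> tuple[str, Session]:
        now = self.clock()
        sid = cookies.get(SESSION_COOKIE)
        sess = self.sessions.get(sid) if sid else None
        if sess is not None and now - sess.last_seen > self.idle_timeout:
            del self.sessions[sid]  # timeout: credentials vanish with the session
            sess = None
        if sess is None:
            sid, sess = secrets.token_urlsafe(24), Session(last_seen=now)
            self.sessions[sid] = sess
        sess.last_seen = now
        return sid, sess

    def handle(self, method: str, path: str, cookies: dict[str, str],
               body: dict | None = None) -> Response:
        sid, sess = self._session(cookies)
        cookie = {SESSION_COOKIE: sid}
        if method == "POST" and path == AUTH_PATH:
            return self._loginapp(sess, body or {}, cookie)
        if method == "GET" and path == PROTECTED_PATH:
            if sess.credentials is None:
                # One-Shot end-point: only tells the client "authenticate first"
                return Response(401, {"error": "authentication required"}, cookie)
            return Response(200, {"user": sess.credentials, "balance": 42}, cookie)
        return Response(404, {}, cookie)

    @staticmethod
    def _loginapp(sess: Session, body: dict, cookie: dict[str, str]) -> Response:
        user, pw = body.get("username", ""), body.get("password", "")
        if user in USERS and secrets.compare_digest(USERS[user], pw):
            sess.credentials = user  # Gateway credentials now live in the session
            return Response(200, {"status": "DONE"}, cookie)
        return Response(401, {"status": "FAILED"}, cookie)


class RestClient:
    """Mobile-client side: keeps the Gateway cookie, re-authenticates once on 401."""

    def __init__(self, gw: GatewaySim, username: str, password: str):
        self.gw, self.username, self.password = gw, username, password
        self.cookies: dict[str, str] = {}
        self.logins = 0  # how often the client had to talk to IAM

    def _send(self, method: str, path: str, body: dict | None = None) -> Response:
        resp = self.gw.handle(method, path, self.cookies, body)
        self.cookies.update(resp.set_cookie)  # always carry the session cookie
        return resp

    def login(self) -> bool:
        self.logins += 1
        resp = self._send("POST", AUTH_PATH,
                          {"username": self.username, "password": self.password})
        return resp.status == 200 and resp.body.get("status") == "DONE"

    def get_protected(self) -> Response:
        resp = self._send("GET", PROTECTED_PATH)
        if resp.status == 401:  # no or expired session: log in once, retry once
            if not self.login():
                return resp  # never loop on a failing login
            resp = self._send("GET", PROTECTED_PATH)
        return resp


def demo(idle_timeout: float = 600.0) -> tuple[int, int, int, int]:
    """Three calls (before login, inside the session, after the timeout);
    returns their status codes and the number of IAM logins needed."""
    clock = [0.0]
    gw = GatewaySim(idle_timeout, clock=lambda: clock[0])
    client = RestClient(gw, "alice", USERS["alice"])
    first = client.get_protected()    # 401 from One-Shot -> login -> 200
    clock[0] += idle_timeout / 2
    second = client.get_protected()   # session alive: 200 without any IAM call
    clock[0] += idle_timeout + 1
    third = client.get_protected()    # expired: 401 -> login -> 200
    return first.status, second.status, third.status, client.logins  # (200, 200, 200, 2)
```

Two details matter for a real client: the session cookie returned by the Gateway has to be stored and sent with every request (otherwise each call lands on the One-Shot end-point and yields a 401), and the retry after a 401 must be bounded, since a client that re-authenticates in a loop on a failing login would hammer IAM and lock the account.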