Configuration using JWT bearer tokens

This article describes how to configure Airlock IAM and Airlock Gateway for using JWT bearer tokens with one-shot authentication.

Client authentication and identity propagation in Airlock IAM

To enable header-based session tracking in Airlock Gateway, consider the following example (expert settings in a mapping):

Session.Tracking.HeaderToken.Enable                               "TRUE"
Session.Tracking.HeaderToken.Response.Header.Name                 "Access-Token"
Session.Tracking.HeaderToken.Request.Header.Name                  "Authorization"
Session.Tracking.HeaderToken.Request.Header.Value.Pattern         "^Bearer ([[:graph:]]+)$"
Session.Tracking.HeaderToken.Request.Header.Value.IgnoreCase      "TRUE"
Session.Tracking.HeaderToken.Request.Header.Value.Template        "$1"

  • Add a target application for the protected service and configure it (authentication flow, Airlock Gateway roles/credentials).
    • In the target application configuration, configure identity propagation such that a JWT is sent to the REST client:
      • Use an HTTP Response Header Identity Propagator plugin (within the REST Identity Propagator).
      • Headers: use plugin Encoded User Data Response Header.
      • Header name: do not use the same header as configured for session tracking in Airlock Gateway (see above).
      • Ticket Service: use the Mapping Ticket Service and add the desired information to it (remember that it gets sent to the REST client!)
      • Ticket Encoder: use the JWT Ticket Encoder with adequate cryptographic protection (signature and/or encryption). Choose a reasonably short validity period.

One-Shot end-point in IAM

Go to: Loginapp >> One-Shot Authentication

Add a target application for the protected service and configure it as follows:

  • Credential Extractor: use plugin HTTP Header Token Extractor (as SSO Credential) with the JWT Ticket Encoder.
  • Authenticator: use the plugin SSO Credential Authenticator.
  • Failure Responses: configure responses as desired; always use responses of type FINAL_RESPONSE.
  • Identity Propagator: as required by back-end application
  • URL pattern: according to the back-end application
  • Header Value Conversion Pattern and Header Value Conversion Replacement: optionally configure a string conversion of the header value (e.g. to strip the token name prefix).
  • Shared One-Shot Configuration

    The one-shot settings can be used for multiple protected services. Choose the URL pattern property to match all services for which the same settings apply.

Airlock Gateway Configuration

  • Make sure there is an IAM mapping and One-Shot Functionality is enabled in the allow rule list.
  • Add a Gateway mapping for the service/API to be protected
    • Set Denied access URL to /<iam-mapping-entry-path>/login-oneshot.
    • From the Authentication flow drop-down, select One-Shot.
  • Enable Bearer Token Session Tracking on the IAM mapping and on the mappings of the protected services (see the expert settings above).
  • JWTs can become quite large. Therefore it is advisable to increase the maximum length of the session tracking header in the Airlock Gateway (Mapping Security Gate Expert Settings):

    Session.Tracking.ExternalToken.MaxLength                  "1024"
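The following is an added example, not Airlock code: a small model of how the expert settings above act on an incoming request, so the values (pattern, IgnoreCase, template, MaxLength) can be checked before they are deployed. The settings dict mirrors the names from this page; the JWT string and the header-conflict helper are constructed for illustration.

```python
import re

P = "Session.Tracking.HeaderToken."
# Constructed mirror of the expert settings shown on this page.
GATEWAY_SETTINGS = {
    P + "Enable": "TRUE",
    P + "Response.Header.Name": "Access-Token",
    P + "Request.Header.Name": "Authorization",
    P + "Request.Header.Value.Pattern": r"^Bearer ([[:graph:]]+)$",
    P + "Request.Header.Value.IgnoreCase": "TRUE",
    P + "Request.Header.Value.Template": "$1",
    "Session.Tracking.ExternalToken.MaxLength": "1024",
}

def _to_python_regex(posix_pattern: str) -> str:
    # Python's re has no POSIX classes; [[:graph:]] is any visible ASCII
    # character (0x21-0x7E), so spaces and control characters never match.
    return posix_pattern.replace("[[:graph:]]", "[!-~]")

def extract_session_token(settings: dict, request_headers: dict):
    """Return (token, reason): the token the tracking config would accept, or None."""
    if settings[P + "Enable"].upper() != "TRUE":
        return None, "header token tracking disabled"
    name = settings[P + "Request.Header.Name"]
    value = next((v for k, v in request_headers.items() if k.lower() == name.lower()), None)
    if value is None:
        return None, f"no {name} header in request"
    flags = re.IGNORECASE if settings[P + "Request.Header.Value.IgnoreCase"].upper() == "TRUE" else 0
    m = re.match(_to_python_regex(settings[P + "Request.Header.Value.Pattern"]), value, flags)
    if not m:
        return None, "header value does not match Value.Pattern"
    # Template "$1" selects the first capture group, i.e. the bare token.
    token = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))),
                   settings[P + "Request.Header.Value.Template"])
    max_len = int(settings["Session.Tracking.ExternalToken.MaxLength"])
    if len(token) > max_len:
        return None, f"token length {len(token)} exceeds MaxLength {max_len}"
    return token, "ok"

def identity_header_conflicts(settings: dict, iam_propagation_header: str) -> bool:
    """True if the IAM identity-propagation header collides with a tracking header."""
    tracked = {settings[P + "Response.Header.Name"], settings[P + "Request.Header.Name"]}
    return iam_propagation_header.lower() in {h.lower() for h in tracked}

# Constructed sample JWT (not a real signed token).
SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"
```

Run `extract_session_token(GATEWAY_SETTINGS, {"Authorization": "Bearer " + SAMPLE_JWT})` to see the accepted token, and feed it a 1500-character token to see the MaxLength rejection that motivates raising the limit.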