Use Case – Weak authentication

REST target application configuration
  Go to:
    Loginapp >> Applications and Authentication
  Create and edit a Target Application plugin:
    1. Create an Application ID plugin with the ID set to weak-app.
    2. Create and edit an Authentication Flow plugin with:
      • Username/password authentication.
      • A consent step.
    3. Create an OAuth 2.0/OIDC ID Propagator plugin.
  Result: The target application will choose the correct authentication flow and complete it with OIDC identity propagation.

Authorization server configuration
  Go to:
    Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code / Hybrid Flow
  In the section Flow Settings, configure an ACR to Flow Application ID Mapping plugin:
    1. ACR Value is set to weak-acr.
    2. Flow Application ID is an Application ID plugin with the ID set to weak-app.
  Result: The authorization code flow will select the correct target application if the client requests an acr_values of weak-acr.
  In the section ID Token, create and edit a Flow Condition Based OIDC ID Token ACR Value plugin:
    • Create and edit an OIDC Flow Condition To ACR Value Mapping plugin:
      • Flow Condition – has tag Weak Authentication Tag.
      • ACR Value – set value to weak-acr.
  Result: The authorization code flow will return an acr with the value weak-acr based on the tag set in the flow.

Loginapp UI configuration
  Go to:
    Loginapp >> UI Settings >> Authentication UIs
  Create an Authentication & Authorization UI plugin:
    1. Create an Application ID plugin with the ID set to weak-app.
    2. Create a Target URI Resolver plugin that allows redirection to the client after the flow is completed successfully.
  Result: The authorization code flow will now use the Loginapp UI for authentication.

Using the weak-app example

Authorize call

https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?
    response_type=code&
    redirect_uri=https://app.airlock.com/function&
    client_id=oidcConformance_clientId&
    scope=openid&
    acr_values=weak-acr&
    state=ee26b0dd4a...28a8ff
Expected behavior:
  1. Open the above URL in a browser. A browser is required because the configured Loginapp UI depends heavily on JavaScript and will not render without one.
  2. The login screen is shown – enter username and password.
  3. If local consents are configured, the consent screen is shown – grant consent.
  4. The authorization server now responds with a 302 status code whose Location header carries the redirect URL with the authorization code and the state parameter.

Depending on your configuration, this may lead to an error in the browser if the location cannot be resolved. If you look at the network tab in your browser's developer tools, you will find the redirect URL you are looking for.

Finding the Redirect URL

Location: https://app.airlock.com/function?
    code=msaUh91PAW...KoiHc8ihp6En&
    state=ee26b0dd4a...28a8ff

Use the code from this Location header to exchange the authorization code for access and refresh tokens:

Redirect URL to weak-app

POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

    grant_type=authorization_code&
    code=msaUh91PAW...KoiHc8ihp6En&
    redirect_uri=https://app.airlock.com/function

In the response, there will also be an ID token with all the required acr and role information:

ID token from the response

{
  "sub": "mike",
  "aud": "oidcConformance_clientId",
  "acr": "weak-acr",
  "roles": [
    "employee"
  ],
  "auth_time": 1598097477,
  "iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
  "exp": 1598097602,
  "iat": 1598097482
}
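The relying-party side of the exchange shown above, as an added Python example that is not part of this page or of Airlock IAM: it builds the authorize URL, extracts the code from the Location header while checking the state, builds the token request body, and validates the decoded ID token payload (iss, aud, acr, exp, iat) against what the client asked for. The endpoint URLs, client_id, redirect_uri, issuer and the weak-acr value are taken from the page; the state and code values are constructed placeholders, and nothing here performs network I/O.

```python
"""Relying-party checks for the weak-acr authorization code flow.

Added illustration, not Airlock IAM code. URLs, client_id, redirect_uri and the
acr value come from the page; state/code values are constructed placeholders.
"""
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize"
TOKEN_URL = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token"
ISSUER = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS"
CLIENT_ID = "oidcConformance_clientId"
REDIRECT_URI = "https://app.airlock.com/function"
ACR_WEAK = "weak-acr"

# Decoded ID token payload as shown on the page (signature not shown there).
SAMPLE_ID_TOKEN = {
    "sub": "mike",
    "aud": CLIENT_ID,
    "acr": ACR_WEAK,
    "roles": ["employee"],
    "auth_time": 1598097477,
    "iss": ISSUER,
    "exp": 1598097602,
    "iat": 1598097482,
}


def build_authorize_url(state: str, acr_values: str = ACR_WEAK) -> str:
    """Authorize request asking the AS for the flow mapped to acr_values."""
    params = {
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "scope": "openid",
        "acr_values": acr_values,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(location: str, expected_state: str) -> str:
    """Return the authorization code from the 302 Location header.

    The state must equal the one sent in the authorize request; a mismatch means
    the response does not belong to this login attempt and is discarded.
    """
    parts = urlsplit(location)
    if parts.scheme + "://" + parts.netloc + parts.path != REDIRECT_URI:
        raise ValueError("redirect did not come back to the registered redirect_uri")
    query = parse_qs(parts.query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: stale or forged response")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]


def build_token_request(code: str) -> dict:
    """Form body for the POST to TOKEN_URL; client credentials go in the
    Authorization: Basic header, not in this body."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}


def check_id_token_claims(claims: dict, expected_acr: str, now: Optional[int] = None) -> List[str]:
    """Return the names of the claim checks that failed (empty list == accepted).

    Signature verification against the AS's published keys is assumed to have
    happened already; this only inspects the decoded payload. A client that
    requested weak-acr must not accept a token carrying a different acr.
    """
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        problems.append("aud")
    if claims.get("acr") != expected_acr:
        problems.append("acr")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:
        problems.append("iat")
    return problems


if __name__ == "__main__":
    state = "CONSTRUCTED_STATE"
    print(build_authorize_url(state))
    # Constructed Location header, in the shape the page shows.
    location = REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=" + state
    code = extract_code(location, state)
    print(build_token_request(code))
    print("claim problems:", check_id_token_claims(SAMPLE_ID_TOKEN, ACR_WEAK, now=1598097500))
```

The two checks that matter most for this use case are the state comparison before the code is used and the acr comparison after the token comes back: the mapping configured above guarantees that weak-acr selects the weak-app flow, but it is the client that must refuse a token whose acr does not match the level it requested.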