Example: SPA (Single-page Application) with IAM as OAuth client

Using single-page applications (SPA) in OpenID Connect setups poses some security risks since web browsers insufficiently protect access and refresh tokens.

In this configuration example, we demonstrate how Airlock Gateway and Airlock IAM can be configured to protect access and refresh tokens issued by a third-party authorization server from being stored in the browser.

Solution overview

The solution uses the following components:
The authorization server supports the standard OpenID Connect authorization flow.
The Airlock Gateway receives and stores access tokens.
Airlock IAM acts as an OIDC client towards the authorization server.
The SPA has an authentication session with the authorization server.
The SPA receives session cookies from Airlock IAM.

The following sequence diagram details the authentication flow:

API Service authorization over OAuth 2.0

Configuration

This configuration ensures that a target application receives the access token issued by the authorization server with every request made by the SPA.

Configure at least one of the following Flow Client Settings:

Airlock IAM is configured as a client towards a remote authorization server.
Configure the Authentication Flows settings:

Authentication flow for IAM as OAuth or OIDC client configuration

Airlock IAM now has a Target Application and an Authentication Flow that will use the previously configured OAuth or OIDC client.
Configure the Flow UIs:

Loginapp UI as OAuth or OIDC client configuration

Airlock IAM will now present a UI during the interaction with the user for the previously configured target application.
Airlock IAM now supports authentication with a remote authorization server through the Loginapp UI.

Limitations

Known limitations of this setup are:
This setup only works with access tokens. Airlock IAM as a client does not support refresh tokens.

Additional information (optional)

Internal links:
Multitenancy feature
Role and rights management for tenant-users