This use case example describes a setup where Airlock IAM acts as an OpenID provider (authorization server) for accessing resources in the Azure cloud.
The solution shown here is a minimal configuration for testing purposes and should be considered a starting point for a more complex integration.
The following picture explains the solution setup:
- Authentication steps:
  - The user tries to access the web application. This fails at the Azure Frontdoor because the user is not yet authenticated. Azure AD B2C starts an authorization code flow with Airlock IAM as OP.
  - The user authenticates with Airlock IAM and receives an authorization code. Airlock IAM redirects the user back using the redirect URL provided by Azure AD B2C.
  - The user connects to the redirect URL and provides the authorization code.
  - Azure AD B2C connects to the token endpoint of Airlock IAM to obtain access, refresh, and ID tokens.
  - Azure AD B2C exchanges the access token for a token of its own, and the user session is now allowed through the Azure Frontdoor to connect to the web application.
- The solution has the following properties:
  - Airlock IAM holds the user data and all the credentials.
  - Airlock IAM handles user authentication using flows and the Loginapp UI.
  - Airlock IAM also provides all the services for users to manage their accounts (e.g. self-registration, password reset, etc.).
  - Azure AD B2C is configured as an OIDC client and extracts all user information from the ID token provided by Airlock IAM.
  - Azure AD B2C uses an on-the-fly token exchange mechanism to transform the token provided by Airlock IAM into a token issued by Azure AD B2C itself. Backend applications in the Azure cloud therefore cannot immediately tell where the user was authenticated.
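The authorization code flow from the authentication steps above, as an added end-to-end simulation that is not part of the Airlock IAM or Azure documentation: functions prefixed `rp_` play Azure AD B2C (the relying party), functions prefixed `op_` play Airlock IAM (the OP), and each side performs the checks a defender expects (registered redirect URI, client authentication, one-time code, `state`, and full ID token validation). All URLs, the client credentials and the HMAC-signed stand-in for the OP's ID token are constructed assumptions; a real deployment uses the endpoints and RS256 keys of the actual Airlock IAM instance.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs
ISSUER = "https://iam.example/op"                     # hypothetical Airlock IAM issuer
REDIRECT_URI = "https://b2c.example/oauth2/authresp"  # hypothetical Azure AD B2C redirect URL
CLIENT = {"client_id": "azure-b2c", "client_secret": "constructed-secret"}
OP_KEY = b"constructed-signing-key"                   # stand-in for the OP's RS256 signing key
_codes = {}                                           # OP store: issued but unredeemed codes
def b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def query(url): return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
def jwt(claims):  # HS256 stand-in for the OP's signed ID token (a real OP uses RS256 + JWKS)
    head, body = b64url(b'{"alg":"HS256","typ":"JWT"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

# Step 1: B2C redirects the user to the OP; state guards the callback, nonce binds the ID token
def rp_authorization_request(state, nonce):
    return ISSUER + "/authorize?" + urlencode({"response_type": "code", "scope": "openid profile",
        "client_id": CLIENT["client_id"], "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce})

# Step 2: after the user logs in, the OP binds a one-time code to client, redirect_uri and nonce
def op_authorize(request_url, user):
    q = query(request_url)
    if q["client_id"] != CLIENT["client_id"] or q["redirect_uri"] != REDIRECT_URI:
        raise PermissionError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"sub": user, "nonce": q["nonce"], "redirect_uri": REDIRECT_URI}
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})

# Step 4: B2C redeems the code at the token endpoint; the OP authenticates the client first
def op_token(code, client_id, client_secret, redirect_uri):
    if (client_id, client_secret) != (CLIENT["client_id"], CLIENT["client_secret"]):
        raise PermissionError("invalid_client")
    grant = _codes.pop(code, None)  # pop: a code is redeemable exactly once
    if grant is None or grant["redirect_uri"] != redirect_uri: raise PermissionError("invalid_grant")
    now = int(time.time())
    id_token = jwt({"iss": ISSUER, "aud": client_id, "sub": grant["sub"], "nonce": grant["nonce"],
                    "iat": now, "exp": now + 300})
    return {"access_token": secrets.token_urlsafe(24), "refresh_token": secrets.token_urlsafe(24),
            "id_token": id_token, "token_type": "Bearer"}

# RP side: check signature, issuer, audience, expiry and nonce before trusting any claim
def rp_validate_id_token(token, expected_nonce):
    head, body, sig = token.split(".")
    good = hmac.new(OP_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(good), sig): raise ValueError("bad signature")
    c = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if c["iss"] != ISSUER or c["aud"] != CLIENT["client_id"]: raise ValueError("wrong iss or aud")
    if c["exp"] <= time.time() or c["nonce"] != expected_nonce: raise ValueError("expired or nonce mismatch")
    return c

def run_flow(user="alice"):  # steps 1-4 end to end; returns the validated ID token claims
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    q = query(op_authorize(rp_authorization_request(state, nonce), user))  # step 3: the callback
    if q["state"] != state: raise ValueError("state mismatch")
    tokens = op_token(q["code"], CLIENT["client_id"], CLIENT["client_secret"], REDIRECT_URI)
    return rp_validate_id_token(tokens["id_token"], nonce)
```

The token exchange described in the last property above (B2C re-issuing the validated claims under its own issuer) starts from the claims `run_flow` returns.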