Authorize call
https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?
response_type=code&
redirect_uri=https://app.airlock.com/function&
client_id=oidcConformance_clientId&
scope=openid&
acr_values=weak-acr&
state=ee26b0dd4a...28a8ff
- Expected behavior:
- Open the above URL in a browser. A browser is required because the configured Loginapp UI depends heavily on JavaScript and will not render without one.
- The login screen will be shown – enter username and password.
- If local consents are configured, the consent screen is shown – grant consent.
- The authorization server will now respond with a 302 status code and a Location header that contains the redirect URL with the authorization code and the state parameter.
Depending on your configuration, this may lead to an error in the browser if the location cannot be resolved. If you look at the network tab in your browser's developer tools, you will find the redirect URL you are looking for.
Finding the Redirect URL
Location: https://app.airlock.com/function?
code=msaUh91PAW...KoiHc8ihp6En&
state=ee26b0dd4a...28a8ff
Use the code provided in this Location header to exchange the authorization code for access and refresh tokens:
Redirect URL to weak-app
POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

grant_type=authorization_code&
code=msaUh91PAW...KoiHc8ihp6En&
redirect_uri=https://app.airlock.com/function
In the response, there will also be an ID token with all the required acr and role information:
ID token from the response
{
"sub": "mike",
"aud": "oidcConformance_clientId",
"acr": "weak-acr",
"roles": [
"employee"
],
"auth_time": 1598097477,
"iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
"exp": 1598097602,
"iat": 1598097482
}
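The checks a client should apply to the redirect and to the ID token claims shown above, as an added example that is not part of the Airlock documentation or product code. The function names are hypothetical, the code and state values are constructed, and the ID token signature is assumed to have been verified already with a JOSE library.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Issuer and client_id as shown on this page.
ISSUER = "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS"
CLIENT_ID = "oidcConformance_clientId"


def code_from_redirect(location, expected_state):
    """Return the authorization code only if state matches the value we sent."""
    params = parse_qs(urlsplit(location).query)
    if "error" in params:
        raise ValueError("authorization error: " + params["error"][0])
    state = params.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the response is not ours.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def check_id_token_claims(claims, requested_acr, now, leeway=30):
    """Validate claims of an ID token whose signature was ALREADY verified."""
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        raise ValueError("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise ValueError("iat is in the future")
    # acr_values in the authorize call is only a request; the client has to
    # check the acr that actually came back before trusting the login level.
    if claims.get("acr") not in requested_acr:
        raise ValueError("acr does not satisfy the request")
    return claims["sub"], claims.get("roles", [])


if __name__ == "__main__":
    # Constructed sample values (the page elides the real code and state).
    url = "https://app.airlock.com/function?code=constructed-code&state=constructed-state"
    print(code_from_redirect(url, "constructed-state"))
```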