- The configuration for strong-app is identical to the configuration for weak-app:
  - REST target application configuration requires a new Target Application strong-app. The authentication flow must require multi-factor authentication and set the corresponding tags.
  - The configuration requires an ACR to Flow Application ID Mapping for strong-acr and a Flow Condition Based OIDC ID Token ACR Value plugin that matches the tag set by the authentication flow.
  - Loginapp UI configuration requires an Authentication & Authorization UI,
Using the strong-app example
Authorize call

```text
https://oidc.airlock.com/auth-login/oauth2/v3/myAS/authorize?response_type=code&
  redirect_uri=https://app.airlock.com/function&
  client_id=oidcConformance_clientId&
  scope=openid&
  acr_values=strong-acr&
  state=ee26b0dd4a...28a8ff
```
- Expected behaviour:
  - Use the above URL in a browser. This is required because the configured Loginapp UI depends heavily on JavaScript and will not render without a browser.
  - The login screen is shown – enter username and password.
  - The second login screen is shown – enter the mTAN code.
  - If local consents are configured, the consent screen is shown.
  - The authorization server now responds with a 302 status code and a Location header whose URL carries the authorization code and the state parameter.

Depending on your configuration, this may lead to an error in the browser if the location cannot be resolved. If you look at the network tab in your browser's developer tools, you will find the redirect URL you are looking for.
Finding the redirect URL

```text
Location: https://app.airlock.com/function?
  code=msaUh91PAW...KoiHc8ihp6En&
  state=ee26b0dd4a...28a8ff
```
Use the code provided in this location parameter to exchange the authorization code for access and refresh tokens:

Redirect URL to weak-app

```http
POST https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS/token
Content-Type: application/x-www-form-urlencoded
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ

grant_type=authorization_code
code=msaUh91PAW...KoiHc8ihp6En
redirect_uri=https://app.airlock.com/function
state=ee26b0dd4a...28a8ff
```
In the response there will also be an ID token. Due to the roles to ACR mapping, the acquired role strong-role will be mapped to the strong-acr ACR value and returned in the ID token.

ID token from response

```json
{
  "sub": "mike",
  "aud": "oidcConformance_clientId",
  "acr": "strong-acr",
  "roles": [ "employee" ],
  "auth_time": 1598100981,
  "iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
  "exp": 1598101107,
  "iat": 1598100987,
  "family_name": "Doe"
}
```
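The checks a relying party should run on the redirect above and on the ID token it receives afterwards, as an added example that is not Airlock's code: the state in the Location header must match the one sent in the authorize call, and the `acr` claim must equal the requested `acr_values`, otherwise a login that did not go through the MFA flow would be accepted. The sample Location and claims are constructed from the values on this page, and the code assumes the ID token's signature has already been verified and its claims decoded.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input, modelled on the Location header and ID token above.
LOCATION = ("https://app.airlock.com/function?"
            "code=msaUh91PAW...KoiHc8ihp6En&state=ee26b0dd4a...28a8ff")
ID_TOKEN_CLAIMS = {
    "sub": "mike", "aud": "oidcConformance_clientId", "acr": "strong-acr",
    "roles": ["employee"], "auth_time": 1598100981,
    "iss": "https://oidc.airlock.com/auth-login/rest/oauth2/authorization-servers/myAS",
    "exp": 1598101107, "iat": 1598100987, "family_name": "Doe",
}


def parse_redirect(location, expected_state):
    """Return the authorization code from a redirect Location header, or raise.
    The state must equal the value the client put into the authorize call;
    otherwise the code may belong to another session (login CSRF)."""
    query = parse_qs(urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


def check_id_token(claims, client_id, issuer, requested_acr, now):
    """Return a list of problems with already signature-verified ID token
    claims (assumption); an empty list means the token is acceptable for an
    application that asked for requested_acr via acr_values."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # The step-up check itself: the AS asserts strong-acr only when the
    # flow's MFA tag was set, so a weaker or missing acr is rejected here.
    if claims.get("acr") != requested_acr:
        problems.append(f"acr {claims.get('acr')!r} != requested {requested_acr!r}")
    return problems
```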