Request flow
PKCE (“Pixy”, RFC7636)
In this use case the OAuth 2 client is public (it is the mobile app), so for security reasons always use PKCE (“Pixy”) in this use case.
See section 1 of RFC 7636 (https://tools.ietf.org/html/rfc7636) for further information.
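The following is an added example of the PKCE mechanism the text refers to; it is not Airlock, IAM or mobile-app code, and the `AuthorizationServer` class, its method names and the client name `mobile-app` are constructed for illustration. It shows the two halves of RFC 7636 with the S256 method: the public client derives a `code_challenge` from a random `code_verifier`, and the authorization server only exchanges an authorization code when the matching verifier is presented, so a code alone is worthless to anyone who intercepts it.

```python
"""Added PKCE example (RFC 7636, S256 method). Models a public client and the
authorization server's checks; constructed for illustration, not product code."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url encoding without padding, as RFC 7636 Appendix A requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier() -> str:
    """43-character code_verifier from 32 random bytes (RFC 7636 section 4.1)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (section 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal model (constructed) of the parts of an AS that PKCE touches."""

    def __init__(self) -> None:
        # code -> (client_id, code_challenge, code_challenge_method)
        self._pending: dict = {}

    def authorize(self, client_id: str, code_challenge: str, method: str) -> str:
        # A public client must send a challenge; this model only accepts S256.
        if method != "S256" or not code_challenge:
            raise ValueError("PKCE with S256 is required for public clients")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str,
              code_verifier: Optional[str]) -> Optional[str]:
        entry = self._pending.pop(code, None)  # authorization codes are single-use
        if entry is None:
            return None
        owner, challenge, _method = entry
        if owner != client_id or code_verifier is None:
            return None
        if not 43 <= len(code_verifier) <= 128:  # section 4.1 length rule
            return None
        # Constant-time comparison of the recomputed challenge (section 4.6).
        if not hmac.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        return "at-" + secrets.token_urlsafe(16)


def demo_flow() -> dict:
    """Happy path, a replayed code, and a code presented with the wrong verifier."""
    az = AuthorizationServer()

    # 1) Normal flow: the app keeps the verifier, sends only the challenge.
    verifier = generate_code_verifier()
    code = az.authorize("mobile-app", code_challenge_s256(verifier), "S256")
    legit = az.token("mobile-app", code, verifier)
    reused = az.token("mobile-app", code, verifier)  # already consumed

    # 2) A code observed in transit, presented without the app's verifier.
    verifier2 = generate_code_verifier()
    code2 = az.authorize("mobile-app", code_challenge_s256(verifier2), "S256")
    wrong_verifier = az.token("mobile-app", code2, generate_code_verifier())

    return {
        "legit_exchange_ok": legit is not None,
        "code_reuse_rejected": reused is None,
        "wrong_verifier_rejected": wrong_verifier is None,
    }


if __name__ == "__main__":
    print(demo_flow())
```

`code_challenge_s256` reproduces the test vector from RFC 7636 Appendix B, which is a convenient check that the base64url handling (no padding, `-`/`_` alphabet) is right; the `plain` method is deliberately not accepted, since the RFC only allows it where the client cannot compute SHA-256.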
To improve performance, the Airlock Gateway session can be tracked by the OAuth 2 Access Token: the Gateway session then “caches” the decision that the Access Token was valid for a certain amount of time.
If doing so, make sure that the Airlock Gateway role (credential) issued by the one-shot endpoint of IAM has a low timeout (usually only a few minutes), so that the Gateway asks IAM (one-shot) to verify the Access Token from time to time.
Remember that an Access Token does not only become invalid after its expiration time but also when the user revokes the consent.
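The following is an added model of the trade-off described above; it is not Airlock Gateway or IAM code, and the classes `IamOneShot` and `GatewaySessionCache`, the constructed token `tok` and the simulated clock are assumptions for illustration. The gateway caches a positive verification for the role timeout and only asks the one-shot endpoint again when that timeout has elapsed, so a token that is revoked (consent withdrawn) or expired in the meantime keeps being accepted until the next re-check. The simulation returns how long that window is for a given role timeout.

```python
"""Added model of token-validation caching at a gateway with a role timeout.
Constructed for illustration; not Airlock Gateway or IAM code."""
from typing import Dict, Optional


class IamOneShot:
    """Stand-in for the IAM one-shot endpoint: knows which tokens are valid."""

    def __init__(self) -> None:
        self._expiry: Dict[str, int] = {}  # token -> absolute expiry (seconds)
        self.calls = 0                      # how often the gateway asked us

    def issue(self, token: str, expires_at: int) -> None:
        self._expiry[token] = expires_at

    def revoke(self, token: str) -> None:
        """User withdraws consent: the token is invalid before its expiry."""
        self._expiry.pop(token, None)

    def verify(self, token: str, now: int) -> bool:
        self.calls += 1
        exp = self._expiry.get(token)
        return exp is not None and now < exp


class GatewaySessionCache:
    """Gateway session tracked by the access token; caches IAM's decision."""

    def __init__(self, iam: IamOneShot, role_timeout: int) -> None:
        self.iam = iam
        self.role_timeout = role_timeout
        self._role_valid_until: Dict[str, int] = {}  # token -> cache expiry

    def is_authorized(self, token: str, now: int) -> bool:
        until = self._role_valid_until.get(token)
        if until is not None and now < until:
            return True  # cached role still valid: no round trip to IAM
        if self.iam.verify(token, now):
            self._role_valid_until[token] = now + self.role_timeout
            return True
        self._role_valid_until.pop(token, None)  # drop the stale session
        return False


def simulate(role_timeout: int, revoke_at: int = 30,
             horizon: int = 600, step: int = 10) -> dict:
    """Revoke the token at `revoke_at` and measure when the gateway notices."""
    iam = IamOneShot()
    iam.issue("tok", expires_at=3600)
    gw = GatewaySessionCache(iam, role_timeout)
    last_accepted: Optional[int] = None
    rejected_at: Optional[int] = None
    for now in range(0, horizon, step):
        if now == revoke_at:
            iam.revoke("tok")
        if gw.is_authorized("tok", now):
            last_accepted = now
        else:
            rejected_at = now
            break
    return {
        "last_accepted_at": last_accepted,
        "rejected_at": rejected_at,
        "iam_calls": iam.calls,
    }


if __name__ == "__main__":
    # A few minutes of role timeout bounds the window; an hour does not.
    print("role timeout 120s:", simulate(120))
    print("role timeout 3600s:", simulate(3600))
```

With a 120-second role timeout the revoked token is still accepted for the rest of the cached interval and rejected at the first re-check, at the cost of one extra IAM call; with a one-hour role timeout the revocation is never seen within the simulated ten minutes. The role timeout is therefore the upper bound on how long a revoked or expired token keeps working at the gateway, which is the reason the text asks for a low value.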