HTTP request authentication (One-Shot flow)
Airlock Gateway provides several authentication procedures, e.g., the redirect-to-login-pages procedure and the one-shot procedure. This section describes the one-shot authentication procedure. In a one-shot authentication workflow, Airlock Gateway calls Airlock IAM directly on a dedicated endpoint to decide on an incoming request. The usual flow of redirecting to a login page, establishing a session, etc., is bypassed.
One-shot is used especially for REST and non-browser clients (mobile apps, microservices), where redirects and UI login flows are not appropriate or possible. In these cases, the authentication token is obtained through means other than user interaction, for example from another system. IAM validates the token, extracts user information, such as the assigned roles, and may optionally perform a lookup in the user directory for additional checks or information.
The following table provides an overview of the different authentication procedures.
Note that the one-shot requests are only sent from Gateway to IAM if required roles are missing on the mapping.
Type | Main Usage | Description |
---|---|---|
Redirect | Web application | Redirects the browser to a login page. |
One-shot | REST clients | Temporarily stops the request and sends the HTTP header directly to IAM for inspection. |
One-shot with body | REST clients | Temporarily stops the request and sends the HTTP header with the HTTP body directly to IAM for inspection. |
Two configuration methods
Currently (Q4 2025), IAM provides two methods for configuring one-shot authentication:
- One method is based on flows. This method was introduced with IAM 8.5. It is the preferred method.
  - Dedicated REST API endpoint: /rest/public/authentication/one-shot/applications/{application id}
  - For more information, see One-shot authentication with flows.
- The other method is based on authenticators. This is the legacy method.
  - Dedicated endpoint: /login-oneshot
  - For more information, see One-shot authentication with authenticators.
Both methods can be used in parallel. However, the flow-based method will gradually replace the authenticator-based method, for the following reasons:
- Flows are a core concept of IAM, allowing workflows to be configured as a sequence of steps. This provides greater flexibility, including the ability to use, for example, conditions, non-interactive steps and scriptable steps.
- Where applicable, new features in IAM are based on the flow concept. Using flows for one-shot authentication as well will make IAM more consistent (regarding behavior, logs, messages, etc.).
- Using authenticators is outdated.
If you are still working with one-shot based on authenticators, you should replace this legacy approach as soon as the flow-based approach supports your authentication mechanism.