Airlock IAM 8.3
Improved Usability and Flexibility with OAuth 2.0 / OpenID Connect
With new features in the OAuth 2.0 / OpenID Connect component, Airlock IAM 8.3 offers an enhanced user experience. The authorization code flow now includes a local consent step that stores previously granted scopes and hides unnecessary internal ones. This means fewer interruptions and a more efficient interaction for end users.
Enhanced Security for Your Systems: With FAPI features like PAR, Private Key JWT, and PKCE support, businesses with higher security requirements can further secure their OAuth implementations – a critical factor for companies operating in regulated environments.
More Flexible Static Client Configuration: Airlock IAM 8.3 offers more flexibility for static client configuration, allowing businesses to define client-specific token contents, adjust PKCE settings, and choose target applications more precisely. This enables a more individual design of the authentication and authorization processes.
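To make the PKCE part of the client configuration above concrete, here is an added Go example written for this page, not Airlock IAM's own implementation. It shows both halves of the exchange: the client derives an S256 code_challenge from a random code_verifier, and the authorization server's token endpoint checks the presented verifier against the challenge stored with the code, rejects a replayed code, and, when the client is configured to require S256, refuses the weaker plain method. The names AuthCodeRecord, VerifyTokenRequest and the client id "app-1" are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// RFC 7636 section 4.1: a code_verifier is 43..128 characters from [A-Za-z0-9-._~].
var verifierRe = regexp.MustCompile(`^[A-Za-z0-9._~-]{43,128}$`)

// NewCodeVerifier is the client side: 32 random bytes encode to 43 base64url characters.
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the code_challenge sent in the authorization (or PAR) request.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// AuthCodeRecord is what the authorization server stores next to an issued code.
type AuthCodeRecord struct {
	ClientID        string
	Challenge       string
	ChallengeMethod string
	Redeemed        bool
}

// VerifyTokenRequest is the token-endpoint check. requireS256 is the stricter per-client
// setting; "plain" gives no protection once the challenge has been observed in transit.
func VerifyTokenRequest(rec *AuthCodeRecord, clientID, verifier string, requireS256 bool) error {
	if rec.Redeemed {
		return errors.New("authorization code already redeemed")
	}
	if rec.ClientID != clientID {
		return errors.New("client_id does not match the code")
	}
	if !verifierRe.MatchString(verifier) {
		return errors.New("code_verifier has invalid length or character set")
	}
	var expected string
	switch rec.ChallengeMethod {
	case "S256":
		expected = CodeChallengeS256(verifier)
	case "plain":
		if requireS256 {
			return errors.New("code_challenge_method plain is not allowed for this client")
		}
		expected = verifier
	default:
		return errors.New("unknown code_challenge_method")
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(rec.Challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	rec.Redeemed = true // an authorization code is single use
	return nil
}

func main() {
	verifier, err := NewCodeVerifier()
	if err != nil {
		panic(err)
	}
	// Constructed record: the code was issued to client "app-1" with an S256 challenge.
	rec := &AuthCodeRecord{ClientID: "app-1", Challenge: CodeChallengeS256(verifier), ChallengeMethod: "S256"}
	fmt.Println("client presents its verifier:", VerifyTokenRequest(rec, "app-1", verifier, true))
	fmt.Println("same code presented again:", VerifyTokenRequest(rec, "app-1", verifier, true))
	rec2 := &AuthCodeRecord{ClientID: "app-1", Challenge: CodeChallengeS256(verifier), ChallengeMethod: "S256"}
	other, _ := NewCodeVerifier()
	fmt.Println("code presented with a different verifier:", VerifyTokenRequest(rec2, "app-1", other, true))
}
```

The RFC 7636 test vector is a convenient regression check: the verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk must yield the challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM.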
Extended 2FA Features – Better Protection Against Modern Threats
Airlock 2FA has been enhanced on several levels to address current security threats:
- MFA Fatigue Protection: The new multi-number challenge protects Airlock IAM against MFA fatigue attacks during one-touch logins (Push).
- Push Notifications for Multiple Devices: Notifications can now be sent to all of a user’s devices simultaneously, enabling smoother and more flexible authentication for a wide range of use cases.
- Trusted Session Binding: For organizations with particularly high security requirements, this feature provides enhanced protection during device activation and recovery.
- Extended Airlock 2FA App (available as of approx. 10/2024): The new app offers numerous features previously available only to SDK users with their own mobile apps, expanding the possibilities for mobile authentication.
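The multi-number challenge mentioned above works because approval requires information that only someone looking at the login screen has. The Go code below is an added example written for this page, not Airlock's implementation: the server draws one number for the login screen and a few decoys for the app, and a login is approved only if the user taps the matching number, with exactly one attempt per challenge. The option count of three and the two-digit range are constructed choices; the page does not state how Airlock IAM sizes the challenge.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PushChallenge is the server-side record of one one-touch (push) login attempt.
type PushChallenge struct {
	ID        string
	Expected  int   // the number shown on the login screen
	Options   []int // the numbers offered in the app, already in random order
	ExpiresAt time.Time
	Answered  bool
}

func randomBelow(n int) (int, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		return 0, err
	}
	return int(v.Int64()), nil
}

// NewPushChallenge draws optionCount distinct two-digit numbers and picks one as the answer.
// Three options and the 00..99 range are constructed choices for this example.
func NewPushChallenge(id string, optionCount int, now time.Time, ttl time.Duration) (*PushChallenge, error) {
	if optionCount < 2 || optionCount > 100 {
		return nil, errors.New("optionCount must be between 2 and 100")
	}
	seen := make(map[int]bool, optionCount)
	opts := make([]int, 0, optionCount)
	for len(opts) < optionCount {
		n, err := randomBelow(100)
		if err != nil {
			return nil, err
		}
		if !seen[n] {
			seen[n] = true
			opts = append(opts, n)
		}
	}
	idx, err := randomBelow(optionCount)
	if err != nil {
		return nil, err
	}
	return &PushChallenge{ID: id, Expected: opts[idx], Options: opts, ExpiresAt: now.Add(ttl)}, nil
}

// AnswerPushChallenge is the check when the app reports which number the user tapped.
// Every answer consumes the challenge, so a wrong tap cannot be retried, and a user who
// approves without looking at the login screen is right only 1 in len(Options) times.
func AnswerPushChallenge(c *PushChallenge, tapped int, now time.Time) error {
	if c.Answered {
		return errors.New("challenge already answered")
	}
	c.Answered = true
	if now.After(c.ExpiresAt) {
		return errors.New("challenge expired")
	}
	if tapped != c.Expected {
		return errors.New("wrong number: login denied")
	}
	return nil
}

func main() {
	now := time.Now()
	c, err := NewPushChallenge("login-42", 3, now, 60*time.Second)
	if err != nil {
		panic(err)
	}
	fmt.Printf("login screen shows %02d, app offers %v\n", c.Expected, c.Options)
	fmt.Println("user taps the matching number:", AnswerPushChallenge(c, c.Expected, now))
	fmt.Println("second approval on the same challenge:", AnswerPushChallenge(c, c.Expected, now))
}
```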
Security and Control over Devices: The introduction of a cooldown period for newly registered devices minimizes risk by limiting functionality. You can now define and configure which actions are considered low-risk and whether to respect the cooldown in each authentication or verification flow step.
Additionally, a new feature allows the deletion of all devices except the most recently registered one, making it easy to enforce a one-device policy for end users.
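The cooldown and one-device rules described above reduce to a small policy evaluation. The Go code below is an added example written for this page, not Airlock IAM's implementation: a DevicePolicy carries the cooldown length and the set of low-risk actions, each flow step states whether it respects the cooldown at all, and KeepOnlyNewest returns every device except the most recently registered one. All type names, action names and the 24-hour cooldown are this example's own assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Action names a device operation requested in a flow step.
type Action string

// Device is a registered authenticator (the fields are an assumption of this example).
type Device struct {
	ID           string
	RegisteredAt time.Time
}

// DevicePolicy says how long a new device stays restricted and which actions remain allowed meanwhile.
type DevicePolicy struct {
	Cooldown time.Duration
	LowRisk  map[Action]bool
}

// StepConfig is the per-step switch: does this authentication or verification step respect the cooldown?
type StepConfig struct {
	Name            string
	RespectCooldown bool
}

// CooldownEnds returns the instant at which the device becomes fully functional.
func (p DevicePolicy) CooldownEnds(d Device) time.Time {
	return d.RegisteredAt.Add(p.Cooldown)
}

// Allowed decides whether action a on device d may run in the given step right now,
// and returns the reason for the decision so it can be logged.
func (p DevicePolicy) Allowed(d Device, a Action, step StepConfig, now time.Time) (bool, string) {
	if !step.RespectCooldown {
		return true, "step " + step.Name + " does not respect the cooldown"
	}
	if !now.Before(p.CooldownEnds(d)) {
		return true, "cooldown elapsed"
	}
	if p.LowRisk[a] {
		return true, fmt.Sprintf("%s is low-risk and permitted during cooldown", a)
	}
	return false, fmt.Sprintf("device %s is in cooldown until %s", d.ID, p.CooldownEnds(d).UTC().Format(time.RFC3339))
}

// KeepOnlyNewest enforces a one-device policy: every device except the most recently
// registered one is returned for deletion. On equal timestamps the first one wins.
func KeepOnlyNewest(devices []Device) (keep *Device, remove []Device) {
	if len(devices) == 0 {
		return nil, nil
	}
	newest := 0
	for i := range devices {
		if devices[i].RegisteredAt.After(devices[newest].RegisteredAt) {
			newest = i
		}
	}
	for i := range devices {
		if i != newest {
			remove = append(remove, devices[i])
		}
	}
	return &devices[newest], remove
}

func main() {
	// Constructed policy: 24 h cooldown; only ordinary login approvals count as low-risk.
	policy := DevicePolicy{Cooldown: 24 * time.Hour, LowRisk: map[Action]bool{"login-approve": true}}
	registered := time.Date(2024, 10, 1, 9, 0, 0, 0, time.UTC)
	dev := Device{ID: "phone-new", RegisteredAt: registered}
	now := registered.Add(2 * time.Hour)
	for _, a := range []Action{"login-approve", "transaction-sign"} {
		ok, why := policy.Allowed(dev, a, StepConfig{Name: "authentication", RespectCooldown: true}, now)
		fmt.Printf("%-17s allowed=%-5v %s\n", a, ok, why)
	}
	old := Device{ID: "phone-old", RegisteredAt: registered.Add(-90 * 24 * time.Hour)}
	keep, remove := KeepOnlyNewest([]Device{old, dev})
	fmt.Printf("one-device policy keeps %s and deletes %d device(s)\n", keep.ID, len(remove))
}
```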
Scriptable Steps – Flexibility for Tailored Authentication Flows
Introduced in version 8.2, the Scriptable Flow Step now offers even more flexibility. Two new use cases are described in the documentation:
- User-Specific IP Address Filtering: Uses a context data element to specify an IP address range in CIDR notation. The script checks whether the client's current IP address matches this pattern. If it matches, the authentication step succeeds; if not, it fails – a powerful tool for companies needing strict access controls.
- Password Check Against haveibeenpwned.com: This step checks the user's password against known data breaches and prompts the user to change it if it has been compromised.
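Both scriptable-step use cases are worked through in one added Go example below. It is written for this page and is not taken from the Airlock IAM documentation or its scripting environment. IPAllowedByCIDR is the per-user CIDR filter; PasswordBreachCount implements the k-anonymity range lookup of the Pwned Passwords API, so only the first five hex characters of the password's SHA-1 hash ever leave the IAM. The range response used here is a constructed stand-in whose breach count is made up; HTTPRangeFetcher shows the real request but is not called when the program runs.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strconv"
	"strings"
)

// IPAllowedByCIDR is the user-specific filter: cidr is the value from the user's
// context data element, clientIP the address of the current request.
func IPAllowedByCIDR(cidr, clientIP string) (bool, error) {
	_, network, err := net.ParseCIDR(strings.TrimSpace(cidr))
	if err != nil {
		return false, fmt.Errorf("invalid CIDR in context data: %w", err)
	}
	ip := net.ParseIP(strings.TrimSpace(clientIP))
	if ip == nil {
		return false, errors.New("client IP is not parsable")
	}
	return network.Contains(ip), nil
}

// RangeFetcher returns the "range" response for a 5-hex-character SHA-1 prefix,
// one "SUFFIX:COUNT" line per known hash. Injected so the check can run offline.
type RangeFetcher func(prefix string) (string, error)

// HTTPRangeFetcher talks to the real Pwned Passwords range API (not used by main or the test).
func HTTPRangeFetcher(prefix string) (string, error) {
	resp, err := http.Get("https://api.pwnedpasswords.com/range/" + prefix)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("range API returned %s", resp.Status)
	}
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// PasswordBreachCount hashes locally and sends only the first 5 hex characters
// (k-anonymity), so neither the password nor its full hash leaves the IAM.
func PasswordBreachCount(password string, fetch RangeFetcher) (int, error) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]
	body, err := fetch(prefix)
	if err != nil {
		return 0, err
	}
	sc := bufio.NewScanner(strings.NewReader(body))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, nil // suffix absent from the range: no known breach
}

// constructedRange mimics a range response. The first suffix is SHA-1("password")
// without its leading 5 hex characters; the counts are made up for this example.
func constructedRange(prefix string) (string, error) {
	if prefix != "5BAA6" {
		return "00000000000000000000000000000000000:1\r\n", nil
	}
	return "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
		"1E4C9B93F3F0682250B6CF8331B7EE68FFF:2\r\n", nil
}

func main() {
	ok, err := IPAllowedByCIDR("10.20.0.0/16", "10.20.7.42")
	fmt.Println("client IP inside the user's CIDR:", ok, err)
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, err := PasswordBreachCount(pw, constructedRange)
		fmt.Printf("%q seen in %d breaches (err=%v)\n", pw, n, err)
	}
}
```

A step built on this would treat a non-zero count as "compromised" and route the user to a password change, and would treat a fetch error as a policy decision of its own (fail open or fail closed) rather than silently reporting zero.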
Event Notifications – Even More Targeted
With more flexible event notifications, subscribers can now add filters on flow ID, step ID and flow type to better control user interactions and address end users with more concise messages.
Assignments and unassignments of roles now trigger a ‘User Role Changed’ event in the Adminapp, making it easier to track and manage user roles.
Various Features: Correlation IDs and JWKS endpoint
Correlation IDs for Logging and Integration into Microservices Architectures
Airlock IAM 8.3 now supports Correlation IDs, enabling seamless tracking of events across microservices architectures. This ID is used in logs for detailed tracking and is propagated in outgoing calls to third-party services. The Correlation ID is also available in a value provider map for use in OAuth 2.0/OIDC, identity propagation, scriptable steps, and other flow steps. This significantly improves integration and monitoring in microservices-based environments.
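As an added illustration of how a correlation ID travels through a request, the Go code below is written for this page and is not Airlock IAM's implementation. A well-formed inbound ID is reused so the trace continues across services, otherwise a fresh one is minted; the ID is stored in the request context, written into every log line, and copied onto outgoing calls to third-party services. The header name X-Correlation-ID, the ID format and the host names are assumptions of this example; the page does not say which header or format Airlock IAM uses.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"log"
	"net/http"
	"regexp"
)

// HeaderName is an assumption of this example; the page does not state the header Airlock IAM uses.
const HeaderName = "X-Correlation-ID"

type ctxKey struct{}

// Only IDs that are safe to write into a log line verbatim are accepted from the outside.
var validID = regexp.MustCompile(`^[A-Za-z0-9._-]{8,128}$`)

// NewCorrelationID mints 128 random bits as hex.
func NewCorrelationID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// CorrelationIDFromRequest reuses a well-formed inbound ID and otherwise starts a new one.
// Accepting the header unvalidated would let a caller put arbitrary text, line breaks
// included, into every log line written for the request.
func CorrelationIDFromRequest(r *http.Request) string {
	if v := r.Header.Get(HeaderName); validID.MatchString(v) {
		return v
	}
	return NewCorrelationID()
}

// WithCorrelationID and CorrelationID carry the ID through the request context.
func WithCorrelationID(ctx context.Context, id string) context.Context {
	return context.WithValue(ctx, ctxKey{}, id)
}

func CorrelationID(ctx context.Context) string {
	id, _ := ctx.Value(ctxKey{}).(string)
	return id
}

// LogLine formats a log entry so every line of one request shares the same ID.
func LogLine(ctx context.Context, msg string) string {
	return fmt.Sprintf("correlationId=%s %s", CorrelationID(ctx), msg)
}

// NewOutgoingRequest propagates the ID to a third-party or downstream call.
func NewOutgoingRequest(ctx context.Context, method, url string) (*http.Request, error) {
	req, err := http.NewRequestWithContext(ctx, method, url, nil)
	if err != nil {
		return nil, err
	}
	if id := CorrelationID(ctx); id != "" {
		req.Header.Set(HeaderName, id)
	}
	return req, nil
}

// Middleware attaches the ID to the inbound request and echoes it in the response.
func Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := CorrelationIDFromRequest(r)
		w.Header().Set(HeaderName, id)
		next.ServeHTTP(w, r.WithContext(WithCorrelationID(r.Context(), id)))
	})
}

func main() {
	// Constructed inbound request from an upstream service that already carries an ID.
	in, _ := http.NewRequest(http.MethodGet, "http://iam.example.internal/auth", nil)
	in.Header.Set(HeaderName, "req-2024-10-01-0001")
	ctx := WithCorrelationID(context.Background(), CorrelationIDFromRequest(in))
	log.Print(LogLine(ctx, "authentication flow started"))
	out, _ := NewOutgoingRequest(ctx, http.MethodPost, "http://risk-service.example.internal/score")
	log.Print(LogLine(ctx, "calling risk service with "+HeaderName+"="+out.Header.Get(HeaderName)))
}
```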
New JWKS Endpoint for Simplified Digital Signature Verification
Additionally, Airlock IAM now exposes a JWKS endpoint that provides all public keys for digital signatures, enabling third parties to easily verify signatures without the need to embed a copy of the public key. This simplifies the process of verifying digital signatures and ensures that only the currently valid key is used.
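The following Go program is an added example written for this page, not Airlock IAM's code, showing both sides of a JWKS exchange: the issuer publishes only the public halves of its current signing keys, and a third party verifies an RS256-signed token by selecting the key by kid from that document. A token that names a kid absent from the set (a key that was rotated out or never issued) or that carries an unexpected alg is rejected instead of being checked against a stale embedded copy. The kid "2024-10", the claims and the KeyRing type are constructed for this example; the page does not give the endpoint URL or Airlock IAM's key identifiers.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK and JWKS as in RFC 7517, limited to the RSA fields used here.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

type JWKS struct{ Keys []JWK `json:"keys"` }

// KeyRing holds the issuer's currently valid signing keys by kid; b64 is the JOSE base64url alphabet.
type KeyRing map[string]*rsa.PrivateKey

var b64 = base64.RawURLEncoding
func NewSigningKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }

// PublishJWKS is the issuer side: only the public halves of the current keys are exported.
func PublishJWKS(keys KeyRing) ([]byte, error) {
	set := JWKS{Keys: []JWK{}}
	for kid, k := range keys {
		set.Keys = append(set.Keys, JWK{Kty: "RSA", Kid: kid,
			N: b64.EncodeToString(k.N.Bytes()),
			E: b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
	}
	return json.Marshal(set)
}

// SignRS256 produces a compact JWS (header.payload.signature) over already-serialized claims;
// the header names the key id so that verifiers can pick the right key.
func SignRS256(kid string, key *rsa.PrivateKey, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyWithJWKS is the third-party side: the key is selected by kid from the published set, never
// taken from the token; an unknown kid (rotated out or never issued) or an unexpected alg is rejected.
func VerifyWithJWKS(token string, jwksJSON []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("bad header or unexpected alg")
	}
	var set JWKS
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid != hdr.Kid || k.Kty != "RSA" || errN != nil || errE != nil {
			continue // not the key we need, or an unusable entry
		}
		pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	}
	if pub == nil {
		return nil, errors.New("kid not in JWKS: key unknown or no longer valid")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid")
	}
	return payload, nil // verified claims; iss, aud and exp are still the caller's job
}

func main() {
	key, _ := NewSigningKey(2048)
	jwks, _ := PublishJWKS(KeyRing{"2024-10": key}) // "2024-10" is a constructed kid
	token, _ := SignRS256("2024-10", key, []byte(`{"sub":"alice"}`))
	payload, err := VerifyWithJWKS(token, jwks)
	fmt.Println(string(payload), err)
}
```

In production the consumer fetches and caches the JWKS document from the endpoint and refreshes it when a token names a kid it has not seen; the claims returned here still need iss, aud and exp validation by the caller.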
Minor Release
Airlock IAM 8.3 is now available on Quay.io and Airlock Techzone. Existing configurations can be migrated and activated straight away, as an update to this minor release does not require any manual adjustments.
Important: Airlock IAM 8.2 is supported until 01/2026. If you are still using IAM 8.0 or older, we recommend planning your upgrade to IAM 8.3 as soon as possible.