MobileFirst Security and LTPA

A lightweight third-party authentication (LTPA) token is a type of security token that is used by IBM® WebSphere® Application Server and other IBM products. LTPA can be used to send the credentials of an authenticated user to back-end services. It can also be used as a single sign-on (SSO) token between the user and multiple servers.

The following image shows a simple client <-> server flow with LTPA:
Simple LTPA-based client <-> server flow

After a user logs in, the server generates an LTPA token, which is an encrypted hash that contains authenticated user information. The token is signed by a private key that is shared among all the servers that want to decode it. For HTTP services the token is usually carried in a cookie. Because the token is sent as a cookie, subsequent requests need no further user interaction.

LTPA tokens have a configurable expiration time, which limits the window in which a stolen token is useful and so reduces the possibility of session hijacking.

The following image shows a client <-> MobileFirst Server <-> back-end server flow with LTPA:
LTPA-based client <-> MobileFirst Server <-> back-end server flow

Your infrastructure can also use the LTPA token to communicate with a back-end server to act on behalf of the user. The user cannot directly access the back-end server. Enterprise environments should use a reverse proxy, such as DataPower® or IBM Security Access Manager, in the DMZ, and place the MobileFirst Server in the intranet. This configuration ensures that access to the MobileFirst Server cannot be obtained until a user authenticates. For more information, see Reverse proxy with LTPA.
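The login-then-forward flow described above, as an added illustration that is not part of the product documentation and does not implement the real LTPA2 token format: a server issues a signed, expiring token as a cookie, and any server holding the same shared key (here the MobileFirst Server or the back-end) validates it, rejecting tampered or expired tokens. The shared key, user, group and lifetime values are constructed; `LtpaToken2` is the cookie name WebSphere uses.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. In a real deployment the LTPA keys are exported from the
# issuing server and imported into every server that must validate the token.
SHARED_KEY = b"demo-shared-key-not-for-production"


def issue_token(user, groups, lifetime_seconds, key=SHARED_KEY, now=None):
    """Issue a signed token with an expiry (simplified stand-in for LTPA, not the LTPA2 format)."""
    now = time.time() if now is None else now
    claims = {"user": user, "groups": groups, "exp": int(now + lifetime_seconds)}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, key=SHARED_KEY, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # tampered, or signed with a key this server does not share
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] <= now:
        return None  # expired: the configurable lifetime bounds a hijacked token's usefulness
    return claims


def cookie_header(token):
    """Set-Cookie header as the issuing server would send it to the client."""
    return f"Set-Cookie: LtpaToken2={token}; Path=/; HttpOnly; Secure"


def token_from_cookie(cookie_value):
    """Extract the token the MobileFirst Server forwards to the back-end from a Cookie header value."""
    for part in cookie_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "LtpaToken2":
            return value
    return None
```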