Versions Compared

Version Old Version 4 New Version Current
Changes made by

Silvan Grüter

Witold Wabik

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

With the CoreOne Authentication Service, permissions are represented as role_claims. Those role_claims are a simple text representation of something, the relying party will understand. A simple example is a role_claim with the content “Administrator”, which will indicate to the relying party, that the current user is an “Administrator”. Those role_claims can be created within the CoreOne Suite Admin UI and simply follow the requirements of the relying party.

The CoreOne Suite also allows for context aware resource assignments / permissions. This means, in addition to simply be in the possession of a permission like a role_claim, the possesion can possession have a context. The context itself can be various things like I posses this permission for another user or in the context of an organization or company.

A few examples:

  • John (1) has the permission to read his own taxes in the tax application → no user context of John

  • John (1) has the permission to read Sallys (3) taxes in the tax application → user context of Sally

  • John has the permission to read the taxes of ITSENSE (7) in the tax application → organizational context of ITSENSE

Permission without a context in the context of the user himself are simply published in the tokens roles claim by default. Permissions with a context can be requested by requesting the roles_with_context scope.

roles_with_context

Whenever you are requesting the roles_with_context claim scope, the token will be extend with the appropriate dataclaim. Instead of simple string array, you will get a complex JSON object as shown below:

Code Block
 "roles_with_context": [
      "{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "2", "ContextObjectIdentifier": "1" } ] }", 
      "{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "User2", "ContextObjectIdentifier": "3" } ] }",
      "{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "Organizational Unit1", "ContextObjectIdentifier": "7" } ] }"
  ]

...

ContextObjectIdentitfier The identifier of the context

roles_with_context_min

Info

This feature is available from version 9.1

Whenever you are requesting the roles_with_context_min scope, the token will be extend with the minified version of roles_with_context. Claim is named roles_with_context_min and contains the same data just packed differently. The “Role” string changes to “r”, “Context” becomes “c”, “ContextObjectType” becomes “cot” and “ContextObjectIdentifier“ becomes “coi“. Moreover context bundles relating to the same roles are packed together, so “c” is actually collection of context bundles”

You can see how previous example will look in minified version:

Code Block
 "roles_with_context_min": [
      "{ "r": "Read Tax", "c": [[ { "cot": "2", "coi": "1" } ], [ { "cot": "2", "coi": "3" } ], [ { "cot": "1", "coi": "7" } ]] }"
  ]

Context Transformations

Info

This feature is available from version 8.0

...