Token Assignment Context
Introduction
With the CoreOne Authentication Service, permissions are represented as role_claims. Those role_claims are a simple text representation of something the relying party will understand. A simple example is a role_claim with the content “Administrator”, which indicates to the relying party that the current user is an “Administrator”. Those role_claims can be created within the CoreOne Suite Admin UI and simply follow the requirements of the relying party.
The CoreOne Suite also allows for context-aware resource assignments / permissions. This means that, in addition to simply being in possession of a permission like a role_claim, the possession has a context. The context can be various things: for example, I possess this permission for another user, or in the context of an organization or company.
A few examples:
John (1) has the permission to read his own taxes in the tax application → user context of John
John (1) has the permission to read Sally's (3) taxes in the tax application → user context of Sally
John has the permission to read the taxes of ITSENSE (7) in the tax application → organizational context of ITSENSE
Permissions in the context of the user himself are simply published in the token's roles claim by default. Permissions with a context can be requested by requesting the roles_with_context scope.
roles_with_context
Whenever you request the roles_with_context scope, the token will be extended with the appropriate claim. Instead of a simple string array, you will get a complex JSON object as shown below:
"roles_with_context": [
"{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "2", "ContextObjectIdentifier": "1" } ] }",
"{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "2", "ContextObjectIdentifier": "3" } ] }",
"{ "Role": "Read Tax", "Context": [ { "ContextObjectType": "1", "ContextObjectIdentifier": "7" } ] }"
]
By default it contains the following data:
Role: The name of the permission / right
Context: A complex object
ContextObjectType: The type of context, as described in Assignment Context | Context Type
ContextObjectIdentifier: The identifier of the context
roles_with_context_min
This feature is available from version 9.1
Whenever you request the roles_with_context_min scope, the token will be extended with the minified version of roles_with_context. The claim is named roles_with_context_min and contains the same data, just packed differently. The “Role” string changes to “r”, “Context” becomes “c”, “ContextObjectType” becomes “cot” and “ContextObjectIdentifier” becomes “coi”. Moreover, context bundles relating to the same role are packed together, so “c” is actually a collection of context bundles.
You can see how the previous example looks in the minified version:
"roles_with_context_min": [
"{ "r": "Read Tax", "c": [[ { "cot": "2", "coi": "1" } ], [ { "cot": "2", "coi": "3" } ], [ { "cot": "1", "coi": "7" } ]] }"
]
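The following added example (not CoreOne's own code) shows how a relying party might normalize both claim variants into one set of grants and check a role together with its context, so that holding “Read Tax” for one context never authorizes another. It assumes the token signature has already been validated, that each entry is a JSON-encoded string as displayed above, and that type "2" is a user and "1" an organization as in the examples; all function names are hypothetical.

```python
import json

# Context type values as they appear in the page's example (assumption:
# "2" = user context, "1" = organizational context).
CTX_USER, CTX_ORG = "2", "1"

def _decode(entry):
    """Each claim entry is shown as a JSON-encoded string; accept a dict too."""
    return json.loads(entry) if isinstance(entry, str) else entry

def _bundle(objs, type_key, id_key):
    # A bundle is a list of context objects; compare values as strings.
    return frozenset((str(o[type_key]), str(o[id_key])) for o in objs)

def normalize(claims):
    """Return a set of (role, bundle) grants from either claim variant."""
    grants = set()
    for entry in claims.get("roles_with_context", []):
        e = _decode(entry)
        grants.add((e["Role"], _bundle(e["Context"], "ContextObjectType",
                                       "ContextObjectIdentifier")))
    for entry in claims.get("roles_with_context_min", []):
        e = _decode(entry)
        for objs in e["c"]:  # "c" is a collection of bundles
            grants.add((e["r"], _bundle(objs, "cot", "coi")))
    return grants

def is_allowed(grants, role, ctx_type, ctx_id):
    """Fail closed: role and context must match together. Bundles with more
    than one object are not matched, since the page does not define them."""
    return (role, frozenset({(str(ctx_type), str(ctx_id))})) in grants

# Constructed sample payloads mirroring the page's two examples.
FULL = {"roles_with_context": [
    json.dumps({"Role": "Read Tax", "Context": [
        {"ContextObjectType": t, "ContextObjectIdentifier": i}]})
    for t, i in [("2", "1"), ("2", "3"), ("1", "7")]]}
MIN = {"roles_with_context_min": [json.dumps({"r": "Read Tax", "c": [
    [{"cot": "2", "coi": "1"}], [{"cot": "2", "coi": "3"}],
    [{"cot": "1", "coi": "7"}]]})]}

if __name__ == "__main__":
    g = normalize(MIN)
    print(is_allowed(g, "Read Tax", CTX_USER, "3"))  # Sally's user context
    print(is_allowed(g, "Read Tax", CTX_USER, "7"))  # 7 is an organization ID
```

If a context transformation is configured, the identifier compared here would be the transformed value (for example a username) rather than the internal ID.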
Context Transformations
This feature is available from version 8.0
By default the internal IDs of the context objects are published in the token. So the combination of the ContextObjectType and ContextObjectIdentifier of the example above points to the CoreOne Suite user with ID 3. Most applications will not be able to process that information. Therefore a context transformation can be configured to transform that data into something an application will understand. For example, a transformation could be applied that resolves the ID 3 of the user to a username or a tax identifier number. This can be done with an Assignment context transformation.
© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.