Copy of Token Assignment Context
Introduction
With the CoreOne Authentication Service, permissions are represented as role_claims
. Those role_claims
are a simple text representation of something, the relying party will understand. A simple example is a role_claim
with the content “Administrator” which will indicate to the relying party, that the current user is an “Administrator”. Those role_claims
can be created within the CoreOne Suite Admin UI and simply follow the requirements of the relying party.
The CoreOne Suite also allows for context aware resource assignments. This means, in addition to simply be in the possession of a permission like a role_claim
, the possesion can have a context. The context itself can be various things like I posses this permission for another user or in the context of an organization or company.
A few examples:
John has the permission to read his own taxes in the tax application → no context
John has the permission to read Sallys taxes in the tax application → user context of Sally
John has the permission to read the taxes of ITSENSE in the tax application → organizational context of ITSENSE
Permission without a context are simply published in the tokens roles
claim by default. Permissions with a context can be requested by requesting the roles_with_context
.
roles_with_context
Whenever you are requesting the roles_with_context
claim, the token will be extend with the appropriate data. Instead of simple string array, you will get a complex object as shown below:
"roles_with_context": [
"{\"Role\":\"Read Tax\",\"Context\":[{\"ContextObjectType\":\"User\",\"ContextObjectIdentifier\":\"3\"}]}",
"{\"Role\":\"Read Tax\",\"Context\":[{\"ContextObjectType\":\"Organizational Unit\",\"ContextObjectIdentifier\":\"7\"}]}"
]
By default it contains the following date
role
The name of the permission / right
Context
A complex object
ContextObjectType
The type of context like user, organizational unit and so on
ContextObjectIdentitfier
The identifier of the context
Context Transformations
By default the internal IDs of the context objects are published in the token. So the combination of the ContextObjectType
and ContextObjectIdentitfier
of the example above point to the CoreOne Suite user with ID 3. Most applications will not be able to process that information. Therefore a context transformation can be configured to transform that data to something, an application will understand. For example could a transformation be applied that will resolve the ID 3 of the user to a username or a tax identifier number. This can be done with an Assignment context transformations.
© ITSENSE AG. Alle Rechte vorbehalten. ITSENSE und CoreOne sind eingetragene Marken der ITSENSE AG.