Token Exchange Policy Workflow

Implementation

This workflow is an extension of the Token Exchange grant (OAuth) in IDHub.

Because the basic process only checks the validity of the tokens and IdPs, it will always return an access token under the Token Exchange grant. In practice, additional business logic may be required to decide whether an access token should be granted for the requested audience and/or scopes.

Therefore, it is possible to extend the Token Exchange process by providing tailor-made decision policies.

The workflow output is a simple 'allow' or 'deny'.

Example

Below is a minimal example that demonstrates the return value. Because this policy always returns allow: false, every exchange request is denied.

function checkPolicy(workitem) {
    // The decision is returned through the workitem output: allow true/false.
    workitem.output = tb.simpleResponse({
        allow: false
    });
}

Update user attributes

This feature is available as of TrustBuilder 9.5.3.

In the policy workflow you can also update user attributes, which are then passed along in the generated token. This is especially useful when the backend application needs a custom identifier for the user, or when application-specific roles have to be communicated.

function checkPolicy(workitem) {
    workitem.output = tb.simpleResponse({
        // Attributes only reach the generated token when the exchange is allowed.
        allow: true,
        attributes: {
            common: {
                applicationRoles: ["read", "write"],
                customIdentifier: ["john.doe"]
            }
        }
    });
}
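The following is an added example that combines both parts above (the allow/deny decision and the attribute update); it is not code from the TrustBuilder documentation. The request fields it reads from workitem.input (audience, issuer, scope, subject) and the local tb stand-in are assumptions made so the script runs outside IDHub.

```javascript
// Added example (not from the TrustBuilder docs): a least-privilege policy that
// allows the exchange only when the requested audience is known, the subject
// token's issuer is trusted for that audience, and every requested scope is
// permitted for it. Roles in the token are derived from the granted scopes only.
// ASSUMPTION: the fields below live on workitem.input. The tb object is a
// stand-in for running offline; remove it in IDHub, where tb is provided.
const tb = { simpleResponse: (r) => r };

// Constructed sample policy: per audience, trusted issuers and scope -> role mapping.
const AUDIENCE_POLICY = {
  "https://api.example.test/orders": {
    issuers: ["https://idp.example.test"],
    scopes: { "orders:read": "read", "orders:write": "write" },
  },
};

// Pure decision function: returns { allow, attributes?, reason? }.
function decide(input) {
  const policy = AUDIENCE_POLICY[input.audience];
  if (!policy) {
    return { allow: false, reason: "unknown audience" };
  }
  if (!policy.issuers.includes(input.issuer)) {
    return { allow: false, reason: "issuer not trusted for this audience" };
  }
  const requested = (input.scope || "").split(/\s+/).filter(Boolean);
  const denied = requested.filter((s) => !(s in policy.scopes));
  if (requested.length === 0 || denied.length > 0) {
    return { allow: false, reason: "scope not permitted: " + denied.join(",") };
  }
  const roles = Array.from(new Set(requested.map((s) => policy.scopes[s])));
  return {
    allow: true,
    attributes: { common: { applicationRoles: roles, customIdentifier: [input.subject] } },
  };
}

// Workflow entry point: only the documented keys (allow, attributes) are returned.
function checkPolicy(workitem) {
  const d = decide(workitem.input || {});
  workitem.output = tb.simpleResponse(
    d.allow ? { allow: true, attributes: d.attributes } : { allow: false }
  );
}
```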