PingAuthorize

User profile availability in policies

In a policy, you might need to make a decision based on something about the requesting identity, meaning the access token subject or token owner. PingAuthorize can automatically look up the token owner’s attributes and provide them in the policy request using a token resource lookup method.

Token resource lookup methods

PingAuthorize provides built-in support for retrieving token owner data using paz_token_resource_lookup.adoc#SCIM_token_resource_lookup. Using a SCIM token resource lookup method requires a SCIM resource type to be configured, along with its prerequisite configuration objects. For information about SCIM configuration, such as SCIM resource types, store adapters, load-balancing algorithms, and LDAP external servers, see SCIM configuration basics.

For examples that show how to set up a token resource lookup method, see:

User profile data from access tokens

When processing an incoming HTTP request, PingAuthorize Server invokes any applicable access token validators to parse the request’s access token. If an access token validator successfully validates the access token, it then invokes any related token resource lookup methods. If a token resource lookup method succeeds in retrieving the attributes for the token owner, then PingAuthorize Server includes a TokenOwner attribute with the policy request. The contents of the TokenOwner attribute are a JSON object containing the user profile.

The exact structure of the TokenOwner attribute varies from deployment to deployment. When using a SCIM token resource lookup method, the contents of the TokenOwner attribute are a SCIM resource using the schema of the SCIM resource type configured for the token resource lookup method, exactly as if the resource had been retrieved via an HTTP GET without policy restrictions. For example, for a pass-through SCIM resource type for the LDAP inetOrgPerson object class, a TokenOwner value might look like the following.

{
    "cn": [
        "Mark E. Smith"
    ],
    "employeeNumber": "1",
    "entryDN": "uid=mark.e.smith,ou=people,dc=example,dc=com",
    "entryUUID": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
    "givenName": [
        "Mark"
    ],
    "id": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
    "initials": [
        "MES"
    ],
    "l": [
        "Manchester"
    ],
    "mail": [
        "mark.e.smith@example.com"
    ],
    "meta": {
        "location": "https://example.com/scim/v2/Users/8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
"resourceType": "Users"
    },
    "mobile": [
        "+44 161 872 37676"
    ],
    "modifyTimestamp": "2020-06-03T03:56:54.168Z",
    "objectClass": [
        "top",
        "person",
        "organizationalPerson",
        "inetOrgPerson"
    ],
    "schemas": [
        "urn:pingidentity:schemas:store:2.0:UserStoreAdapter"
    ],
    "sn": [
        "Smith"
    ],
    "uid": [
        "mark.e.smith"
    ]
}

The default Trust Framework includes a TokenOwner attribute as an empty JSON object. If you need to use a user profile attribute from a policy, add the attribute as a child of TokenOwner in the Trust Framework.

For example, the SCIM user profile shown above uses the mail attribute to store a user’s email addresses. To make policy decisions involving the token owner’s email address, you can add an Emails attribute under TokenOwner in the PingAuthorize Policy Editor, as shown in the following Trust Framework image.

Screen capture of the Definitions tab in the Trust Framework, with the Emails attribute selected. The Emails attribute shows TokenOwner as its parent, with an attribute resolver of TokenOwner, a JSON Path processor of type Collection for the mail attribute, and a Default value (enabled) of empty square brackets of Type Collection