Before authorization takes place, the application generally needs more information about the user who is logging in, both to make authorization decisions and, in some cases, to personalize the application.

The attributes required for authorization and application functionality can be handled in different ways:

  • The application stores the attributes in its local store
  • The application stores the attributes in a remote store
  • The attributes are provided along with the authentication request

Once the application has received the information it needs about the user (i.e. groups / roles), we can continue to the next step.
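
The three options listed above, combined into one attribute-resolution step, as an added example that is not part of the original page. The store contents, the shared key and the HMAC tag on attributes sent with the authentication are assumptions, and merging the sources as a union is only one possible policy.

```python
import hashlib
import hmac
import json

# Constructed sample data; every name and value below is hypothetical.
LOCAL_STORE = {"alice": {"roles": ["editor"]}}  # option 1: local store
# Option 2: stand-in for a lookup in a remote store such as a directory.
REMOTE_STORE = {"bob": {"groups": ["finance"], "roles": ["viewer"]}}
# Assumed to be shared with the party that authenticates the user.
IDP_KEY = b"constructed-demo-key"


def sign(attrs):
    """Integrity tag the authenticating party attaches to the attributes it sends."""
    body = json.dumps(attrs, sort_keys=True).encode()
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()


def asserted_attributes(auth):
    """Option 3: use attributes sent with the authentication only if the tag verifies."""
    attrs = auth.get("attributes")
    if attrs is None:
        return {}
    supplied = str(auth.get("signature", "")).encode()
    if not hmac.compare_digest(sign(attrs).encode(), supplied):
        raise PermissionError("attributes sent with authentication failed verification")
    return attrs


def resolve_attributes(user, auth):
    """Collect groups and roles from all three sources before authorization runs."""
    merged = {"groups": set(), "roles": set()}
    sources = (
        LOCAL_STORE.get(user, {}),
        REMOTE_STORE.get(user, {}),
        asserted_attributes(auth),
    )
    for source in sources:
        for key in merged:
            merged[key].update(source.get(key, []))
    return merged
```

Attributes looked up in a store are keyed by the already-authenticated user name, while attributes that travel with the authentication are rejected unless their integrity tag verifies, so a modified role list never reaches the authorization step.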