In a policy, you might need to make a decision based on something about the requesting identity, meaning the access token subject or token owner. PingAuthorize can automatically look up the token owner's attributes and provide them in the policy request using a token resource lookup method.
Token resource lookup methods
PingAuthorize provides built-in support for retrieving token owner data using SCIM token resource lookup methods. Using a SCIM token resource lookup method requires a SCIM resource type to be configured, along with its prerequisite configuration objects. For information about SCIM configuration, such as SCIM resource types, store adapters, load-balancing algorithms, and LDAP external servers, see SCIM configuration basics.
User profile data from access tokens
When processing an incoming HTTP request, PingAuthorize Server invokes any applicable access
token validators to parse the request's access token. If an access token validator
successfully validates the access token, it then invokes any related token resource
lookup methods. If a token resource lookup method succeeds in retrieving the
attributes for the token owner, then PingAuthorize Server includes a
TokenOwner
attribute with the policy request. The contents of
the TokenOwner
attribute are a JSON object containing the user
profile.
The exact structure of the TokenOwner
attribute varies from
deployment to deployment. When using a SCIM token resource lookup method, the
contents of the TokenOwner
attribute are a SCIM resource using the
schema of the SCIM resource type configured for the token resource lookup method,
exactly as if the resource had been retrieved via an HTTP GET without policy
restrictions. For example, for a pass-through
SCIM resource type
for the LDAP inetOrgPerson object class, a TokenOwner
value might
look like the following.
{
"cn": [
"Mark E. Smith"
],
"employeeNumber": "1",
"entryDN": "uid=mark.e.smith,ou=people,dc=example,dc=com",
"entryUUID": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
"givenName": [
"Mark"
],
"id": "8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
"initials": [
"MES"
],
"l": [
"Manchester"
],
"mail": [
"mark.e.smith@example.com"
],
"meta": {
"location": "https://example.com/scim/v2/Users/8ac3d8b5-4f17-33fa-a4b4-854599ed9a89",
"resourceType": "Users"
},
"mobile": [
"+44 161 872 37676"
],
"modifyTimestamp": "2020-06-03T03:56:54.168Z",
"objectClass": [
"top",
"person",
"organizationalPerson",
"inetOrgPerson"
],
"schemas": [
"urn:pingidentity:schemas:store:2.0:UserStoreAdapter"
],
"sn": [
"Smith"
],
"uid": [
"mark.e.smith"
]
}
The default Trust Framework includes a TokenOwner
attribute as an
empty JSON object. If you need to use a user profile attribute from a policy, add
the attribute as a child of TokenOwner
in the Trust Framework.
For example, the SCIM user profile shown above uses the mail
attribute to store a user's email addresses. To make policy decisions involving the
token owner's email address, you can add an Emails
attribute under
TokenOwner
in the PingAuthorize
Policy Editor, as shown in the following Trust
Framework image.