Contents x
    Authentication
    • 04 Dec 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Contents

    Authentication

    • Updated on 04 Dec 2023
    • 1 Minute to read
    • Print
    • Dark
      Light
    • PDF
    Article Summary

    General

    Authentication to use the PlainID Policy Decision Point APIs can be done by passing the ClientID and ClientSecret in the following methods:

    1. As part of the REST API Request Body.
    2. As part of the REST API Request Header.
    3. As part of a valid JWT that can be verified using the JWT Issuer's JWKS URL.

    Using the Authorization Request Body

    Sample Request Body for the Permit/Deny Endpoint

    Request URL

    https:///acme-finance.us1.plainid.io/api/runtime/permit-deny/v3

    Request Body

    {
    "entityId": "UX-12345",
    "entityTypeId": "bank_users",
    "clientId": "{ClientID}",
    "clientSecret": "{ClientSecret}",
    "responseType": "accessDecision",
    "listOfResources": [
        {
            "resourceType": "Accounts",
            "resources": [
                {
                    "action": "Access",
                    "path": "AS-XX-12575"
                }
            ]
        }
    ]
}

    Using the Authorization Request Header

    By adding the following headers to the Authorization Request:

    Header KeyHeader Value
    X-Client-IdThe PlainID Scope ClientID
    X-Client-SecretThe PlainID Scope ClientSecret

    Using the Authorization Request JWT

    PlainID Policy Decision Point can also authorize access to the Authorization APIs.

    Please note - the clientIdand entityId must be passed as part of the Authorization Request Body or Header.

    The JWT should be valid - the Policy Decision Point will validate the JWT by using the JWKS URL of the JWT Issuer (Authorization Server, IDP, etc.).

    If the JWT is invalid - no identity attributes are extracted to be used in the Policy Decision calculation.

    The JWKS URLs can be configured in the PlainID Policy Administration Point under Tenant Management > Policy Authorization Agents.

    Sample JWT

    {
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "businessData": {
    "department": "Home Loans",
    "branch": "TX"
  },
  "phoneNumbers": [
    {
      "type": "land",
      "number": "0123-4567-8888"
    },
    {
      "type": "mobile",
      "number": "0333-4567-9999"
    }
  ]
}

    Encoding and Decoding of JWT can be done by accessing https://jwt.io

    Using the JWT as Identity Attribute Source

    The Claims from the JWT can be used to obtain information about the Identity (the user).

    The unique identity of the user (entityId) is still required in the request body when using JWT as an identity source.

    In the PlainID Policy Administration Point access the Identity Workspace, and map the relevant claims from the JWT to the corresponding Identity Attributes:
    authentication attribute source.png

    Sample JWT Claims Mapping to Identity Attributes

    Identity AttributeClaim NameJSON PathValue
    Namename$.nameJohn Doe
    Departementdepartment$.businessData.departement
    HomePhonephoneNumbers$.phoneNumbers[:1].number

    The first value from the phoneNumbers array

    		0123-4567-8888
    CellPhonephoneNumbers$.phoneNumbers[?(@.type=='mobile')].number

    The value with the type mobile from the phoneNumbers array

    		0333-4567-9999
    Was this article helpful?
    What's Next