- 09 Apr 2024
User Access Token
- Updated on 09 Apr 2024
The User Access Token API call is an open-ended question for a specific user: it returns the list of allowed Assets and their associated Actions for a specific application. The request is generic and based primarily on the Identity, and it returns all requested Assets and Actions that are configured for this user in a single token. This lets the Scope cache the list of authorized Assets for a user within the Application session, reducing the performance overhead of enforcing access.
Notice
When accessing the Authorization APIs, the URL base/prefix depends on your PlainID PDP location:
- United States Cloud PDP - `https://tenant-name.us1.plainid.io`
- Canadian Cloud PDP - `https://tenant-name.ca1.plainid.io`
- European Cloud PDP - `https://tenant-name.eu1.plainid.io`
- Local PAA - `https://your-paa.acme.local`
For more information on which Asset Types to use with your PAA or Cloud PDP, refer to Managing Asset Types.
{
"entityId": "string",
"clientId": "string",
"clientSecret": "string",
"entityTypeId": "string",
"assetList": {
"type": [
{
"template": "string",
"path": "string",
"assetAttributes": {
"attribute_1": [
"string"
],
"attribute_2": [
"string"
]
}
}
]
},
"entityAttributes": {
"string": [
"value"
]
},
"contextData": {
"string": [
"string"
]
},
"environment": {
"string": [
"string"
]
},
"remoteIp": "192.168.0.1",
"timeZoneOffset": 0.0,
"resourceTypes": {
"name": "resource_01_name",
"attributeList": "-price -color"
},
"includeContext": false,
"includeAccessPolicy": false,
"includeAccessPolicyId": false,
"includeAssetAttributes": false,
"includeIdentity": false,
"accessTokenFormat": "JSON",
"useCache": true
}
- `entityId` - Unique identifier of the Identity
- `clientId` - Client ID of the Scope
- `clientSecret` - Client Secret ID of the Scope
- `entityTypeId` - Identity Template ID
- `entityAttributes` - List of Identity Attributes and their values. If not defined, Dynamic groups based on virtual attributes will not be considered in the Access Decision.
- `contextData` - Identity Context data for this request. When specifying this parameter, you are requesting information based on a specific parameter and its value. For example, Location where the contextData equals a specific branch. If not defined, Dynamic groups based on context data will not be considered in the Access Decision.
- `environment` - Environmental parameters need to be defined in policies as request. If not defined, parameters based on environmental data will not be considered in the Access Decision.
- `remoteIp` - IP address to be used when validating a policy. Ensure that your IP Ranges are correct based on an IP calculator. If not defined, the IP considered in the calculation is taken from the X-Forwarded-For (Request header).
- `timeZoneOffset` - Defines the offset from the UTC time zone. Used in Time Condition.
- `assetList` - Contains a list of the Asset's unique identifier and attributes:
  - `template` - Asset Template ID
  - `path` - Asset Unique Identifier
- `resourceTypes` - Because the full payload of the response can be very large, this parameter enables you to decrease the payload size by including a list of Asset Types and their attributes that will be returned in the response. If not specified, all resources from all resource types will be included.
- `includeContext` - Show/hide the context data in the response.
- `includeAccessPolicy` - Show/hide the name of the Policy in the response that has granted the specified access.
- `includeAccessPolicyId` - Show/hide the external id of the Policy in the response that granted the specified access.
- `includeAssetAttributes` - Show/hide the asset attribute of the assets in the response.
- `includeIdentity` - Show/hide the identity attribute of the identity in the response.
- `accessTokenFormat` - Determines the format of the response: `JSON`, `JWT`, or `StandardJWT`.
- `useCache` - Determines whether the response considers the cache settings or overrides the cache and performs a full calculation.
Determines the evaluation of Identity Attributes relationship in access decision.
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
These operational filters should affect the Runtime behavior and results by applying additional filtering which is not directly related to Authorization logic.
Input your sourceID/s here. For information on where to locate the sourceID, check out Managing Attribute Sources in our documentation.
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": null
}
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"permission": "Manage consumers accounts in branch",
"permissionId": "p1",
"action": "View"
}
]
}
]
}
],
"contextData": null
}
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
],
"contextData": {}
}
]
}
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"identity": {
"type": "02a89b66-0a15-4b8e-be6d-84cb99da9b13",
"typeName": "User",
"attributes": {
"First_Name": [
"Araldo"
],
"uid": [
"xB724129"
],
"User_Branch": [
"San Jose"
],
"Last_Name": [
"Baudou"
],
"ID": [
"xB724129"
],
"title": [
"Teller"
],
"User_Type": [
"Internal"
]
}
},
"contextData": null
}
{
"tokenValidity": 0,
"response": [
{
"access": [
{
"path": "27iX3j",
"attributes": {
"Path": [
"27iX3j"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "72xQ9i",
"attributes": {
"Path": [
"72xQ9i"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
},
{
"path": "05mZ1f",
"attributes": {
"Path": [
"05mZ1f"
],
"Account Type": [
"private"
],
"Account Branch": [
"San Jose"
]
},
"resourceType": "Bank Accounts",
"actions": [
{
"action": "View"
}
]
}
]
}
],
"contextData": {
"partner_id": "724f9f9b-af24-42fc-b97d-b399042ef00d"
}
}
An auto-generated key to set the correlation between the requested object and the response object (optional). When working with a single assetContext object, use the “singleObjectResponse” value to align to the original structure response.
Bad Request
{
"bank_users1 is not a valid identity type": null
}
Unauthorized
{
"Missing secret": null
}
Forbidden
{
"Invalid secret": null
}
Internal Server Error
{
"Asset provider is missing in config": "Accounts"
}
Example response
{
"errors": [
{
"id": "XXXX",
"code": "YYYY",
"message": "Invalid request"
}
]
}
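An added example (not PlainID's code) of the session cache the introduction describes: it indexes a JSON-format response by resource type and path and answers checks deny-by-default, treating error bodies like those above as no access. The function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample in the shape of the JSON responses shown above.
SAMPLE_OK = json.dumps({
    "tokenValidity": 0,
    "response": [{"access": [
        {"path": "27iX3j", "resourceType": "Bank Accounts",
         "actions": [{"action": "View"}]},
        {"path": "72xQ9i", "resourceType": "Bank Accounts",
         "actions": [{"permission": "Manage consumers accounts in branch",
                      "permissionId": "p1", "action": "View"}]},
    ]}],
    "contextData": None,
})
# Error bodies on this page carry no "response" list.
SAMPLE_ERR = json.dumps({"Invalid secret": None})


def build_access_index(body: str) -> dict:
    """Map (resourceType, path) -> set of allowed actions.

    Anything that is not a well-formed success body yields an empty
    index, so a failed or malformed PDP call denies everything.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return {}
    if not isinstance(doc, dict) or not isinstance(doc.get("response"), list):
        return {}
    index = {}
    for entry in doc["response"]:
        access = entry.get("access") if isinstance(entry, dict) else None
        for asset in access if isinstance(access, list) else []:
            if not isinstance(asset, dict):
                continue
            rtype, path = asset.get("resourceType"), asset.get("path")
            if not (isinstance(rtype, str) and isinstance(path, str)):
                continue
            actions = asset.get("actions")
            for act in actions if isinstance(actions, list) else []:
                name = act.get("action") if isinstance(act, dict) else None
                if isinstance(name, str):
                    index.setdefault((rtype, path), set()).add(name)
    return index


def is_allowed(index: dict, resource_type: str, path: str, action: str) -> bool:
    """Deny by default: only an exact resourceType/path/action match passes."""
    return action in index.get((resource_type, path), set())
```

Build the index once per session from the PDP reply and call `is_allowed` at each enforcement point; how long the index may be kept is an application decision this sketch does not make.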