Creating and Enriching the Token
    • 01 Sep 2024
    To enrich the token:
    1. In the Platform Tenant, create a new Environment. This automatically creates a default Asset Type called Claims.

    Information

    In Platform versions prior to 5.0 (January 2023), the default Asset Type was called Default Asset Type and had only the Asset ID Attribute. If you are using an existing Environment, you will need to create the Claims Asset Type with the Attributes claimKey and claimValue.

    2. Select the default Asset Type. The Asset Settings screen opens.
    3. Select the Asset Attributes tab. Three Attributes were automatically created within the new Environment:
      • claimKey
      • claimValue
      • Asset ID
    4. Customize the claimKey and claimValue to your Asset. For example:
      • The name of the Asset is Online Banking Portal.
      • claimKey=bankingPortal
      • claimValue=bankTeller

    These claims can be used to enrich the token.


    Attribute/Parameter   Description
    secret                Secret that allows the IDP to authenticate to the IDP Webhook endpoint
    loglevel              Error
    runtimehost           The server k8s svc IP (e.g. http://10.48.6.97)
    runtimeuri            Static value, default: /api/runtime/token/v3
    listenport            The port that the IDP Webhook service will be listening on (for example: 8080)


    The Inline Hook is used to define the connection settings between the organization's IDP and the Authorization Platform's PDP. Using Okta as an example, the following Inline Settings need to be defined:

    Parameter: Name
      • Value: PlainID Access
      • Description: Any name can be used

    Parameter: URL
      • Value: https://[plainid-base-url].plainid.io/hook/okta?appPostfix=-V5
      • Example: https://acme-finance.us1.plainid.io/hook/okta?appPostfix=-V5

    Parameter: Authentication field
      • Value: x-plainid-secret
      • Description: The attribute/header that will contain the value of the PlainID Scope clientSecret (use only: x-plainid-secret)

    Parameter: Authentication secret
      • Value: The PlainID Scope clientSecret, e.g. TBRQdjeedjmbZxedeidj0mVN5tY1Ty5PLe5OePUHZS

    Parameter: Custom header field
      • Value: x-plainid-client
      • Description: The value of the PlainID Client ID, obtained from PlainID Scope Management. It must be used exactly as given.

    When users log in to the web application (for example using a tool such as https://oidcdebugger.com), they will obtain a JWT that contains the relevant claims (keys and values).

    Attribute: Authorize uri
      • Value: https://dev-344343.okta.com/oauth2/aus7j5bjshdjfhshZNm25d7/v1/authorize
      • Description: The link to the defined Okta Client

    Attribute: Client ID
      • Value: 0oa7ldghfeskfjIoOii5d7
      • Description: The Okta Application Client ID

    Attribute: Response Types
      • Value: Select all available values

    Attribute: Scope
      • Value: Openid [default]

    After the settings are configured, click Send Request to test the configuration.

    If everything is configured correctly, you should receive a JWT/Response with the relevant claims from the PlainID Access Policy, e.g.:

    {
       "sub": "00u7mdjdhdhdhjBky5d7",
       "ver": 1,
       "iss": "https://dev-344343.okta.com/oauth2/aus7j5bjshdjfhshZNm25d7",
       "aud": "0oa7m66nxxZ30CEOg5d7",
       "iat": 1673259158,
       "exp": 1673262758,
       "jti": "ID.fMPCup1auYv4cJWA8h_7rm2RpdWRfQ77uAWQh4OvFyo",
       "amr": [
          "pwd"
       ],
       "idp": "00o7ifadsdasddXcpgO5d7",
       "nonce": "s9r39ftqr7dm",
       "auth_time": 1673250531,
       "at_hash": "RJasdfadsfSakS7s-YiwQ",
       "c_hash": "f3tMasdfasdfz4DDKyyk2QKw",
       "claimPortalRole": [
          "Administrator"
       ],
       "DepartmentManagerLevel": [
          "Senior"
       ]
    }
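    As an added example that is not PlainID's or Okta's own code: a minimal receiver for the hook configured above. It checks the x-plainid-secret and x-plainid-client headers against the Scope credentials (constant-time, failing closed when a header is absent), folds claimKey/claimValue rows into the claim lists seen in the token above, and returns them in Okta's token inline hook patch format (com.okta.identity.patch), which this page does not show. The secret, client ID and claim rows are constructed sample values.

```python
import hmac
from collections import defaultdict

# Header names from the Okta inline hook settings above (matched case-insensitively).
SECRET_HEADER = "x-plainid-secret"
CLIENT_HEADER = "x-plainid-client"

# Constructed sample: rows of the Claims Asset Type (claimKey/claimValue) that the
# PDP would return for the authenticated user. Values mirror the token shown above.
SAMPLE_CLAIM_ASSETS = [
    {"claimKey": "claimPortalRole", "claimValue": "Administrator"},
    {"claimKey": "DepartmentManagerLevel", "claimValue": "Senior"},
]

def authenticate(headers, expected_secret, expected_client):
    """True only if both hook headers match the configured Scope credentials.
    Missing headers compare as empty strings, so they fail closed; compare_digest
    keeps the comparison constant-time so the secret cannot be probed byte by byte.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    secret_ok = hmac.compare_digest(
        lowered.get(SECRET_HEADER, "").encode(), expected_secret.encode())
    client_ok = hmac.compare_digest(
        lowered.get(CLIENT_HEADER, "").encode(), expected_client.encode())
    return secret_ok and client_ok


def group_claims(claim_assets):
    """Fold claimKey/claimValue rows into {claimKey: [claimValue, ...]}, deduplicated."""
    grouped = defaultdict(list)
    for row in claim_assets:
        if row["claimValue"] not in grouped[row["claimKey"]]:
            grouped[row["claimKey"]].append(row["claimValue"])
    return dict(grouped)


def build_patch(claims):
    """Okta token inline hook response: one 'add' op per claim on the ID token
    (com.okta.identity.patch is Okta's documented command type, not shown on this page)."""
    ops = [{"op": "add", "path": f"/claims/{key}", "value": values}
           for key, values in claims.items()]
    return {"commands": [{"type": "com.okta.identity.patch", "value": ops}]}


def handle_hook(headers, claim_assets, expected_secret, expected_client):
    """Return (http_status, body): 401 on bad credentials, else the claim patch."""
    if not authenticate(headers, expected_secret, expected_client):
        return 401, {"error": "hook authentication failed"}
    return 200, build_patch(group_claims(claim_assets))
```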

    Using the IDP WebHook from within the Policy Authorization Agent (PAA) allows for more flexibility and delivers a more dynamic approach to configuring the IDP WebHook settings.


