IDP Webhook for Token Enrichment

IDP  WebHook Overview

The PlainID IDP Web-Hook enables IDP Token Enrichment, by dynamically enriching the IDP JWT with claims from the PlainID PDP response.

For information on IDP Authorizers, click here.

IDP WebHook Workflow

After the IDP generates a JWT token allowing the user to log in, it reaches out to the Authorization Platform, requesting an authorization response to its query. The token is enriched with the decision based on organization-defined criteria such as which users (WHO) can access the specified Asset (WHAT) according to specific Conditions (WHEN). The JWT is enriched with this information and returned to the application, which then ALLOWS or DENIES the user access based not only on the identification of the user (for example password or user name) but also the rules and conditions defined in the organization's Authorization Policies.

This session-based enriched token provides several benefits to the organization. First and foremost is the seamless nature of the interaction between the user who wishes to log in to the Application, and the IDP, which needs to allow access based on specific Policies. These Policies are agnostic, meaning that the user (and even the Application itself) does not need to interact with (or even be aware of) the Authorization Platform's role in implementing the organization's Authorization requirements.

Token Enrichment Workflow

1. User requests to log into the Online Bank Portal.
2. The organization's Online Bank Portal application receives the login requests and sends a query to the IDP. 
3. The IDP sends a query to the PlainID IDP WebHook, which in turn queries the Policy Decision Point (PDP). Claims with the required values are then returned to the PlainID WebHook, which enriches the JWT token and returns it to the organization's IDP.
4. The enriched JWT is returned to the Application, which uses the information in the enriched token to either approve or deny access to the Application.
   

Prerequisites

• A Policy Authorization Agent must be installed and running.
• An Application must be defined.
  • Associate an Asset Type that manages the Claims with the Application
    • With the associated Scope (Client ID + ClientSecret) (this information is used to define the Hook in the IDP
    • claimKey and claimValue Attributes must be defined.
• A Policy must be defined and the Application associated to it.
• IDP Prerequisites: 
  • Existing application
  • At least 1 user associated with the application in the IDP
  • Rule (Access Policy Rule)

Process for Creating and Enriching the Token

1. In the Authorization Platform Tenant , create a new Environment. This automatically creates a default Asset Type called Claims.

1. Select the default Asset Type. The Asset Settings screen opens.
2.  Select the Asset Attributes tab, you will see that three values were automatically created within the new Environment. These include:
   • claimKey
   • claimValue
   • Asset ID 
3. Customize the claimKey and claimValue to your Asset. For example:

• The name of the Asset is: Online Banking Portal.
• The claimKey=bankingPortal.
• The claimValue=bankTeller

These claims can be used to enrich the token. 

The Inline Hook is used to define the connection settings between the organization's IDP and the Authorization Platform's PDP. Using Okta as an example, the following Inline Settings need to be defined:

When users try to login to the web-application (for example using a tool such as https://oidcdebugger.com), they will obtain a JWT that contains the relevant claims (keys and secrets). 

After the settings are configured, click Send Request to test the configuration.

If everything is configured correctly, you should receive a JWT/Response with the relevant claims from the PlainID Access Policy, e.g.:

Using the IDP WebHook from within the Policy Authorization Agent (PAA) allows for more flexibility and delivers a more dynamic approach to configuring the IDP WebHook settings.