Thales


The integration of PlainID with Thales OneWelcome enables organizations to implement a seamless authentication and authorization process by using webhook-based token enrichment. Thales OneWelcome acts as the Identity Provider (IdP), performing authentication through standard protocols such as OIDC and SAML and issuing tokens or assertions. The PlainID Thales Authorizer complements this process by dynamically calculating and generating authorization claims based on PlainID Policies.

These claims are returned to Thales through webhook responses and are used to enrich the following:

  • Access Tokens (OIDC)
  • SAML Assertions

The result is a continuous and adaptive authorization model in which access decisions reflect real-time Policy evaluation and contextual data.

Token Enrichment Flow

The token enrichment flow dynamically calculates and provides authorization claims during the authentication process.

Example

Explanation

  1. The user signs in to the application.
  2. The application initiates authentication with Thales OneWelcome.
  3. During token or assertion generation, Thales invokes a configured webhook for enrichment.
  4. Thales sends a request to PlainID through the webhook interface.
  5. The PlainID PDP evaluates the relevant Policies.
    • If required, the PIP retrieves additional Attributes from external data sources.
  6. PlainID returns the authorization claims.
  7. Thales enriches the token or assertion with the returned claims.
  8. The application receives the enriched token or assertion.

Supported Flows

The following webhook-based flows are supported:

  • Access Token Webhook (OIDC)
  • SAML Assertion Webhook

This integration is available for deployment in the PAA (on-premises or hybrid) Environment.

Authentication Model

Webhook calls from Thales to PlainID are authenticated by using JWT bearer tokens.

Token Characteristics

Claim       Description
client_id   Always onewelcomeAccessWebHookClient
scope       onewelcome_webhooks_{webhookName}
iss         Thales tenant-specific issuer
aud         Webhook endpoint URL
exp         Expiration timestamp

Validation Requirements

PlainID validates incoming requests by completing the following steps:

  1. Extract the JWT from the Authorization header (Bearer scheme).
  2. Resolve the JWKS endpoint from the issuer's OpenID discovery document:
    • {iss}/.well-known/openid-configuration (the jwks_uri value it publishes)
  3. Verify the token signature against the key from the JWKS.
  4. Validate the claims:
    • client_id matches the expected value (onewelcomeAccessWebHookClient).
    • scope matches the configured webhook (onewelcome_webhooks_{webhookName}).
    • iss matches the tenant.
    • The token has not expired (exp).

© 2026 PlainID LTD. All rights reserved.