Customize User Details Web Hook
The user details customization web hook is meant to be identity-centric, meaning that it should only focus on user-related information. Modifying access control is out of scope.
To get a better understanding please consider the following scenarios:
- There is another service that is a source of user-related information. The returned attributes are complementary to what is provided by the configured identity provider instance.
- The client expects certain claims to be provided in a specific format (whether that concerns the claim name or how the value is represented).
- There is a need for dynamic (based on given factors/state) reduction of some of the user-related information that will be provided to the clients.
The web hook specification
The web hook input parameters include:
- identity of the user
- set of requested scopes
- all available user-related claims
- web hook context (optional custom parameters), i.e. 'on_behalf_of' and 'on_behalf_of_type' when integrating with an Externalized Authorization product
Based on the above information the web hook is allowed to filter, change and introduce new user claims.
Please note that the following claims are considered protected and are not allowed to be modified:
- "iss"
- "aud"
- "verified_claims"
- "sub"
- "urn:onegini.com:oidc:*"
- "group_permissions"
The web hook is executed before the ID token and user-info response are created. This way, the implementor is fed all information that is available, and the result is deterministic.
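As an added illustration (not code from the product or its OpenAPI contract), the handler below works through the three scenarios above for one call to /v1/customize-token and then fails closed if the result would touch a protected claim. The request shape (identity, scopes, claims, context), the EXTRA_ATTRIBUTES table and the user values are constructed assumptions; the real payload shape is defined by the API contract.

```python
import fnmatch

# Claim names the page lists as protected; the web hook may not add, change or remove them.
PROTECTED_CLAIMS = ("iss", "aud", "verified_claims", "sub",
                    "urn:onegini.com:oidc:*", "group_permissions")

# Constructed stand-in for "another service that is a source of user-related information".
EXTRA_ATTRIBUTES = {"user-123": {"department": "finance", "cost_center": "CC-42"}}


def is_protected(name: str) -> bool:
    """True when the claim is protected, including the urn:onegini.com:oidc:* wildcard."""
    return any(fnmatch.fnmatchcase(name, p) for p in PROTECTED_CLAIMS)


def check_protected(original: dict, proposed: dict) -> None:
    """Reject a result that adds, removes or alters any protected claim."""
    for name in set(original) | set(proposed):
        if is_protected(name) and original.get(name) != proposed.get(name):
            raise ValueError(f"protected claim modified: {name}")


def customize_claims(request: dict) -> dict:
    """Handle one call to /v1/customize-token.

    `request` uses an assumed shape with the four inputs the page names:
    identity, scopes, claims and context (the real shape is in the OpenAPI spec).
    """
    scopes = set(request.get("scopes", ()))
    original = request["claims"]
    claims = dict(original)
    context = request.get("context", {})

    # Scenario 1: complement the identity provider's claims with attributes from another source.
    claims.update(EXTRA_ATTRIBUTES.get(request["identity"], {}))

    # Scenario 2: present a claim in the format the client expects (one display name).
    if "given_name" in claims and "family_name" in claims:
        claims["display_name"] = f"{claims['given_name']} {claims['family_name']}"

    # Scenario 3: dynamic reduction - contact data only with its scope, and a minimal
    # set when acting on behalf of another principal (the 'on_behalf_of' context).
    if "email" not in scopes:
        claims.pop("email", None)
    if context.get("on_behalf_of"):
        keep = {"display_name", "department"}
        claims = {k: v for k, v in claims.items() if k in keep or is_protected(k)}

    check_protected(original, claims)  # fail closed rather than return a forbidden change
    return claims
```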
API Contract
The OpenAPI specification of the web hook can be found here
Web Hook configuration
Before the web hook can be used a few configuration steps are required. First, you need to provide the details about where the web hook API can be reached, including the authentication details. Once that's available, you should be able to link the just-defined web hook instance to your client.
Defining a Web Hook instance
In order to define a new web hook instance, log in to Access's admin console and navigate to the Configuration -> System -> Web Hooks tab.
Next, select the Add Web Hook Configuration option and provide the necessary information:
- define the name for the new web hook
- choose the User Details Customization type
- set the base URL. Please note that the base URL will be concatenated with the web hook path that's defined in the API contract. For example, by setting https://hooks.onewelcome.com, Access will call the following location: https://hooks.onewelcome.com/v1/customize-token
- choose the desired authentication scheme
Once done, save the configuration and proceed to your client configuration page.
Updating client configuration
Due to its characteristics, it only makes sense to configure the user details customization web hook with clients that are acting as OpenID Connect (OIDC) Relying Parties (RPs). The web hook can be configured for both dynamic (represented by mobile applications) and static (usually represented by web apps/portals) clients. Depending on the type of the client you want to configure, navigate to Configuration -> App Configuration -> Applications or Configuration -> Web clients respectively.
The web hook configuration is available on the OpenID Connect configuration page, which is shown ONLY after enabling the openid scope for that client.