Identity Cloud

The augmentSecurityContext trigger

The augmentSecurityContext trigger, defined in the authentication configuration, can reference a script that is executed after successful authentication. These scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by queryOnResource, the augmentSecurityContext script can provide the required authorization map.

These scripts have access to the following bindings:

  • security - includes the authenticationId and the authorization key, which includes the moduleId.

    The main purpose of an augmentSecurityContext script is to modify the authorization map that is part of this security binding. The authentication module determines the value of the authenticationId, and IDM attempts to populate the authorization map with the details it finds for that authenticationId value. These details include the following:

    • security.authorization.component - the resource that contains the account (by default, this will always be the same as the value of queryOnResource).

    • security.authorization.id - the internal _id value that is associated with the account.

    • security.authorization.roles - any roles that were determined, either from reading the userRoles property of the account or from calculation.

    • security.authorization.moduleId - the authentication module responsible for performing the original authentication.

    You can use the augmentSecurityContext script to change any of these authorization values. The script can also add new values to the authorization map, which will be available for the lifetime of the session.

  • properties - corresponds to the properties map of the related authentication module.

  • httpRequest - a reference to the Request object that was responsible for handling the incoming HTTP request.

    This binding is useful to the augment script because it has access to all of the raw details from the HTTP request, such as the headers. The following code snippet shows how you can access a header using the httpRequest binding. This example accesses the authToken request header:

    httpRequest.getHeaders().getFirst('authToken').toString()
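    As an added example that is not part of the original documentation, the following Node-runnable script body uses the security and httpRequest bindings described above to adjust the authorization map, adding a header-requested role only when it appears on an allow-list. The header name X-Requested-Role, the make* stand-ins for the bindings, and the sample user, module and role values are assumptions.

```javascript
// Added example, not from the IDM docs: an augmentSecurityContext script body
// factored into a function so it runs offline under Node. In IDM, `security`
// and `httpRequest` are injected bindings; the make* helpers are constructed
// stand-ins modelling only the parts of those bindings this script touches.

// Roles a request header may ask for. 'internal/role/openidm-authorized' is a
// built-in IDM role; 'internal/role/report-viewer' is a constructed name.
var HEADER_ROLE_ALLOWLIST = ['internal/role/openidm-authorized', 'internal/role/report-viewer'];

function augmentSecurityContext(security, httpRequest) {
  var authz = security.authorization;
  // Normalise roles to an array so the rest of the script can rely on it.
  if (!Array.isArray(authz.roles)) {
    authz.roles = authz.roles ? [authz.roles] : [];
  }
  // Read a raw header with the pattern the page shows; getFirst() is null when absent.
  var raw = httpRequest.getHeaders().getFirst('X-Requested-Role');
  var requested = raw === null ? null : String(raw).trim();
  // Header text is client-controlled input: only allow-listed role names are
  // added, and only once, so arbitrary strings never land in the roles list.
  var honoured = requested !== null && HEADER_ROLE_ALLOWLIST.indexOf(requested) !== -1;
  if (honoured && authz.roles.indexOf(requested) === -1) {
    authz.roles.push(requested);
  }
  // New keys in the authorization map persist for the lifetime of the session.
  authz.authenticatedVia = authz.moduleId;
  authz.headerRoleHonoured = honoured;
  return security;
}

// Constructed stand-in for the httpRequest binding (case-insensitive header lookup).
function makeHttpRequest(headers) {
  var table = {};
  Object.keys(headers).forEach(function (k) { table[k.toLowerCase()] = headers[k]; });
  function getFirst(name) {
    var v = table[name.toLowerCase()];
    return v === undefined ? null : v;
  }
  return { getHeaders: function () { return { getFirst: getFirst }; } };
}

// Constructed stand-in for the security binding after a successful authentication.
function makeSecurity(authenticationId, moduleId, roles) {
  return {
    authenticationId: authenticationId,
    authorization: { component: 'managed/user', id: 'constructed-id-0001', roles: roles, moduleId: moduleId }
  };
}
```

    In a real deployment the body of augmentSecurityContext runs at top level with the bindings already in scope, so the function wrapper and the make* helpers are only there to make the logic testable.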

For more information, refer to Roles, authentication, and the Security Context.

Copyright © 2010-2024 ForgeRock, all rights reserved.