augmentSecurityContext trigger, defined in the authentication configuration, can reference a script that is executed after successful authentication. These scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by
augmentSecurityContext can provide the required authorization map.
These scripts have access to the following bindings:
security- includes the
authorizationkey, which includes the
The main purpose of an
augmentSecurityContextscript is to modify the
authorizationmap that is part of this
securitybinding. The authentication module determines the value of the
authenticationId, and IDM attempts to populate the
authorizationmap with the details that it finds, related to that
authenticationIdvalue. These details include the following:
security.authorization.component- the resource that contains the account (by default, this will always be the same as the value of
security.authorization.id- the internal
_idvalue that is associated with the account.
security.authorization.roles- any roles that were determined, either from reading the
userRolesproperty of the account or from calculation.
security.authorization.moduleId- the authentication module responsible for performing the original authentication.
You can use the
augmentSecurityContextscript to change any of these
authorizationvalues. The script can also add new values to the
authorizationmap, which will be available for the lifetime of the session.
properties- corresponds to the
propertiesmap of the related authentication module.
httpRequest- a reference to the
Requestobject that was responsible for handling the incoming HTTP request.
This binding is useful to the augment script because it has access to all of the raw details from the HTTP request, such as the headers. The following code snippet shows how you can access a header using the
httpRequestbinding. This example accesses the
For more information, refer to Roles, authentication, and the Security Context.