The augmentSecurityContext Trigger
The augmentSecurityContext trigger, defined in the authentication configuration, can reference a script that is executed after successful authentication. Such scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by queryOnResource, the augmentSecurityContext script can provide the required authorization map.

Such scripts have access to the following bindings:

security - includes the authenticationId and the authorization key, which in turn includes the moduleId. The main purpose of an augmentSecurityContext script is to modify the authorization map that is part of this security binding. The authentication module determines the value of the authenticationId, and IDM attempts to populate the authorization map with the details that it finds related to that authenticationId value. These details include the following:

security.authorization.component - the resource that contains the account (by default this is always the same as the value of queryOnResource).
security.authorization.id - the internal _id value that is associated with the account.
security.authorization.roles - any roles that were determined, either by reading the userRoles property of the account or by calculation.
security.authorization.moduleId - the authentication module responsible for performing the original authentication.

You can use the augmentSecurityContext script to change any of these authorization values. The script can also add new values to the authorization map, which remain available for the lifetime of the session.

properties - corresponds to the properties map of the related authentication module.

httpRequest - a reference to the Request object that was responsible for handling the incoming HTTP request. This binding is useful to the augment script because it has access to all of the raw details from the HTTP request, such as the headers. The following code snippet shows how you can access a header using the httpRequest binding. This example accesses the authToken request header:

httpRequest.getHeaders().getFirst('authToken').toString()
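The following is an added, stand-alone JavaScript example, not code from the IDM documentation or product. It simulates what an augmentSecurityContext script does with the three bindings described above: it looks the authenticationId up in the resource named by queryOnResource, fills in component, id and roles when the account exists, supplies the authorization map from the module's default roles when it does not, and copies the authToken header into the map as a session-lifetime value. The `security`, `properties` and `httpRequest` bindings are constructed here as plain objects; the property names queryOnResource, defaultUserRoles and propertyMapping, the header name authToken, the user record, its _id and the role names are all assumptions made for the example. It also assumes that getHeaders().getFirst() returns null for a header that is absent, which is why the example checks the result before calling toString() on it, rather than chaining the calls as the one-line snippet above does.

```javascript
// Added example (not IDM's own code): a simulated augmentSecurityContext script
// together with constructed stand-ins for the security, properties and
// httpRequest bindings. Names, users, roles and the header are assumptions.

// Constructed stand-in for the httpRequest binding. Only the
// getHeaders().getFirst(name) path used by augment scripts is modelled.
// getFirst returns null for a missing header (assumed), so a bare
// .toString() on the result would throw for a request without that header.
function makeHttpRequest(headers) {
  const byName = {};
  for (const name of Object.keys(headers)) byName[name.toLowerCase()] = headers[name];
  return {
    getHeaders: () => ({
      getFirst: (name) => {
        const value = byName[name.toLowerCase()];
        return value === undefined ? null : { toString: () => String(value) };
      },
    }),
  };
}

// Constructed account store standing in for the resource that queryOnResource
// names. The user, its _id and its roles are made up for this example.
const REPO = {
  'managed/user': [
    {
      _id: '1b2c3d4e',
      userName: 'bjensen',
      authzRoles: ['internal/role/openidm-authorized', 'internal/role/helpdesk'],
    },
  ],
};

// Authentication module properties as the `properties` binding would expose
// them (assumed shape).
const MODULE_PROPERTIES = {
  queryOnResource: 'managed/user',
  defaultUserRoles: ['internal/role/openidm-authorized'],
  propertyMapping: { authenticationId: 'userName', userRoles: 'authzRoles' },
};

// What the script sees after a successful authentication: the authenticationId
// chosen by the module and an authorization map that so far holds only moduleId.
function makeSecurity(authenticationId, moduleId) {
  return { authenticationId, authorization: { moduleId } };
}

// The script body. In IDM the three arguments are injected as bindings.
function augmentSecurityContext(security, properties, httpRequest) {
  const authz = security.authorization;
  const mapping = properties.propertyMapping;
  const accounts = REPO[properties.queryOnResource] || [];
  const account = accounts.find(
    (a) => a[mapping.authenticationId] === security.authenticationId
  );

  authz.component = properties.queryOnResource;
  if (account) {
    // Account found in queryOnResource: populate id and roles from it.
    authz.id = account._id;
    authz.roles = (account[mapping.userRoles] || []).slice();
  } else {
    // Account not found: the script must supply the authorization map itself.
    // Here it falls back to the module's default roles (assumed policy).
    authz.id = security.authenticationId;
    authz.roles = properties.defaultUserRoles.slice();
  }

  // The header access from the page, guarded so a missing header is not fatal.
  const token = httpRequest.getHeaders().getFirst('authToken');
  if (token !== null) {
    // A value added here stays in the authorization map for the session.
    authz.authToken = token.toString();
  }
  return security;
}

// Runs the script against constructed input and returns the security binding.
function runScenario(authenticationId, headers) {
  return augmentSecurityContext(
    makeSecurity(authenticationId, 'MANAGED_USER'),
    MODULE_PROPERTIES,
    makeHttpRequest(headers)
  );
}
```

Calling runScenario('bjensen', { authToken: 'abc123' }) returns an authorization map whose id, component and roles come from the stored account, whose moduleId is unchanged, and which carries the extra authToken key; runScenario('unknown', {}) shows the fallback path, where id is the authenticationId itself, roles are the module defaults, and no authToken key is added because the header was absent.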