The auth.profile.json file
To use |
In some circumstances, you may wish to create a temporary role for users who are in the middle of progressive profile completion, for example to enable access to an endpoint while prohibiting access to other parts of the End User UI (as well as the rest of IDM).
To do this, you may optionally define an authenticationRole in auth.profile.json, which you can use as a role assignment in access.json or elsewhere.
For example, if you wished to assign access to a custom endpoint for users who have incomplete profiles, you could modify auth.profile.json to include a custom authenticationRole called incomplete-profile:

{
  "profileEnhancementProcesses": [
    "selfservice/termsAndConditions",
    "selfservice/kbaUpdate",
    "selfservice/profile"
  ],
  "authenticationRole": "incomplete-profile",
  "authorizationRole": "internal/role/openidm-authorized"
}
You could then give this role access to your custom endpoint in access.json:

{
  "pattern" : "endpoint/extra-steps",
  "roles" : "incomplete-profile",
  "methods" : "read",
  ...
},
Access for these and other roles is governed by the access.json script. For more information, refer to Configure Access Control in access.json.
The role specified in authenticationRole can be an existing role, or it can be a placeholder string. If it is a placeholder, it will not function as a real role, but it can still be used for access in access.json, and it will appear in the access and authentication log files in the openidm/audit directory.
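Because the temporary role exists to restrict users to one endpoint, it is worth checking that no other rule in access.json grants it more. The following is an added example, not code from the IDM project: it assumes the rules sit in a "configs" array and that "*" in "roles" matches every role; the sample rules beyond endpoint/extra-steps and the function names are constructed for illustration.

```python
import json

# Constructed sample input modeled on the snippets above; the "configs" wrapper,
# the second and third rules, and the "*" wildcard are assumptions for illustration.
AUTH_PROFILE = json.loads("""{
  "profileEnhancementProcesses": ["selfservice/termsAndConditions",
                                  "selfservice/kbaUpdate", "selfservice/profile"],
  "authenticationRole": "incomplete-profile",
  "authorizationRole": "internal/role/openidm-authorized"
}""")
ACCESS = json.loads("""{ "configs": [
  {"pattern": "endpoint/extra-steps", "roles": "incomplete-profile", "methods": "read"},
  {"pattern": "managed/user/*",
   "roles": "internal/role/openidm-authorized,incomplete-profile", "methods": "read,patch"},
  {"pattern": "info/*", "roles": "*", "methods": "read"}
]}""")

def split_csv(value):
    """Split a comma-separated roles/methods string into a set of trimmed items."""
    return {item.strip() for item in value.split(",") if item.strip()}

def audit_temp_role(auth_profile, access, allowed):
    """Return (pattern, reason) for every rule that lets the temporary role
    reach something outside `allowed` (pattern -> set of permitted methods)."""
    role = auth_profile["authenticationRole"]
    findings = []
    for rule in access["configs"]:
        roles = split_csv(rule.get("roles", ""))
        if role not in roles and "*" not in roles:
            continue  # rule does not apply to the temporary role
        pattern = rule["pattern"]
        methods = split_csv(rule.get("methods", ""))
        if pattern not in allowed:
            via = "explicit grant" if role in roles else "wildcard roles"
            findings.append((pattern, f"unexpected pattern ({via})"))
        elif not methods <= allowed[pattern]:
            extra = ",".join(sorted(methods - allowed[pattern]))
            findings.append((pattern, f"extra methods: {extra}"))
    return findings

if __name__ == "__main__":
    intended = {"endpoint/extra-steps": {"read"}}
    for pattern, reason in audit_temp_role(AUTH_PROFILE, ACCESS, intended):
        print(f"{pattern}: {reason}")
```

Running the same check in a deployment pipeline catches a later edit that adds the placeholder role to a broader rule.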