The augmentSecurityContext Trigger

The augmentSecurityContext trigger, defined in authentication.json, can reference a script that is executed after successful authentication. Such scripts can populate the security context of the authenticated user. If the authenticated user is not found in the resource specified by queryOnResource, the augmentSecurityContext can provide the required authorization map.

Such scripts have access to the following bindings:

  • security - includes the authenticationId and the authorization key, which includes the moduleId.

    The main purpose of an augmentSecurityContext script is to modify the authorization map that is part of this security binding. The authentication module determines the value of the authenticationId, and IDM attempts to populate the authorization map with the details it finds related to that authenticationId value. These details include the following:

    • security.authorization.component - the resource that contains the account (by default this is always the same as the value of queryOnResource).

    • - the internal _id value that is associated with the account.

    • security.authorization.roles - any roles that were determined, either from reading the userRoles property of the account or from calculation.

    • security.authorization.moduleId - the authentication module responsible for performing the original authentication.

    You can use the augmentSecurityContext script to change any of these authorization values. The script can also add new values to the authorization map, which will be available for the lifetime of the session.

  • properties - corresponds to the properties map of the related authentication module.

  • httpRequest - a reference to the Request object that was responsible for handling the incoming HTTP request.

    This binding is useful to the augment script because it has access to all of the raw details from the HTTP request, such as the headers. The following code snippet shows how you can access a header using the httpRequest binding. This example accesses the authToken request header:
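The following is an added example, not the documentation's own snippet: a runnable model of an augmentSecurityContext script that reads the authToken header through the httpRequest binding and also supplies the authorization keys described above when the account was not found in queryOnResource. The security, properties and httpRequest bindings are constructed inline here (in IDM they are injected), the httpRequest stand-in models only getHeaders().getFirst(name), and the key name "id" and the property names moduleId and defaultUserRoles are assumptions.

```javascript
// Added example, not from the IDM documentation. Stand-in for the httpRequest
// binding: only getHeaders().getFirst(name) is modelled (assumed API shape).
function makeHttpRequest(headers) {
  const byName = {};
  for (const name of Object.keys(headers)) byName[name.toLowerCase()] = headers[name];
  return {
    getHeaders: () => ({
      getFirst: (name) => (name.toLowerCase() in byName ? byName[name.toLowerCase()] : null),
    }),
  };
}

// Script body: fills in the required authorization keys when they are missing,
// adds roles from the module's trusted configuration, and records the authToken
// header without treating the header itself as a source of authorization.
function augmentSecurityContext(security, properties, httpRequest) {
  const authz = security.authorization || (security.authorization = {});
  if (!authz.component) authz.component = properties.queryOnResource;
  if (!authz.id) authz.id = security.authenticationId;        // key name "id" is assumed
  if (!authz.moduleId) authz.moduleId = properties.moduleId;  // property name assumed
  if (!Array.isArray(authz.roles)) authz.roles = [];
  // Roles are derived from configuration (defaultUserRoles, assumed), never from the request.
  for (const role of properties.defaultUserRoles || []) {
    if (!authz.roles.includes(role)) authz.roles.push(role);
  }
  // Read the authToken header via the httpRequest binding. Header values are
  // client-supplied input, so only the fact that one was presented is recorded;
  // the value lives in the authorization map for the lifetime of the session.
  const authToken = httpRequest.getHeaders().getFirst("authToken");
  authz.authTokenPresented = typeof authToken === "string" && authToken.length > 0;
  return security;
}

// Constructed sample input: a user authenticated by a module whose account
// carries one role already, with a constructed authToken header on the request.
function runSample() {
  const properties = {
    queryOnResource: "managed/user",
    moduleId: "SAMPLE_MODULE",
    defaultUserRoles: ["openidm-authorized", "sample-role"],
  };
  const security = { authenticationId: "bjensen", authorization: { roles: ["openidm-authorized"] } };
  const httpRequest = makeHttpRequest({ "Content-Type": "application/json", authToken: "constructed-token" });
  return augmentSecurityContext(security, properties, httpRequest);
}
```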
