The auth.profile.json File

In some circumstances, you may wish to create a temporary role for users who are in the middle of progressive profile completion, such as if you wish to enable access to an endpoint, while prohibiting access to other parts of the End User UI (as well as the rest of IDM).

To do this, you may optionally define an authenticationRole in auth.profile.json, which you can use as a role assignment in access.json or elsewhere.

For example, if you wished to assign access to a custom endpoint for users who have incomplete profiles, you could modify auth.profile.json to include a custom authenticationRole called incomplete-profile:

{
    "profileEnhancementProcesses": [
        "selfservice/termsAndConditions",
        "selfservice/kbaUpdate",
        "selfservice/profile"
    ],
    "authenticationRole": "incomplete-profile",
    "authorizationRole": "internal/role/openidm-authorized"
}

You could then give access to this role to your custom endpoint in access.json:

{
    "pattern"    : "endpoint/extra-steps",
    "roles"      : "incomplete-profile",
    "methods"    : "read",
    ...
},

Access for these and other roles is governed by the access.json script. For more information, see "Configure Access Control in access.json".

The role specified in authenticationRole can be an existing role, or it can be a placeholder string. If it is a placeholder, it will not function as a real role, but can still be used for access in access.json, and will appear in access and authentication log files in the openidim/audit directory.

Read a different version of :