Azure Token Authentication for EmpowerID APIs
This document describes how EmpowerID uses Azure Token Authentication to grant access to its APIs: a request is authenticated with an Azure access token, that token is exchanged internally for an EmpowerID-specific token, and the caller's identity and access rights are then verified on every request.
Step 1: Initial Receipt of Azure Token
When a request is made to EmpowerID, it carries an Azure access token in the Authorization header. The token is used for the initial authentication phase; two further custom headers on the same request drive the rest of the process:
Client ID: Used to identify the specific EmpowerID OAuth application that will be used in the subsequent token exchange process.
Scope: This is crucial for determining the extent of access that the request is authorized for within the EmpowerID system.
POST /api/services/v1/testapi HTTP/1.1
Host: <EID Server>
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Authorization: Bearer <Azure Access Token>
scope: <Scope for the API endpoint>
client_id: <ClientID of the EmpowerID OAuth application>
| Header Parameter | Required/Optional | Description |
|---|---|---|
| Authorization | required | `Bearer <Azure Access Token>`: the Azure access token |
| scope | required | Scope associated with the API endpoint, used to authorize the request |
| client_id | required | ClientID of the EmpowerID OAuth application that will be used in the internal token exchange process |
Step 2: Internal Token Exchange
Once the Azure token has been authenticated, meaning validated as a token issued by the expected tenant for this API (signature, issuer, audience and expiry) rather than merely parsed, EmpowerID initiates an internal token exchange. During this process:
The Azure token is exchanged for an EmpowerID-specific access token.
The exchange is performed in the context of the EmpowerID OAuth application named by the client_id header, so the resulting token carries that application's context and permitted scopes.
Step 3: Utilizing the EmpowerID Token for API Access
The EmpowerID access token obtained from the exchange is then used to make API calls. This ensures that:
All API interactions adhere to EmpowerID’s access control mechanisms.
The API usage is aligned with the permissions defined by the EmpowerID OAuth application.
Step 4: Identity Verification and Access Management
For each request, EmpowerID conducts a thorough identity verification process:
The oid (Object ID) claim from the Azure token is extracted to identify the user.
EmpowerID checks this oid against its database to link the request to an existing identity or to create a new record. The oid does not change for the lifetime of the Azure object, which is why it, rather than a mutable attribute such as a UPN or e-mail address, is the linking key. Note that an oid is unique only within a tenant, so a deployment that accepts tokens from more than one tenant should key the lookup on the tid and oid claims together.
Step 5: Delegating RBAC Checks to API Endpoints
In addition to the token-based authentication and authorization, Role-Based Access Control (RBAC) checks can be further delegated to individual API endpoints.
This ensures that each endpoint independently verifies the user’s roles and permissions, providing an additional layer of security.
This granular approach to access control allows EmpowerID to enforce specific permissions and roles at each endpoint, catering to diverse and complex security requirements.
Please refer to Add OAuth Scopes to REST API Endpoints for setting up scopes and RBAC checks on EmpowerID API endpoints.
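The five steps above, run end to end over the request shape shown in Step 1, as an added example. This is not EmpowerID's code: the scope and client_id header names come from the article, while the tenant ID, application IDs, signing keys, the in-memory identity store and the single registered endpoint are constructed assumptions. The constructed Azure token is signed with HS256 and a shared key purely so the example runs offline; a real Azure token is RS256 and is verified against the tenant's published keys, which this example does not fetch.

```python
import base64, hashlib, hmac, json

# Constructed configuration: assumptions for this example, not EmpowerID or tenant values.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
EXPECTED_ISS = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
EXPECTED_AUD = "api://empowerid-demo"        # app ID URI the Azure token must have been issued for
AZURE_STAND_IN_KEY = b"azure-stand-in-key"   # offline stand-in for the tenant's RS256 signing keys
INTERNAL_KEY = b"empowerid-internal-key"     # signs the EmpowerID-specific token after the exchange
OAUTH_APPS = {"eid-test-app": {"scopes": {"testapi.read", "testapi.write"}}}
ENDPOINTS = {"/api/services/v1/testapi": {"scope": "testapi.read", "role": "API Reader"}}
IDENTITIES, PERSONS = {}, {}  # (tid, oid) -> person record, and person_id -> the same record

def b64url_encode(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """HS256 JWT, used for both the constructed Azure token and the internal EmpowerID token."""
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_jwt(token, key, issuer, audience, now):
    """Signature first, then exp/iss/aud. Real Azure tokens are RS256 and are checked against the
    keys at https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys, not a shared secret."""
    head, body, sig = token.split(".")  # ValueError (caught by the caller) on a malformed token
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, never the token, chooses the algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= now or claims.get("iss") != issuer or (audience and claims.get("aud") != audience):
        raise ValueError("expired, wrong issuer, or wrong audience")
    return claims

def parse_request(raw):
    """Return (path, lowercase header map) from a raw HTTP/1.1 request."""
    request_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, _, v in (h.partition(":") for h in header_lines)}
    return request_line.split(" ")[1], headers

def link_or_create_identity(azure_claims):
    """Step 4. oid is unique only within a tenant, so the lookup key is (tid, oid)."""
    key = (azure_claims["tid"], azure_claims["oid"])
    if key not in IDENTITIES:
        record = {"person_id": len(IDENTITIES) + 1, "roles": set()}
        IDENTITIES[key] = PERSONS[record["person_id"]] = record
    return IDENTITIES[key]

def exchange_token(azure_claims, client_id, scope, now):
    """Step 2. Azure token -> EmpowerID token, bound to the named OAuth application and scope."""
    app = OAUTH_APPS.get(client_id)
    if app is None or scope not in app["scopes"]:
        raise PermissionError("client_id unknown or scope not granted to that application")
    person = link_or_create_identity(azure_claims)
    return sign_jwt({"iss": "EmpowerID", "sub": person["person_id"], "client_id": client_id,
                     "scope": scope, "exp": now + 600}, INTERNAL_KEY)

def call_endpoint(path, eid_token, now):
    """Steps 3 and 5. Scope is read from the EmpowerID token; the endpoint then runs its own RBAC check."""
    claims = verify_jwt(eid_token, INTERNAL_KEY, "EmpowerID", None, now)
    endpoint = ENDPOINTS.get(path)
    if endpoint is None:
        return 404, "unknown endpoint"
    if claims["scope"] != endpoint["scope"]:
        return 403, "scope does not cover this endpoint"
    if endpoint["role"] not in PERSONS[claims["sub"]]["roles"]:
        return 403, "RBAC check failed"
    return 200, "ok"

def handle_request(raw, now):
    """Step 1 onward for one raw request; returns (HTTP status, message)."""
    path, headers = parse_request(raw)
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer ") or "scope" not in headers or "client_id" not in headers:
        return 400, "Authorization: Bearer, scope and client_id headers are all required"
    try:
        azure_claims = verify_jwt(auth[len("Bearer "):], AZURE_STAND_IN_KEY, EXPECTED_ISS, EXPECTED_AUD, now)
        eid_token = exchange_token(azure_claims, headers["client_id"], headers["scope"], now)
    except (ValueError, PermissionError) as err:  # 401 for a bad Azure token, 403 for an app/scope refusal
        return (403 if isinstance(err, PermissionError) else 401), str(err)
    return call_endpoint(path, eid_token, now)

def make_azure_token(now, oid="6b9d1e3a-0000-4000-8000-000000000001", exp_offset=3600):
    """Constructed stand-in for the token Entra ID would issue (HS256 here, RS256 in reality)."""
    return sign_jwt({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "tid": TENANT_ID, "oid": oid,
                     "exp": now + exp_offset}, AZURE_STAND_IN_KEY)

def make_request(azure_token, path="/api/services/v1/testapi", scope="testapi.read", client_id="eid-test-app"):
    """The request shape shown in the article, with constructed values."""
    return (f"POST {path} HTTP/1.1\r\nHost: eid.example.test\r\nAuthorization: Bearer {azure_token}\r\n"
            f"scope: {scope}\r\nclient_id: {client_id}\r\n\r\n")

if __name__ == "__main__":
    now, token = 1_700_000_000, make_azure_token(1_700_000_000)
    print(handle_request(make_request(token), now))  # (403, 'RBAC check failed'): new identity, no roles yet
    PERSONS[1]["roles"].add("API Reader")
    print(handle_request(make_request(token), now))  # (200, 'ok')
```

The first call on a fresh store creates the identity from the tid/oid pair and is then refused by the endpoint's own RBAC check, which is the point of Step 5: a valid Azure token and a granted scope get the caller through the exchange, but not past an endpoint whose role requirement the person does not meet. A token with the wrong audience, an expired token, a forged signature, an unregistered client_id, or a missing header all fail before any identity is created.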