This document provides a comprehensive overview of how EmpowerID integrates Azure Token Authentication to facilitate secure and efficient access to its APIs. This process encompasses initial authentication using Azure tokens, an internal token exchange mechanism, and robust identity verification and access management.
Step 1: Initial Receipt of Azure Token
When a request is made to EmpowerID, it arrives with an Azure access token. The token authenticates the caller in the initial phase, and the request carries two additional headers that drive the rest of the process:
Client ID: Used to identify the specific EmpowerID OAuth application that will be used in the subsequent token exchange process.
Scope: This is crucial for determining the extent of access that the request is authorized for within the EmpowerID system.
POST /api/services/v1/testapi HTTP/1.1
Host: <EID Server>
Content-Type: application/x-www-form-urlencoded
Cache-Control: no-cache
Authorization: Bearer <Azure Access Token>
scope: <Scope for the API endpoint>
client_id: <ClientID of the EmpowerID OAuth application>
Header Parameter    Required/Optional    Description
Authorization       required             Azure access token
scope               required             Scope associated with the API endpoint for authorizing the request
client_id           required             ClientID of the EmpowerID OAuth application that will be used in the internal token exchange process
Step 2: Internal Token Exchange
Upon authenticating the Azure token, EmpowerID initiates an internal token exchange. During this process:
The Azure token is exchanged for an EmpowerID-specific access token.
This exchange is conducted using the identified EmpowerID OAuth application, ensuring that the right context and permissions are carried forward.
Step 3: Utilizing the EmpowerID Token for API Access
The EmpowerID access token obtained from the exchange is then used to make API calls. This ensures that:
All API interactions adhere to EmpowerID’s access control mechanisms.
The API usage is aligned with the permissions defined by the EmpowerID OAuth application.
Step 4: Identity Verification and Access Management
For each request, EmpowerID conducts a thorough identity verification process:
The oid (Object ID) from the Azure token is extracted to identify the user.
EmpowerID checks this oid against its database to link it with an existing identity or create a new record.
Step 5: Delegating RBAC Checks to API Endpoints
In addition to the token-based authentication and authorization, Role-Based Access Control (RBAC) checks can be further delegated to individual API endpoints.
This ensures that each endpoint independently verifies the user’s roles and permissions, providing an additional layer of security.
This granular approach to access control allows EmpowerID to enforce specific permissions and roles at each endpoint, catering to diverse and complex security requirements.