Grant Block

This block issues a GRANT from AuthScope and can attach one or more obligations to it. Obligations are additional instructions that a resource server must comply with. A scenario where an obligation would help is as follows:

A trader must perform step up authentication when the transaction amount for a trade is more than 10,000$.

In this case, the following policy can be used:

  • Scope: create_trade
  • Action: POST
  • Resource: /trades
  • Constraint: A constraint chain which checks whether the amount passed in the request context is more than 10,000$.
    • If yes, then issue a GRANT with obligation to perform step up authentication.
    • If no, then issue a GRANT.

Name

Specify the name for the block.


Description

Provide a description for this block.


Creating Obligations

Click the "Add New Obligation" button to create an Obligation and fill in the following fields:

Obligation Name *

Specify the Obligation name.

The following fields can be used to compute the Obligation value:


Where is the value Location? *

Select where the Obligation value comes from, using one of the following options:

  • Headers - The system looks for the obligation value in the headers passed from the resource server. The obligation name that is searched for in the headers to extract the value is specified in the field below.
  • Query Parameters - The system looks for the obligation value in the query parameters passed from the resource server. The obligation name that is searched for in the query parameters to extract the value is specified in the field below.
  • Authorization Context - The system looks for the obligation value in the authorization context passed from the resource server. The obligation name that is searched for in the authorization context to extract the value is specified in the field below.
  • Message Context - The system looks for the obligation value in the current message context. The obligation name that is searched for in the message context to extract the value is specified in the field below.
  • AuthScope Data Services - The system looks for the obligation value in the AuthScope Data Store. The obligation name that is searched for in the AuthScope Data Store to extract the value is specified in the field below.
  • Others - Use this option to specify the attribute location in the format described for the next field.
  • Value - Use this option if you would like to specify a hard-coded value for the obligation. The following field is used to specify the value.

What is the name of the Attribute that holds the value? *

Specify the attribute name that should be selected from the location above if you selected one of the following options:

  • Headers
  • Query Parameters
  • Authorization Context
  • Message Context

If you selected the "Other" option in the field above, enter the attribute value as follows:

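Example                           | Inputs                                                     | Value selected
----------------------------------|------------------------------------------------------------|---------------
messageContext.allowedGroups.name | {"messageContext": {"allowedGroups": {"name" : "teller"}}} | teller
authzContext.amount               | {"authzContext": {"amount": 10000}}                        | 10000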

If you selected the "Value" option above, specify the hard-coded attribute value here, for example teller, manager, etc.


What is the default value, in case value is not found in the specified attribute?

Specify the default string value that should be set for this Obligation in case the value extracted from the above selection is null.
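
The dotted-path lookup, the default-value fallback and the trade scenario from the top of this page, put together as an added sketch (not AuthScope code or its API). The decision dictionary, the function names, the `step_up_auth` obligation name, the `messageContext.stepUp.method` path and the fail-closed choices are assumptions made for the example.

```python
# Added illustration, not AuthScope code. The decision dict, the function names,
# the "step_up_auth" obligation and the messageContext.stepUp.method path are
# all assumptions made for this sketch.
THRESHOLD = 10000  # trade amount from the scenario on this page

def resolve(path, inputs, default=None):
    """Walk a dotted path ("authzContext.amount"); use default if missing or null."""
    node = inputs
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return default if node is None else node

def decide(inputs):
    """Constraint chain for create_trade / POST /trades."""
    amount = resolve("authzContext.amount", inputs)
    if isinstance(amount, bool) or not isinstance(amount, (int, float)):
        # Assumption: no usable amount means no GRANT (fail closed).
        return {"decision": "DENY", "obligations": {}}
    if amount > THRESHOLD:
        method = resolve("messageContext.stepUp.method", inputs, default="otp")
        return {"decision": "GRANT", "obligations": {"step_up_auth": method}}
    return {"decision": "GRANT", "obligations": {}}

def enforce(decision, session):
    """Resource server: a GRANT counts only once every obligation is met."""
    if decision["decision"] != "GRANT":
        return 403
    for name, value in decision["obligations"].items():
        if name != "step_up_auth":
            return 403  # obligation this server cannot fulfil: refuse
        if value not in session.get("completed_step_up", ()):
            return 401  # step-up not done yet: challenge, then retry
    return 200

# Constructed sample requests
small = {"authzContext": {"amount": 10000}}
large = {"authzContext": {"amount": 25000}}

if __name__ == "__main__":
    print(decide(small), enforce(decide(small), {}))
    print(decide(large), enforce(decide(large), {}))
    print(enforce(decide(large), {"completed_step_up": ["otp"]}))
```

The resource server treats a GRANT that carries an obligation it does not recognise as a refusal, so an obligation can never be silently skipped.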
