...

As of Version: 2019 Winter
HTTP Method: GET
Response Format: JSON
Parameter: String tenant, String userID
Description: Retrieves the roles and any additional available information about the user currently logging in to the authentication system, from the target URL.


As of 2023 Summer, an optional abac section can be specified to allow for attribute-based access control. If specified, the abac section must be a map whose keys are single strings and whose value for each key is a list of strings. An example is given below.

In the predicate, the tenant of the user who sent the request can be referenced to formulate a condition.

Requirements for External Endpoint: The target URL must return the JSON structure shown in the example response below.
Called by Service: Authentication service
Example Response


{
	"username": "111a222b-3c44-5d66-7777-8e999f0000a1",
	"id": "222a333b-4c55-6d77-8888-9e000f1111a2",
	"domain": "dd",
	"tenant": "default",
	"authorities": [
		"TENANT_ADMIN",
		"SYSTEM_INTEGRATOR",
		"ACCESS_FOREIGN_JOURNAL_OBJECTS"
	],
	"accountNonExpired": true,
	"accountNonLocked": true,
	"credentialsNonExpired": true,
	"enabled": true
}

With abac section (available as of 2023 Summer):

{
	"username": "111a222b-3c44-5d66-7777-8e999f0000a1",
	"id": "222a333b-4c55-6d77-8888-9e000f1111a2",
	"domain": "dd",
	"tenant": "default",
	"authorities": [
		"TENANT_ADMIN",
		"SYSTEM_INTEGRATOR",
		"ACCESS_MAILBOXES"
	],
	"abac": {
		"mailGroups": [
			"mailbox_sales",
			"mailbox_pm"
		],
		"sap_permissions": [
			"sap_read",
			"sap_write"
		]
	},
	"accountNonExpired": true,
	"accountNonLocked": true,
	"credentialsNonExpired": true,
	"enabled": true
}
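Because the authentication service grants authorities based on whatever the external endpoint returns, a defender will want to validate the response shape (including the abac rule above) before trusting it. The following is an added example, not the product's own validation code; the sample response is constructed from the page's second example.

```python
import json

# Constructed sample (not captured from a live endpoint): the page's second
# example response, with an "abac" section.
SAMPLE_RESPONSE = """{
  "username": "111a222b-3c44-5d66-7777-8e999f0000a1",
  "id": "222a333b-4c55-6d77-8888-9e000f1111a2",
  "domain": "dd", "tenant": "default",
  "authorities": ["TENANT_ADMIN", "SYSTEM_INTEGRATOR", "ACCESS_MAILBOXES"],
  "abac": {"mailGroups": ["mailbox_sales", "mailbox_pm"],
           "sap_permissions": ["sap_read", "sap_write"]},
  "accountNonExpired": true, "accountNonLocked": true,
  "credentialsNonExpired": true, "enabled": true
}"""

STRING_FIELDS = ("username", "id", "domain", "tenant")
FLAG_FIELDS = ("accountNonExpired", "accountNonLocked",
               "credentialsNonExpired", "enabled")


def validate_user_info(raw):
    """Return the problems found in an endpoint response; an empty list means it is usable."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in STRING_FIELDS:
        if not isinstance(doc.get(key), str) or not doc[key]:
            problems.append(key + ": missing or not a non-empty string")
    for key in FLAG_FIELDS:
        if not isinstance(doc.get(key), bool):
            problems.append(key + ": missing or not a boolean")
    auth = doc.get("authorities")
    if not isinstance(auth, list) or not all(isinstance(a, str) for a in auth):
        problems.append("authorities: must be a list of strings")
    # abac is optional; when present, each value must be a list of strings
    # (JSON object keys are always single strings, so the key rule holds by construction)
    abac = doc.get("abac")
    if abac is not None and not isinstance(abac, dict):
        problems.append("abac: must be a JSON object")
    elif abac:
        for key, value in abac.items():
            if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
                problems.append("abac[%s]: value must be a list of strings" % key)
    return problems
```

A response that fails any check should be rejected rather than partially applied, so that a malformed or tampered endpoint reply cannot grant an unintended authority set.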


Example Predicate

Check if the calling user belongs to the default tenant:

spel:'default'.equals(options['tenant'])

...