LDAP Store attributes in /authenticate call response

Article ID: 429617

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

I wanted to know if we can return user attributes in Authenticate API response.

See the sample response below; the new additions are in yellow.

{
    "flowState": "xxxx",
    "userName": "xxxxxxxx",
    "nextaction": "PASSWORD_AUTH",
    "currentFactors": [
        "PASSWORD"
    ],
    "additional": {
        "userName": "xxxxxxxx",
        "idpName": "ExampleDirectory",
        "idpGuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
        "idpType": "ldap",
        "currentFactorLevel": 1,
        "predicatesForCurrentFactors": [
            {
                "factor": "PASSWORD",
                "predicate": "ExampleDirectory",
                "providerAmr": "PWD"
            }
        ],
        "userLoginIdInputValue": "[email protected]",
        "newAttribute1FromLDAP": "value",
        "newAttribute2FromLDAP": "value",
        "identityProviders": []
    }
}

Environment

IDSP 3.4.x

Resolution

There are established, standards-based mechanisms for returning user attributes with appropriate access controls. Adding raw directory attributes to the /authenticate response would bypass those controls, which matters because the /authenticate endpoint is reachable by a public client.

For reference, the following supported approaches can be used to retrieve user data:

  • The ID Token (IT) returned by /authenticate can include administrator-defined user attributes embedded as JWT claims.
  • The ID Token (IT) returned by /authenticate can be exchanged by the same client for an Access Token (AT), which can then be used with /oauth2/v1/userinfo or /scim2/v1/Me.
  • The ID Token (IT) returned by /authenticate can be exchanged by a privileged client for an Access Token (AT) to call the /scim2/v1/Users API or /idstore/v1/Users API.
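The first option above, administrator-defined attributes carried as claims in the ID Token, is illustrated by the following added example. It is not IDSP product code and it does not use the product's real signing keys: it mints a demo HS256 ID Token with a constructed secret and a constructed issuer, then shows the consuming side verifying signature, issuer, audience and expiry before reading the attribute claims. A real IDSP deployment would sign ID Tokens with its own keys (normally an asymmetric algorithm published via a JWKS endpoint, which is an assumption here), but the consumer-side discipline is the same: attributes are trusted only after the token they ride in has been verified, which is exactly what a plain JSON field in the /authenticate response cannot offer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; an IDSP tenant has its own issuer and signing keys.
DEMO_SECRET = b"constructed-demo-hmac-key-not-for-production"
DEMO_ISSUER = "https://idsp.example.invalid"
DEMO_CLIENT_ID = "public-client-demo"

# Standard JWT claims that are not user attributes and are filtered out on read.
RESERVED_CLAIMS = {"iss", "sub", "aud", "iat", "exp"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(subject: str, attributes: dict, now: Optional[int] = None) -> str:
    """Build an HS256-signed ID Token whose payload carries administrator-defined
    attribute claims next to the standard OIDC claims (demo issuer side)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": DEMO_ISSUER, "sub": subject, "aud": DEMO_CLIENT_ID,
               "iat": now, "exp": now + 300, **attributes}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload))
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def read_attributes(token: str, expected_aud: str, now: Optional[int] = None) -> dict:
    """Verify the token, then return only its attribute claims.

    Raises ValueError on any failed check so a caller can never act on
    attributes from a token that was not verified end to end.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of honouring whatever the token header claims.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DEMO_ISSUER:
        raise ValueError("bad issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("bad audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return {k: v for k, v in claims.items() if k not in RESERVED_CLAIMS}


if __name__ == "__main__":
    # Constructed attributes standing in for values an administrator mapped from LDAP.
    tok = mint_id_token("xxxxxxxx", {"department": "finance", "employeeId": "E123"})
    print(read_attributes(tok, DEMO_CLIENT_ID))
```

The check order (signature before any claim is inspected, then issuer, audience and expiry) is deliberate: a relying party that parses attributes out of an unverified payload gets no more assurance than it would from an unsigned field in an HTTP response.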