Quasr
  • Introduction
    • Welcome to Quasr
    • Concepts
      • Flexible Authentication
      • User-Centric Privacy
      • Modern Development
    • Terminology
    • FAQs
  • Getting Started
    • Sign up with Quasr
    • Setup your tenant
      • Factor Configuration
      • Enrolling additional factors
      • Test with the Sample Client
      • Understanding Scopes & Scores
      • Setting up an API Client (M2M)
    • Connect your app
      • Hosted Login UI
      • Custom Login UI
      • Embedded Login UI
  • Account Administration
    • Introduction
    • Account & Billing
      • Metrics
    • Tenants
    • Usage & Statistics
    • Security
  • Tenant Administration
    • Introduction
    • Dashboard
    • Tenant Settings
    • Your Security
    • Accounts
      • Tenant Admins
    • Factors
      • Factors and Scoring
      • Username (ID)
      • Federation (OAuth2 / OIDC)
        • Apple
        • Facebook
        • GitHub
        • Google
        • LinkedIn
        • Slack
      • Time-based One-time Password (TOTP)
      • One-Time Password (OTP)
      • Password
      • Secret
    • Controls
      • Configuration
      • Permissions
      • Consents
      • Rules
    • Attributes
      • Capturing Claims
      • Sourcing Claims
      • Viewing Claims
      • Searching Claims / Users
      • Sharing Claims
    • Extensions
      • Synchronous
      • Asynchronous
    • Tokens
      • Session Token (OAuth 2.0)
      • Access Token (OAuth 2.0)
      • Refresh Token (OAuth 2.0)
      • ID Token (OIDC 1.0)
      • Consent Token
      • Authorization Code (OAuth 2.0)
    • Hosted Login Page
    • APIs
      • Authentication API
      • Management API (GraphQL)
  • Legal
    • Terms of Service
    • Acceptable Use Policy
    • DPA & Subprocessors
  • More Info
    • Standards
    • Security
      • Vulnerability Disclosure
      • Wall of Recognition
    • Support
    • Status
Powered by GitBook
On this page
  • Injected in identity/access tokens
  • External account access
  • External admin access
  1. Tenant Administration
  2. Attributes

Sharing Claims

There are 3 ways in which claims can be shared:

  1. Automatically in identity or access tokens issued (with user consent if required).

  2. Automatically by an account client via the Management API (with user consent if required).

  3. Automatically by an admin client via the Management API (no user consent).

Injected in identity/access tokens

Account claims can be automatically injected in any identity or access tokens issued by using control configuration. Controls are things a user must pass in order to gain access, for example consenting to Terms & Conditions (T&C's) or granting an application certain API access (scopes).

Claims are injected into tokens using the value of the attribute as the claim key:

{
    // other ID or access token claims
    "<attribute_value>": "<claim_value>"
}

Please note that claims are correctly injected according to their subtype:

  • string* are injected as strings.

  • number* are injected as numbers.

  • boolean* are injected as booleans.

  • json* are injected as JSON objects.

Please note that only attributes with a status ENABLED or PENDING will be injected into tokens, and if the account does not have any enabled or pending claims for an attribute no claim will be populated in the token.

If the attribute requires validation for enablement then an additional verified claim will be injected:

{
    // other ID or access token claims
    "<attribute_value>": "<claim_value>",
    // if attribute requires validation
    "<attribute_value>_verified": true // IF STATUS IS ENABLED
    "<attribute_value>_verified": false // IF STATUS IS PENDING
}

Please note that if an account has multiple claims for the same attribute they'll all be injected as an array:

{
    // other ID or access token claims
    "<attribute_value>": [ "<claim_value1>", "<claim_value2>" ]
    // if attribute requires validation
    "<attribute_value>_verified": [ true, false ] // INDEX MAPPED TO VALUES
}

In the Admin UI admins can configure the attributes included by going to Controls, select the desired control, and go to the Attributes section.

In the example above we have configured a profile scope that if obtained by an application will result in the nickname, middle name, name, family name and given name to be injected into the identity token. In this case the the profile scope requires consent so in case it concerns an external application than the user must explicitly consent the application can obtain the profile scope.

External account access

An account can grant an external application access to their account. This involves granting the default Account Access scope (https://api.quasr.io/scopes/account) which generally requires consent, so if the user wants to grant this scope to an external application, they have to explicitly consent. Once the application has the scope it can access and manage the user's account on their behalf, including seeing all of the users' claims regardless of score.

It's not recommend to allow the account access scope to be granted to an external application as it grants too much control over the user's account. We're looking into adding more fine-grained controls that will allow an application more limited access.

External admin access

An admin can grant an external application access to a tenant. This involves granting the default Admin Access scope (https://api.quasr.io/scopes/admin) which generally requires consent, so in case the admin wants to grant this scope to an external application they first have to explicitly consent. Once the application has the scope it can access and manage the tenant - including seeing all of the users' claims regardless of score and possibly not with their explicit consent (or the sharing needs to be covered by an earlier general consent).

It's not recommend to allow the admin access scope to be granted to an external application as it will grant too much control over the tenant and access to all of the user's personal data. We're looking into adding more fine-grained controls that will allow an application more limited access.

PreviousSearching Claims / UsersNextExtensions

Last updated 18 days ago