
    How to write authentication request and token issuance access policy scripts

    Introduction

    This document shows how to use a policy script to apply access control at the protocol connection level (that is, per service provider) at two points:

    • when an authentication request first arrives at Identify, and
    • when Identify is about to issue a token to the requesting service provider.

    The samples address use cases that our customers typically ask for: whether the client IP address is or is not within a specific range, whether a specific claim is present, and whether the logged-in user comes from a specific service provider.

    Where and how to write the scripts

    Both the authentication request and the token issuance access policy scripts are configured on each protocol connection configuration:

    (screenshot: the two access policy script fields on the protocol connection configuration page)

    Or in the Safewhere Admin:

    (screenshot: the same two fields in the Safewhere Admin)

    The full scripting syntax and the list of built-in functions are documented on a separate page.

    Note: the policy scripts apply only to the passive (browser-redirect) flow.

    Common use cases

    • Apply an authentication request or token issuance access policy to client IP addresses in the range 192.168.1.1 - 192.168.1.20, except those in the range 192.168.1.17 - 192.168.1.18. The NotApply range carves an exception out of the Apply range:
    // Apply to the whole range, then exclude a sub-range from it.
    Rules.ApplyIPAddressRange("192.168.1.1 - 192.168.1.20")
        .NotApplyIPAddressRange("192.168.1.17 - 192.168.1.18");

    The address evaluated is the client address as Identify sees the request; behind a reverse proxy or load balancer, an IP-based policy is only meaningful if the deployment forwards the original client address to Identify.
    
    • Apply the authentication request or token issuance access policy to users who have a specific claim (here, the claim type urn:identify:rest-api:role with the value Administrator):
    // Apply only when the authenticated (first factor) principal carries the given claim type and value.
    Rules.ApplyExpression((RuleContext) => {
        return RuleContext.FirstFactorPrincipal.HasClaim("urn:identify:rest-api:role", "Administrator");
    });
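To make the semantics of the two samples above concrete, the following stand-alone Python model shows how an applied IP range with an excluded sub-range, and a claim predicate, evaluate against a request. It is an added illustration for this page, not Identify's policy engine or its built-in functions. Its assumptions: the range string format "a - b" follows the samples, range endpoints are treated as inclusive, an excluded range overrides an applied range (the reading the sample intends), and the `Rules`, `RuleContext` and `Principal` classes plus the sample requests are constructed here for the example.

```python
import ipaddress
from dataclasses import dataclass, field


def parse_range(text: str):
    """Parse 'a - b' (the format used by the samples) into inclusive integer bounds.
    Treating both endpoints as inclusive is an assumption of this model."""
    lo, hi = (ipaddress.ip_address(part.strip()) for part in text.split("-", 1))
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"invalid range: {text!r}")
    return int(lo), int(hi)


@dataclass
class Principal:
    """Hypothetical stand-in for the authenticated principal: a list of (type, value) claims."""
    claims: list

    def has_claim(self, claim_type: str, value: str) -> bool:
        return (claim_type, value) in self.claims


@dataclass
class RuleContext:
    """Hypothetical stand-in for the context a policy script sees for one request."""
    client_ip: str
    first_factor_principal: Principal


@dataclass
class Rules:
    """Hypothetical model of the Rules builder: Apply*/NotApply* calls chain,
    apply_expression adds a predicate over the RuleContext."""
    applied: list = field(default_factory=list)
    excluded: list = field(default_factory=list)
    predicates: list = field(default_factory=list)

    def apply_ip_address_range(self, text: str) -> "Rules":
        self.applied.append(parse_range(text))
        return self

    def not_apply_ip_address_range(self, text: str) -> "Rules":
        self.excluded.append(parse_range(text))
        return self

    def apply_expression(self, predicate) -> "Rules":
        self.predicates.append(predicate)
        return self

    def applies_to(self, ctx: RuleContext) -> bool:
        ip = int(ipaddress.ip_address(ctx.client_ip))
        # If any Apply range is configured, the address must fall inside one of them.
        if self.applied and not any(lo <= ip <= hi for lo, hi in self.applied):
            return False
        # An excluded range wins over an applied one (assumed from the sample's intent).
        if any(lo <= ip <= hi for lo, hi in self.excluded):
            return False
        # Every ApplyExpression predicate must hold as well.
        return all(predicate(ctx) for predicate in self.predicates)


def ip_policy() -> Rules:
    """The first sample: apply to 192.168.1.1 - .20 except 192.168.1.17 - .18."""
    return (Rules()
            .apply_ip_address_range("192.168.1.1 - 192.168.1.20")
            .not_apply_ip_address_range("192.168.1.17 - 192.168.1.18"))


def claim_policy() -> Rules:
    """The second sample: apply only to users holding the Administrator role claim."""
    return Rules().apply_expression(
        lambda ctx: ctx.first_factor_principal.has_claim(
            "urn:identify:rest-api:role", "Administrator"))


def evaluate(rules: Rules, client_ip: str, claims: list) -> bool:
    """Evaluate a policy against a constructed request (client IP plus the user's claims)."""
    return rules.applies_to(RuleContext(client_ip, Principal(claims)))


if __name__ == "__main__":
    admin = [("urn:identify:rest-api:role", "Administrator")]
    for ip in ("192.168.1.1", "192.168.1.16", "192.168.1.17", "192.168.1.21"):
        print(ip, "->", evaluate(ip_policy(), ip, []))
    print("admin claim ->", evaluate(claim_policy(), "10.0.0.5", admin))
    print("user claim  ->", evaluate(claim_policy(), "10.0.0.5", [("urn:identify:rest-api:role", "User")]))
```

Running the script walks the boundary cases of the first sample (first address in the range, an address inside the excluded sub-range, and one just past the upper bound) and then the claim check; reversed or mixed-family ranges are rejected at parse time rather than silently matching nothing.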
    