How to provide user attributes

Preface


To provide user attributes with Authlete, you have to consider the requirements on how your authorization server should handle that information, and then choose the appropriate method.

Methods for providing user attributes


Authlete supports the following three methods for providing user attributes (EP: Endpoint):

| Method | Providing ID Token from Token EP | Providing ID Token from Authorization EP | Providing response from Userinfo EP |
|---|---|---|---|
| Authorization request parameters | response_type includes "code" and scope includes "openid" | response_type includes "id_token" | N/A |
| Authlete API | /auth/authorization/issue | /auth/authorization/issue | /auth/userinfo/issue |
| How it works | On receiving an authorization request from the client, the authorization server authenticates the user, prepares a request including the user attributes, and asks Authlete to create a response to the client by sending the request data. Authlete generates both an ID token and an authorization code, responds to the server with the code, and stores the token in Authlete's database. The token is provided from the token EP on receipt of the valid code. | On receiving an authorization request from the client, the authorization server authenticates the user, prepares a request including the user attributes, and asks Authlete to create a response to the client by sending the request data. Authlete generates an ID token and responds to the server with the token. | On receiving a request at the Userinfo EP from a client, the authorization server prepares a request including the user attributes and asks Authlete to create a response to the client by sending the request data. Authlete generates a Userinfo response including the user attributes. |
| Does Authlete keep user attributes? | Yes. Authlete encrypts the ID token, which contains the user attributes, and stores it temporarily. The token data is kept until the cleanup process for expired authorization codes completes. | No. Authlete doesn't keep any user attributes. | No. Authlete doesn't keep any user attributes. |
| Authorization server's tasks | Implement both the authorization EP and the token EP, and use Authlete as a backend for each EP. | Implement the authorization EP and use Authlete as a backend for the EP. | Implement the Userinfo EP as well as the other EPs described in the columns to the left, and use Authlete as a backend for those EPs. |
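The following added example (not code from Authlete or this article) shows how an authorization server assembles the request bodies for the two Authlete APIs in the table, sending only the claims the client actually requested so that no other user attributes ever leave the server. Parameter names (`ticket`, `subject`, `authTime`, `claims`, `token`) follow Authlete's API reference; the base URL, credentials, user record and credential scheme are assumptions and placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (assumed): substitute your service's values.
AUTHLETE_BASE_URL = "https://api.authlete.example/api"
SERVICE_API_KEY = "SERVICE_API_KEY_PLACEHOLDER"
SERVICE_API_SECRET = "SERVICE_API_SECRET_PLACEHOLDER"

# Constructed sample: the authenticated user's attributes as held by the
# authorization server. Attributes that are not sent never reach Authlete.
USER_RECORD = {
    "sub": "user-1001",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
    "phone_number": "+1-555-0100",  # not requested below, so never sent
}


def select_claims(user, requested):
    """Keep only the claims the client requested (as reported by Authlete)."""
    return {name: user[name] for name in requested if name in user}


def build_authorization_issue(ticket, user, requested, auth_time):
    """Body for /auth/authorization/issue (authorization EP backend). Serves
    both the code flow (ID token later issued from the token EP) and the
    implicit flow (ID token returned directly)."""
    return {
        "ticket": ticket,
        "subject": user["sub"],
        "authTime": auth_time,  # seconds since epoch, when the user logged in
        "claims": json.dumps(select_claims(user, requested)),
    }


def build_userinfo_issue(access_token, user, requested):
    """Body for /auth/userinfo/issue (Userinfo EP backend)."""
    return {"token": access_token,
            "claims": json.dumps(select_claims(user, requested))}


def call_authlete(path, body):
    """POST a form-encoded request to Authlete (credential scheme assumed)."""
    creds = f"{SERVICE_API_KEY}:{SERVICE_API_SECRET}".encode()
    req = urllib.request.Request(
        AUTHLETE_BASE_URL + path, method="POST",
        data=urllib.parse.urlencode(body).encode(),
        headers={"Authorization": "Basic " + base64.b64encode(creds).decode(),
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())
```

Whichever method you choose, the `claims` value is the only place user attributes appear in the request, so it is the single point to audit when checking what is shared with Authlete.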


How to choose the right one


Authlete never keeps user attributes for a long time. When Authlete provides the data from the authorization EP or the Userinfo EP, the data is removed from memory right after the response is sent. Even when Authlete provides the data via the token EP (i.e. using an authorization code), the data is removed once the cleanup process for expired authorization codes completes.

If you have a security requirement that prohibits Authlete from keeping user attributes at all, even encrypted and only for a short period, using the authorization EP or the Userinfo EP is the solution. If sending user attributes to the Authlete API is not permitted for strict security reasons, consider deploying Authlete's on-premises package so that you manage the Authlete service yourself.

The other consideration is operational requirements. If they discourage supporting the implicit flow or a Userinfo EP, the appropriate method is to issue an authorization code from the authorization EP and provide the ID token from the token EP.