All Products
Search

This Product

    Identity as a Service:Overview

    Document Center

    Identity as a Service:Overview

    Last Updated:Mar 29, 2023

    Background

    You can integrate self-developed applications with Identity as a Service (IDaaS) to synchronize IDaaS organizations and accounts to the applications.

    For more information about how to synchronize application accounts to IDaaS, see API operations for application development.

    For more information about how to configure application synchronization, see Synchronize IDaaS accounts on an application in Provisioning. This topic describes how to integrate applications with IDaaS to implement account synchronization.

    • Consistency of dependencies: Related parties may rely on the identity data in your application for marketing or verification. Therefore, you must promptly synchronize IDaaS account changes. For example, when an employee is onboarded, an account is created in IDaaS. To stay on schedule, an account must be created in the HR application at the same time. In this case, you can subscribe to the Create account event.

    • Real-time requirements: Your application must promptly respond to user operations. For example, after a user logs on to the system and changes their mobile number, the mobile number of the user must be updated in your application by using the Update account event.

    Event Callback Mechanism

    The preceding examples are two simple scenarios. Based on different requirements, developers can subscribe to various events to process data accordingly.

    IDaaS provides a convenient and secure method to synchronize IDaaS changes to applications. You can quickly integrate applications with IDaaS to allow the applications to receive synchronization requests.

    This method is implemented by using an event callback mechanism.

    In IDaaS, you can configure an event that you want to follow (such as the Create account event). When the event occurs, a synchronization request is automatically sent to the event subscriber by using HTTP POST.

    The event mechanism consists of the following two parts:

    • Subscribe to an event: Log on to the IDaaS console and configure the IDaaS event that you want to follow.

    • Receive the event callback: The developer must integrate the application with IDaaS to implement account synchronization as required.

    Subscribe to an Event

    After you create an application in IDaaS, click Provisioning to configure account synchronization.

    image

    For more information, see Synchronize IDaaS accounts on an application in Provisioning.

    You can subscribe the application to one or more events. The following figure shows the events that you can follow.

    image

    When a selected event occurs, IDaaS sends a request to the application.

    Receive the Callback

    When a selected event occurs, IDaaS sends a POST request to the configured URL for receiving synchronization requests.

    The following code provides an example on how to configure request parameters:

    Content-Type: application/json;charset=utf-8

// An example of the body of a POST request from IDaaS. After the application obtains the parameters, it verifies the signature.
{
 "event":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

    All the parameters are passed in the event field in the JSON Web Token (JWT) format, which contains the signature. For more information, see RFC 7515: JSON Web Signature (JWS).

    Event Format

    You must use the universal open-source tools for various languages to parse the JWT information.

    For testing purposes, you can also paste the value in the JWT format in the field at https://jwt.io/ to view the content.

    The event value consists of two parts: header and payload.

    Sample header:

    {
    "kid": "KEYH1zR7XLCGcHw1hzhkCqVjnuyaAJUf6yMR",
    "typ": "JWT",
    "alg": "RS256"
}

    Sample payload:

    {
  "iss":"urn:alibaba:idaas:app:event", 
  "sub":"idaas-121313", 
  "aud":"app_12131313",
  "exp":1640966400, 
  "iat":1640966400, 
  "jti": "cNetm9OD5bXqfVfdvqGMYw",
  "dataEncrypted":false,
  "cipherData":"",    
  "plainData":{
    "aliUid":1231313,  // The ID of the Alibaba Cloud account.
    "instanceId":"instance ID",  // The ID of the instance.
    "eventVersion":"V1.0",  // The version number of the event.
    "eventData":[
      {
        "eventId":"",     // The ID of the event.
        "eventType":"",   // The type of the event.
        "eventTime":121313,  // The time when the event occurred.
        "bizId":"business ID",  // The ID of the business. If the business is an organization, the value is the ID of the organization.
        "bizData":{}       // The specific data details. This field value varies with event types. For more information, see address book events.
      }
    ]   
  }
}

    The following table describes the fields contained.

    Parameter

    Position

    Type

    Description

    header

    alg

    header

    String

    Fixed value: RS256.

    The SHA-256 RSA signature that is used.

    kid

    header

    String

    The ID of the public and private key pair issued by IDaaS.

    The public key of the kid is used for signature verification.

    In IDaaS, public and private key pairs can be rotated for synchronization. The synchronized public and private key pairs remain unchanged.

    payload

    iss

    payload

    String

    Fixed value: urn:alibaba:idaas:app:event

    Indicates that the event notification is initiated by IDaaS.

    sub

    payload

    String

    The ID of the IDaaS instance.

    aud

    payload

    String

    The ID of the IDaaS application.

    exp

    payload

    Long

    The expiration time of the event. Unit: milliseconds. The default value is 30 minutes after the creation time.

    If the current time is later than the expiration time, an error occurs when the request is parsed and the application determines that the event is expired.

    iat

    payload

    Long

    The creation time of the event. Unit: milliseconds. If the current time is earlier than the creation time, an error occurs when the request is parsed and the application determines that the event is invalid.

    data_encrypted

    payload

    Boolean

    Indicates whether the event data is encrypted for transmission.

    cipher_data

    payload

    String

    If encryption is enabled, this field is not empty.

    This field is the encrypted ciphertext of the event data. You must decrypt it to view the content.

    plain_data

    payload

    Object

    If encryption is disabled, this field is not empty.

    This field contains all the event data.

    Signature Verification

    The JWT signature must be verified to confirm that the event information is issued by IDaaS. Signature verification prevents request forgery.

    On the synchronization page, you can obtain the public key endpoint to verify the JWT signature and the source of the event sent to the application. We recommend that you use the open-source JWT toolkit of the programming language for signature verification.

    image

    Data Decryption (optional)

    The encrypted transmission of event synchronization data is supported. The encrypted fields are passed in the cipher_data field in payload. 

    {
    ...
    "cipher_data": "ZePq7ckODWnL54vqZc3kTw0vF7tjvIRZjqqy/gZm9oTEt71WMufD9swlmHzZkniSqyDGQpkmMRLCXz9gzRJ4BY2RroLUPQW8ZDPSfmJKEf2m2w6wY1twoRlnHLoFCVhravsvN0afBqmxd3eK5tHd05Ze6MLOXS3fqxqH61dGAm2mwecvAFPRrKVeg6JXBYUvA2Uu6dmCOP3y938kFdhodD13O05MBIqWghq569wYvVjKMFMcnsZqmGGKXN0vRFhg+SR16sr24b1X/gQDbNqyMDICB9k3QMe09dOodwNEwvgxbf1v4PbyCRX1P9UO74nDQaWROWZFplE7qP/JMy3pBr0pxW+hJS9u/Zpvj/hvLlhBTAZkmhAKDKxlrYztqrgJbr4VOUv8mlqxWjDK4I7VZugODJMSwi1HdjXL+wlMzPMOeH8rkDFU+b5VH3dsxg3hZ64Ukd7exB62QyyeIJpfk0d57xw8UACiSsXadexQYpJPDycVdmJ7FAmIhxbJ8I6w9Kcv9U5sKybUz1YA8tONAw=="
    ...
}

    After you enable the feature, you can enter an encryption key or generate an encryption key. Before IDaaS sends an event callback request, IDaaS uses this key to encrypt all the request data before transmission.

    image

    IDaaS uses the AES-256 algorithm for symmetric encryption and encrypts events in the JSON Web Encryption (JWE) format.

    The application must use the same key for decryption to obtain the synchronization data.

    For more information, see Integrate an application to implement user synchronization by using Java.

    Response

    The application must return the processing result of the event according to IDaaS specifications. IDaaS records the result and processes the data based on the returned information.

    Success response

    If the request is processed, the application must return eventId and the result in the following formats.

    Returned field

    Data type

    Description

    successEvents

    Array

    The synchronization is successful.

    skippedEvents

    Array

    The synchronization is skipped. (Example: The application receives a Delete account event but the user does not exist in the application system.)

    failedEvents

    Array

    The synchronization fails.

    retriedEvents

    Array

    The synchronization is retried up to five times.

    -eventId

    String

    The ID of the event in IDaaS.

    If this field is not sent or an invalid eventId is transmitted, a retry is triggered.

    -eventCode

    String

    The error code returned. IDaaS records the result for troubleshooting. You can customize eventCode.

    -eventMessage

    String

    The error message returned. IDaaS records the cause of the result for troubleshooting. You can customize eventMessage.

    Sample success responses

    {
    "successEvents": [
        {
            "eventId": "The ID of the event",
            "eventCode": "SUCCESS",
            "eventMessage": "SUCCESS"
        }
    ],
    "skippedEvents": [
        {
            "eventId": "The ID of the event",
            "eventCode": "The error code returned",
            "eventMessage": "The error message returned"
        }
    ],
    "failedEvents": [
        {
            "eventId": "The ID of the event",
            "eventCode": "The error code returned",
            "eventMessage": "The error message returned"
        }
    ],
    "retriedEvents": [
        {
            "eventId": "The ID of the event",
            "eventCode": "The error code returned",
            "eventMessage": "The error message returned"
        }
    ]
}
    Important

    After the application receives the request, it must respond to the request with the HTTP 200 status code within 10 seconds. Otherwise, IDaaS determines that the synchronization fails and tries to push the event again up to five times at the respective intervals of 1s, 5s, 10s, 10s, and 10s.

    Failure response

    If the processing fails, the application must return the HTTP 403, 429, or 500 status code.

    The following parameters are returned if the processing fails.

    Parameter

    Data type

    Description

    error

    String

    The error code returned.

    error_description

    String

    The error message returned.

    Generally, the following error codes are returned.

    Error code

    HTTP status code

    Description

    invalid_token

    403

    The JWS token is invalid.

    too_many_request

    429

    If the business is busy and returns this error code, IDaaS will use throttling policies.

    internal_error

    500

    Indicates an internal error. IDaaS automatically retries the synchronization.

    Sample error responses

    {
     "error": "invalid_token",
     "error_description": "The JWS token is invalid."
}