Overview of authentication for external users

Authentication includes credentials and authorization. Authentication information for external users is specified in JWTs, and information from these JWTs is recorded in the logs.

Credentials

An external user's credentials consist of a user name and password. This information is stored in the IdP.

Before an external user can make an API call, the caller application sends a request to the appropriate IdP to authenticate the user. This typically consists of confirming that the provided username and password are correct.

For more information on how to configure the IdP, see Configuring the IdP.

Authorization

Endpoint access for external users

Endpoint access defines the aspects of an endpoint's behaviors that are available to a caller. This includes:

  • What endpoints and resource types are available to the caller?
  • What operations can a caller call on the available endpoint?
  • What fields can the caller specify in a request payload or get in a response payload?

Endpoint access is controlled by API roles. An API role is a list of endpoints, operations, and fields that are available to a set of callers through API calls. API roles act as allowlists. By default, a caller has no endpoint access. When the caller is associated with one or more API roles, they gain access to the endpoints, operations, and fields allowlisted in each of those API roles.

When an external user makes a Cloud API call, the call has an associated token map. This consists of information stored in the JWT that came with the call, as well as any information added to the map by the IExpandTokenPlugin plugin. The token map includes a list of one or more API roles. The user is given endpoint access to all API roles whose names correspond to the roles listed in the token map. For example, suppose that Ray Newton is a policyholder. Ray Newton triggers a Cloud API call. The token map identifies the Insured role. Ray Newton is given the endpoint access defined in the API role named "Insured".

For more information on how API roles are configured, see Endpoint access.

Resource access for external users

Resource access defines, for a given type of resource, which instances of that resource the caller can access. For example, suppose there is a GET /claims endpoint that is available to policyholders, underwriters, adjusters, and service vendors. All of these callers can use the endpoint to access resources whose type is claim, but none of the callers can access all of the claims. For example:

  • A policyholder may be able to see only the claims associated with the policies they hold.
  • An underwriter may be able to see only the claims for policies assigned to them.
  • An adjuster may be able to see only the claims assigned to them.
  • A service vendor may be able to see only the claims that have a service request assigned to them.

A resource access strategy is a set of logic that identifies the meaning of a resource access ID. The base configuration includes the following resource access strategies for external users:

Strategy name Persona using this strategy The resource access ID is assumed to be... Grants access to...
bc_contactAuthorizationIds Account holders, alternate payers, and producers An array of contact authorization IDs Resources where at least one of the specified contacts has an appropriate business relationship with the resource

When an external user makes a Cloud API call, BillingCenter checks for a resource access token claim.

  • If the resource access token is bc_contactAuthorizationIds, the resource access IDs are treated as a list of IDs for one or more contacts. The user is given access to accounts and information related those accounts where the contact has an appropriate business relationship with the data.

Cloud API requires that the token map have no more than one resource access strategy token.

  • If no resource strategy token is present, the caller is assigned the "default" resource access strategy. In the base configuration, this resource strategy grants access to metadata endpoints only.
  • If multiple resource strategy tokens are present, the call is rejected.

For more information on how resource access behaves, see Resource access.

Proxy user access for external users

When a caller makes a Cloud API call, the internal BillingCenter logic may trigger checks that are unrelated to endpoint access or resource access. For example:

  • A caller may attempt to assign an activity to themselves. BillingCenter must check to see if the caller has sufficient permission to own an activity.
  • A caller may attempt to create a disbursement for $2000. BillingCenter must check to see if the amount of the disbursement exceeds the caller's authority limit.

External users are not listed in the BillingCenter operational database, and therefore do not have any system permissions or authority limits tied to them. To execute these checks, Cloud API makes use of proxy users. A proxy user is an internal user that is assigned to an external user or service when the API call is made. Whenever internal BillingCenter logic must check to see if the caller has sufficient access, the proxy user is checked.

For more information on how proxy user access behaves, see Proxy user access.

JWTs for external users

JSON Web Tokens (JWTs) contain token claims. (In standard JWT parlance, these are referred to simply as "claims". To avoid confusion with claims in the property and casualty insurance sense, this documentation sometimes refers to JWT claims as "token claims".) A token claim is a piece of information asserted about the bearer of the token, such as the bearer's name. For bearer token authentication, authentication information is stored in token claims.

JWTs for external users can include the following token claims:

  • groups - The API roles to assign to the external user.
    • In this token claim, the group name is prefixed by "gwa.<planetclass>.<xc>.", where <planetclass> is set to either "prod", "preprod", or "lower", and where <xc> is the application code (such as "cc" or "pc").
  • scp - The resource access strategy to apply to the resource access IDs
  • bc_contactAuthorizationIds - The resource access IDs (when scp includes cc_contactAuthorizationIds)

For example, the following JWT is for a external user who is a contact whose authorization ID is cc:33544. (Information that is not relevant to Cloud API authorization has been omitted.)

{
    "groups" : [
        "gwa.prod.bc.Account_Contact"
    ],
    "scp": [
        "bc_contactAuthorizationIds"
    ],
    "bc_contactAuthorizationIds": [
        "bc:33544"
    ]
}

Note the following:

  • Based on the groups token claim, this caller will be given endpoint access as defined in the role named "Account_Contact".
  • Based on the scp token claim, this caller's resource access IDs will be interpreted as contact authorization IDs.
  • Based on the bc_contactAuthorizationIds token claim, this caller will have access to information that is accessible to contact bc:33544. For example, if the user is accessing an account and if contact bc:33544 is the account owner, they have view and edit access to the account. But, if contact bc:33544 is only an account payer and not the account owner, they have view only access to the account.

Logging

For each call, information about the caller is logged. The following table lists the fields that provide information about who the caller is, and where the logged value comes from.

Field Value
sub The value of the sub token claim from the JWT
clientId The value of the cid token claim from the JWT
user The user name of the external user