Configuring the reauthorize anonymous user flow
An anonymous user can create an account and start a submission, but not bind the submission within the same session. This could happen because:
- The original session expired (the user left the session with the intent to finish the work later).
- The user switched to a different device.
When an anonymous user wants to return and complete a submission, they must first find
the incomplete submission, and then obtain a new self-signed JWT to authenticate with
PolicyCenter. The POST /job/v1/recover-new-jobs endpoint is designed
for this use case.
- The request body contains search criteria that Cloud API can use to identify incomplete submissions associated with the anonymous account.
- The response contains the incomplete submissions matching those criteria along with a new self-signed JWT.
With the response, the third-party application can identify which submission the anonymous user wishes to complete, and it can use the self-signed JWT to start a new session.
Base configuration behavior
Submission search criteria varies for each line of business and typically depends on
custom aspects of each line of business. Therefore, in the base configuration, the
/recover-new-jobs endpoint always returns 0 results. The
insurer must configure Cloud API to identify the valid search criteria properties
and how to construct a query using those criteria. For more information, see Implementing the /recover-new-jobs endpoint.
Once the endpoint has been configured, it has the following additional behaviors:
- A job cannot be recovered if it is more than 7 days old.
- The endpoint can return a maximum of 5 jobs.
These threshold values can also be configured. For more information, see Configuring general new job recovery behavior.
Configured and implicit criteria
The /recover-new-jobs endpoint has two levels of criteria:
configured and implicit. The configured criteria consist of the criteria
added by the insurer during implementation. For example, an insurer could configure
the endpoint so that searches by first name and last name are supported.
The implicit criteria consist of criteria that are automatically applied to
all /recover-new-jobs searches. This criteria cannot be configured.
The implicit criteria are:
- The job type must be Submission.
- The job status must be Draft or Quoted.
- The account cannot have any bound jobs associated with it.
- The criteria cannot match submissions from multiple accounts. (If it does, the endpoint returns 0 results.)
Returning zero results
There are several circumstances under which the /recover-new-jobs
endpoint returns 0 results.
If there are no jobs matching the specified criteria, the endpoint returns 0 results. This is because no matching job could be found.
If there are one or more submissions matching the specified criteria, but these submissions belong to different accounts, the endpoint returns 0 results. This is because the endpoint is unable to identify which account and which submissions are associated with the caller.
If there are one or more submissions matching the specified criteria, but the account has at least one bound submission or one other non-submission job (such as a renewal), the endpoint returns 0 results. This is because an account with a bound submission or a non-submission job is related to an external user, not an anonymous user. The caller must use the external user auth flow to execute additional calls.
Whenever the /recover-new-jobs endpoint returns 0 results, the
response header does not contain any JWT.
Risk assessment
By design, the /recover-new-jobs
endpoint returns account and job information to an anonymous user. For any endpoint
of this nature, there is a risk that personal information could be returned to a
caller who is not authorized to access that information.