CIAM: End-User Management
The CIAM integration is responsible for telling Accedo One how to register and/or authenticate end-users.
Accedo One does not enforce a specific set of fields or validation rules that the user must be presented with. Instead, for each type of action, Accedo One queries the CIAM integration for the input fields, their types and the display information that apply to the service in question.
When a user attempts to authenticate, the following happens:
- Accedo One finds configured integration for this feature and requests
- The integration responds with a list of InteractiveElements (input fields & associated display information, validation rules, etc).
- Accedo One asks the client application to display these elements to the user in a platform-specific way
- The end-user enters information on their device; the client application validates it against any applicable validation rules (returned by the integration) and submits it to Accedo One
- Accedo One passes this information to the integration, wraps the response credentials (OAuth2 tokens, session token, etc) into standardized, encrypted Accedo One tokens and provides these to the client application.
- At this point the application treats the user as logged in and uses the Accedo One tokens in further communication with Accedo One
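Client-side validation in this flow runs on a device the end-user controls, so an integration should re-apply the same rules when Accedo One passes the submission on. The following is an added example, not Accedo One or IDK code: the element keys (`id`, `type`, `required`, `pattern`, `max_length`) and the `validate_submission` helper are assumptions made for illustration, and the sample data is constructed.

```python
import re

# Constructed sample of what an integration might return for the login action.
# The keys used here are assumptions; the real InteractiveElement schema is
# defined by Accedo One and is not shown on this page.
LOGIN_ELEMENTS = [
    {"id": "email", "type": "email", "required": True,
     "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+", "max_length": 254},
    {"id": "password", "type": "password", "required": True,
     "pattern": r".{8,}", "max_length": 128},
    {"id": "remember_me", "type": "checkbox", "required": False},
]


def validate_submission(elements, submitted):
    """Re-check submitted values against the rules the integration returned.

    Returns {field_id: error}; an empty dict means the submission is acceptable.
    """
    errors = {}
    known = {e["id"]: e for e in elements}
    # Fields that were never offered to the client are rejected outright.
    for field in submitted:
        if field not in known:
            errors[field] = "unexpected field"
    for field_id, rule in known.items():
        value = submitted.get(field_id)
        if value is None or value == "":
            if rule.get("required"):
                errors[field_id] = "required"
            continue
        if rule["type"] == "checkbox":
            if not isinstance(value, bool):
                errors[field_id] = "must be boolean"
            continue
        if not isinstance(value, str):
            errors[field_id] = "must be a string"
        elif len(value) > rule.get("max_length", 1024):
            # Length is checked before the pattern so oversized input never reaches the regex.
            errors[field_id] = "too long"
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            errors[field_id] = "invalid format"
    return errors
```

Only a submission that yields an empty error dict should go on to the credential check.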
The registration flow is very similar to the authentication flow, with the only difference that the initial RPC call is issued to
Development with IDK
To start IDK in CIAM mode, simply run
idk up customer-identity
    $ idk up customer-identity
    grpc-mock Done!
    ui Done!
    customer-identity-api Done!
    router Done!
    Creating network "default-one-idk" with the default driver
    Creating default_customer-identity-api_1 ...
    Creating default_router_1 ...
    Creating default_ui_1 ...
    Creating default_grpc-mock_1 ...
    Creating default_grpc-mock_1 ... done
    Creating default_ui_1 ... done
    Creating default_router_1 ... done
    Creating default_customer-identity-api_1 ... done
    ### IDK environment URLs ###
    - IDK - Admin UI: http://localhost:49186/
The following APIs must be fulfilled by the integration:
IdentityService- as defined in