Authentication
Authentication concerns the confirmation of user identity. The Noumena platform delegates user authentication to an OpenID Connect-compliant Identity and Access Management (IAM) service (e.g. Keycloak). Further details on IAM configuration can be found here. JSON Web Tokens (JWTs) should be obtained from the IAM and attached to all platform requests.
JWT specification
JWTs must be issued by an Identity and Access Management (IAM) provider that is compliant with the OpenID Connect Core 1.0 specification.
Since the authentication is provided by an external provider and the JWT is a standardized specification, its fields and structure are not managed by the engine.
Example of a valid JWT
{
  "iss": "http://www.noumenadigital.com/",
  "sub": "12345",
  "exp": 1630497600,
  "iat": 1630490400,
  "org": "Noumena Digital AG",
  "department": [
    "it"
  ],
  "roles": [
    "engineer"
  ]
}
Reserved claims
Some claims defined by the JWT standard do not make sense for controlling party assignments. For example, claims like iat (issued at) will have a different value whenever the JWT is refreshed. The required fields will be enforced by the OpenID Connect-compliant IAM. To prevent accidental use of such claims, the following claims are actively ignored:
acr
allowed-origins
auth_time
azp
exp
iat
nbf
jti
realm_access
resource_access
session_state
sid
typ
Warning
Creating a protocol instance with a claim contained in the aforementioned ignore list will result in an InvalidEntityClaimsRuntimeErrorException being thrown.
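As an added illustration (not platform code) of the reserved-claims rule above: the snippet below decodes a constructed token payload shaped like the page's example, rejects any party entity specification that names an ignored claim, and otherwise matches the entity against the token. The matching semantics (each required claim value must be present in the token) and the local exception name are assumptions for this example only.

```python
import base64
import json

# Claims the page lists as actively ignored for party assignment.
RESERVED_CLAIMS = frozenset({
    "acr", "allowed-origins", "auth_time", "azp", "exp", "iat", "nbf",
    "jti", "realm_access", "resource_access", "session_state", "sid", "typ",
})

class InvalidEntityClaimsError(ValueError):
    """Local stand-in for the platform's InvalidEntityClaimsRuntimeErrorException."""

def encode_unsigned_token(payload: dict) -> str:
    """Build a compact JWT with an empty signature segment. Constructed sample only:
    real tokens come signed from the IAM and are verified there, not here."""
    def b64url(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(payload)}."

def decode_payload(token: str) -> dict:
    """Parse the payload segment for inspection (no signature check performed)."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(segment))

def reserved_in(entity: dict) -> list:
    """Names in a party entity specification that fall on the ignore list."""
    return sorted(k for k in entity if k in RESERVED_CLAIMS)

def as_set(value) -> set:
    """Normalise scalar and array claim values to a set for comparison."""
    return set(value) if isinstance(value, list) else {value}

def party_matches(entity: dict, claims: dict) -> bool:
    """Assumed semantics: every required claim value must appear in the token.
    Rejects entity specs using reserved claims, as the platform does at instantiation."""
    bad = reserved_in(entity)
    if bad:
        raise InvalidEntityClaimsError(f"reserved claims in party entity: {bad}")
    return all(key in claims and as_set(req) <= as_set(claims[key])
               for key, req in entity.items())

# Constructed sample mirroring the page's example token payload.
SAMPLE_CLAIMS = {"iss": "http://www.noumenadigital.com/", "sub": "12345",
                 "exp": 1630497600, "iat": 1630490400, "org": "Noumena Digital AG",
                 "department": ["it"], "roles": ["engineer"]}
SAMPLE_TOKEN = encode_unsigned_token(SAMPLE_CLAIMS)
```

Calling party_matches({"org": "Noumena Digital AG", "roles": ["engineer"]}, decode_payload(SAMPLE_TOKEN)) returns True, while an entity that names iat or sid raises before any matching is attempted.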