/{customer_id}/config/loginPolicies

Login policies help manage the user login experience by doing such things as specifying the exact path to the Capture domain and the user profile entity type and defining the login URL for the associated directory. All OpenID Connect clients (public clients and confidential clients) must be associated with a login policy.

Login policies can also be used to specify custom claims: custom claims provide a way to return user profile attributes that are not returned by any of the predefined scopes. For example, suppose you have a custom attribute – newsletterSubscriber– that isn’t returned by any of your Hosted Login scopes. You cannot add this attribute to an existing scope, nor can you create a new scope. However, in your login policy you can define a custom claim that will return the newsletterSubscriber attribute:

"customClaims": {
       "id_token": 
           {"subscriber": "newsletterSubscriber"}
     }

In the preceding example, a unique claim name (subscriber) is mapped to the newsletterSubscriber attribute. The value id_token indicates that the custom claim should be returned as part of the identity token. For example:

{
  "iss": "accounts.akamai-documentation.com",
  "sub": "8855454e-8146-11e8-adc0-fa7ae01bbebc",
  "aud": "c2a5b7bc-e329-b4e4-dd6b-eb1ae01c22aa",
  "iat": 1530897246,
  "exp": 1530900246,
  "jti": "ID.rWH0iZkhFNxAoDxR5LhLAOqNj2bQvmMaeQiqhH5BcAU",
  "subscriber": true
}

Alternatively, you can replace id_token with userinfo. When you do that, the custom claim is not returned as part of the identity token; instead, it’s returned when you make a call to the userinfo endpoint.

For more information, see the article OpenID Connect Scopes and Claims.

Authentication

This endpoint requires token-based authentication. To obtain an access token, you must use a configuration client (using the client ID as the username and the client secret as the password) to access the /{customer_id}}/login/token endpoint. The access token returned from the token endpoint is then used in the Authorization header of your API call. For example, if you get back the access token Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB then your Authorization header would look like this when using Curl:

-H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'

In Postman, set the Authorization Type to Bearer and use the access token as the value of the Token field.

Methods

This endpoint supports the following methods:

  • GET
  • POST
GET

Description

Returns information about all the login policies associated with the specified customer.

Path Parameters

The path parameters that must be included in the request are listed in the following table:

Path Parameters
Name Type Required Description

{customer_id}

string

Yes

Unique identifier of the customer associated with the login policy.

Sample Request (Curl)

The following command returns information about the login policies associated with the customer 01000000-0000-3000-9000-000000000000:

curl -X GET \
  https://v1.api.us.janrain.com/01000000-0000-3000-9000-000000000000/config/loginPolicies \
  -H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB'

Responses

200 OK

If your call to this endpoint succeeds, you'll get back information about each of the login policies associated with the specified customer:

{
    "total": 2,
    "_embedded": {
        "loginPolicies": [
            {
                "id": "2dcae965-0d56-4961-a98e-f98583e30bb9",
                "_links": {
                    "self": {
                        "href": "/01000000-0000-3000-9000-000000000000/config/loginPolicies/2dcae965-0d56-4961-a98e-f98583e30bb9"
                    }
                }
            },
            {
                "id": "b8097975-93c7-46db-8cfe-19609e67eadb",
                "_links": {
                    "self": {
                        "href": "/01000000-0000-3000-9000-000000000000/config/loginPolicies/b8097975-93c7-46db-8cfe-19609e67eadb"
                    }
                }
            }
        ]
    }
}
POST

Description

Creates a new login policy, and associates that policy with a customer. This endpoint only creates a login policy; it does not assign that policy to an OIDC client. Instead, you assign a login policy when the client is created.

Path Parameters

The path parameters that must be included in the request are listed in the following table:

Path Parameters
Name Type Required Description

{customer_id}

string

Yes

Unique identifier of the customer associated with the login policy.

Request Parameters

Request parameters for this endpoint must be formatted as a JSON object and included in the body parameter of your API call. For example:

{
    "identityStoreDetails": {
        "type": "janrainCapture",
        "connectionDetails": {
            "domain": "dev-app.janraincapture.com",
            "applicationId": "kfcmdfudasmx9wkay7463vpdsy",
            "entityType": "user",
            "clientId": "96by2t9dav337mvzbybqdfcjmrsd7bn4",
            "clientSecret": "tedywcxnevb6feyb88585f466dp8nsqc"
        }
    },
    "loginURL": "http://akamai-documentation.com/login",
    "title": "Additional Scopes Policy"
}

The key values used in the body parameter include the following:

Keys and Key Values
Key Description

type

Must be set to janrainCapture:

"type": "janrainCapture"

domain (connectionDetails)

URL of your Identity Cloud Capture domain. Your Akamai representative will supply you with domain names available for your use.

For example:

"domain":"dev-app.janraincapture.com"

applicationId (connectionDetails)

Unique identifier of the application associated with the login policy. For example:

"applicationId": "kfcmdfudasmx9wkay7463vpdsy"

clientId (connectionDetails)

Unique identifier of the owner client associated with the Capture application. The owner client is used to access the directory for configuration and user data access.

For example:

"clientId": "96by2t9dav337mvzbybqdfcjmrsd7bn4"

clientSecret (connectionDetails)

Client secret of the owner client associated with the Capture application.

For example:

"clientSecret": " jiu62gun9wkkmi7fgnqx4ppe1476amh99"

entityType (connectionDetails)

Name of the entity type where the user profiles associated with this client are stored. For example:

"entityType": "user"

loginURL

URL of the web page used for Hosted Login logins and registrations. For example:

"loginURL": "http://akamai-documentation.com/login"

title

Friendly name for the new login policy. Note that login policy names do not have to be unique. For example:

"title": "Akamai Documentation Login Policy"

customClaims

Provides a way to return user profile attributes that are not returned by any of the allowed scopes. For example:

"customClaims": {
       "id_token": 
           {"subscriber": "newsletterSubscriber"}
     }

See the discussion at the beginning of this article for more information.

Note that you must include all the keys (with the exception of customClaims) in your request body or your API call will fail. For example, if you leave out the title your call will fail with a 400 Bad Request error and the following error message:

{
  "errors": "('title',) field required"
}

Sample Request (Curl)

The following command creates a new login policy (Documentation Login Policy) associated with the customer 01000000-0000-3000-9000-000000000000:

curl -X POST \
  https://v1.api.us.janrain.com/01000000-0000-3000-9000-000000000000/config/loginPolicies \
  -H 'Authorization: Bearer Ki712dpGq5GPQcsxMHY6ShHY7wU_iTs0o9dPx4TEzf5yLIvddjnDVBJxjPDucf5YVB' \
  -H 'Content-Type: application/json' \
  -d '{
    "identityStoreDetails": {
        "type": "janrainCapture",
        "connectionDetails": {
            "domain": "dev-app.janraincapture.com",
            "applicationId": "kfcmdfudasmx9wkay7463vpdsy",
            "entityType": "user",
            "clientId": "96by2t9dav337mvzbybqdfcjmrsd7bn4",
            "clientSecret": "jiu62gun9wkkmi7fgnqx4ppe1476amh99"
        }
    },
    "loginURL": "http://akmamai-documentation.com/login",
    "title": "Documentation Login Policy"
}'

Responses

201 Created

If your call to this endpoint succeeds, you'll get back the policy ID for the newly-created login policy:

"d4308c4d-f5d5-403f-bbb4-403dbdb3efe6"

Response Codes

The following table includes information about some of the response codes that you might encounter when calling this endpoint.

Response Codes
Response Code Description

400

Bad request. Typically indicates a syntax error; for example, you might have left off a parameter or misspelled a parameter name. Often-times the error description will help you pinpoint the problem; for example:

{
    "errors": {
        " title": [
            "Missing data for required field."
        ]
    }
}