Subsections of Integrations
Admin APIs
Everything that can be done in Admin UI (and a little bit more) can also be done through API calls. This makes it possible to embed administration into other applications and completely customize the UI for administration.
Some of the APIs are limited to a single tenant, for example it is only possible to handle users for a single tenant. The following API:s are bound to a tenant:
- Person
- Users
- Groups
- External systems
- Organisations (depending on permissions)
For external systems and users that have the special permission (manage organisations) to configure tenants it is possible to control which tenant each API call should be handled for by passing the X-IRM-TenantId HTTP Header with the unique identity (UUID) as value.
Within the Users APIs there are special /me endpoints which requires an access token of an actual end-user to be used. Since they represent an actual user, there is no need to pass any Tenant Id.
All other APIs are configuration APIs and instead requires very specific permissions to be used.
Important information about the unique identifiers (GUID:s)
Many APIs allows you to pass a unique identifier in the form of a GUID (UUID), but we recommend you to not do that and instead let Authway create an optimized Id, which is returned in all responses to create APIs. If you need to pass the Id from your code we strongly recommend you to use an algorithm that creates identifiers optimized for the underlying database, or else the performance of the system will be negatively impacted. We can provide you with such algorithm for SQL Server.
Errors from the APIs
We try to use reasonable status codes for different situations in the API. When we return a body with error information, the body follows the Problem Details for HTTP APIs (RFC 7807) standard.
| Status Code | Description | Details |
|---|---|---|
| 400 | Errors in the provided data. | This will always have a problem details body with more information about the error. |
| 401 | Failed to authenticate the call. | |
| 403 | The user or client calling the API is missing the required permission. | |
| 404 | The URL is not matching any API or the id:s in the URL does not match any existing object. | This will often have a problem details body with more information about the error. |
| 500 | An internal server error. | Of course we make our best to not end up with a 500 error, but it could for example be a dead lock situation or that we for some reason couldn’t reach the database at all and so on. |
| 501 | Not implemented or supported. | Very uncommon, but there are scenarios where you can call the API with values that are not incorrect, but still not supported. Another situation is when trying to use an API for a feature that is not part of the bought service. In those cases, we have chosen to give a 501 instead of a 400. This could happen during development, but should never be a case in production if the consumption of the API have been tested correctly, but 400 errors could exist in production and be caused by end-user data. |
| 503 | Infrastructure problem. Most likely temporarily. |
Subsections of Admin APIs
Deprecated APIs
Below is a list of APIs that will be deleted in a future version together with suggestion what to do (if there are any).
2024-10-05
- api/tenants/{tenantId}/modules/{moduleId}/buy is replaced with api/tenants/{tenantId}/modules/{moduleId}/activate
- api/users/{userId}/invitationlink resp. api/users/{userId}/resetlink will retire
{ "initationLink"="https://....." }respectively{ "resetLink"="https://....." }and instead now use a shared model:
{
"link"="https://....."
"validTime"="3.00:00:00"
}2024-07-10 (removed from 1.2.139, 2024-10-16)
This is a breaking change and we have contacted each customer to ensure a quick timeline until this is fixed.
- api/persons will be bound to the current user tenant (or the tenant in HTTP header X-IRM-TenantId). Instead the CreatePersonViewModel contained a TenantId which is still there for compatibility reasons, but should not be used anymore.
2023-05-15 (removed from verison 1.2.110, 2024-09-23)
- api/tenants/{tenantId}/module is replaced with api/tenants/{tenantId}/modules
- api/group/* is replaced with api/groups/*
- api/groups/{groupId}/user is replaced with api/groups/{groupId}/users
OAS 3.0
Events API
Authway has events for many of the things that happens in the service. You can tap into these events and write your own logic by registering a webhook or by using our Event API. Note that webhook feature is only available in the Enterprise edition of the service.
Common Properties in all events
Each event payload also contains properties unique to the event. You can find the unique properties in the individual event documentation.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the aggregate (information entity) that the event happended for. |
| OwnerId | UUID | The unique identifier of the owner (tenant) that the event belongs to. |
| EventId | UUID | The unique identifier for the event. Can be used for idempotency, logging and more. |
| Occured | DateTime | The date and time (in UTC) when the event occurred. |
| CausedByPersonId | UUID | The unique identifier of the user that caused the event (if any). |
| CausedBy | string | The name of the user that caused the event (if any). |
| TraceId | string | The trace id that can be used to trace different actions that is going on in a system. |
IpAddressLocation Properties
Depending on environment and configuration some events will include location information based on the IP address. Sources for this information can also be different when hosting your-self compared to Authway IDaaS.
| Name | Type | Description |
|---|---|---|
| CountryCode | string | The two-letter country code (3166-1) representing the country. |
| Country | string | The name of the country. |
| Region | string | The name of the region. |
| City | string | The name of the city. |
| Latitude | decimal | The latitude. |
| Longitude | decimal | The longitude. |
When an IpAddressLocaiton exist in the event, we garuantee that the CountryCode and Country is set, but the other properties will depend on information availability in the source.
Available Events
Organisation Events
To retrieve all organisation events you use the topic “organisation”.
- OrganisationCreated
- OrganisationUpdated
- OrganisationDeleted
- OrganisationClaimAdded
- OrganisationClaimRemoved
- TrustedDomainAdded
- TrustedDomainRemoved
Person Events
To retrieve all organisation events you use the topic “person”.
User Events
To retrieve all organisation events you use the topic “user”.
- UserCreated
- UserUpdated
- UserDeleted
- UserInvited
- UserLoginAdded
- UserLoginRemoved
- UserUsernameChanged
- UserPasswordChanged
- UserPasswordRemoved
- UserRoleAdded
- UserRoleRemoved
- UserSignInAssociated
- UserSignedIn
- UserSignedOut
- UserSignInFailed
- UserLockedout
- UserUnlocked
- UserConfirmedEmail
- UserConfirmedPhoneNumber
- UserClaimAdded
- UserClaimRemoved
Organisation module Events
To retrieve all organisation module events you use the topic “organisationmodule”.
- ModuleActivatedForOrganisation
- ModuleInactivatedForOrganisation
- ModulePayedForOrganisation
- ModuleUnpayedForOrganisation
Module Events
To retrieve all module events you use the topic “module”.
Subsections of Events API
Organisation Events
Subsections of Organisation Events
OrganisationClaimAdded
An organisation got an organisation claim added. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.organisationclaimadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| ClaimType | string | The type of claim. |
| ClaimValue | string | The claim value. |
OrganisationClaimRemoved
An organisation got an organisation claim removed. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.organisationclaimremoved”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| ClaimType | string | The type of claim. |
| ClaimValue | string | The claim value. |
OrganisationCreated
An organisation is created. It is a new tenant if the ParendId does not have any value (and GroupMotherId and AggregateId is equal). To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.organisationcreated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| GroupMotherId | UUID | The id of the group mother (root organisation) in the organisation tree. For the group mother, this value will be the same as Id. |
| ParentId | UUID | The identity of this tenants parent, if any. |
| Name | string | The name of the organisation |
| IdentityNumber | string | The identity number for the organisation. |
TrustedDomainRemoved
An organisation got a trusted domain removed. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.trusteddomainremoved”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| Domain | string | The domain that was removed. |
TrustedDomainAdded
An organisation got a trusted domain added. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.trusteddomainadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| Domain | string | The domain that was added. |
OrganisationUpdated
An organisation is updated. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.organisationupdated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
| Name | string | The name of the organisation |
| IdentityNumber | string | The identity number for the organisation. |
OrganisationDeleted
An organisation is deleted. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.organisationdeleted”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the organisation. |
Person Events
Subsections of Person Events
PersonCreated
A person is created. It is common for UserCreated to be created at the same time, but it is possible to create a person who are not a user. To retrieve only this event you use the topic “person/irm.aspnetcore.identity.events.personcreated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the person. |
| OrganisationId | UUID | The id of the organisation that the person is added to. |
| FirstName | string | The first (given) name of the person. |
| LastName | string | The last (family) name of the person. |
| string | The email for the person. This can be a different email than the username and/or user email. |
PersonDeleted
A person is deleted. When a person is deleted, so is all user and person events for that person. The metadata is preserved, but no payload data will be available again. To retrieve only this event you use the topic “person/irm.aspnetcore.identity.events.persondeleted”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the person. |
PersonUpdated
A person is updated. To retrieve only this event you use the topic “person/irm.aspnetcore.identity.events.personupdated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the person. |
| OrganisationId | UUID | The id of the organisation that the person belongs to. |
| FirstName | string | The first (given) name of the person. |
| LastName | string | The last (family) name of the person. |
| string | The email for the person. This can be a different email than the username and/or user email. |
User Events
- UserCreated
- UserActivated
- UserUpdated
- UserUsernameChanged
- UserDeleted
- UserDeviceAdded
- UserDeviceCountryAdded
- UserInvited
- UserLoginAdded
- UserLoginRemoved
- UserPasswordAdded
- UserPasswordChanged
- UserPasswordRemoved
- UserRoleAdded
- UserRoleRemoved
- UserSignInAssociated
- UserSignedIn
- UserSignedOut
- UserSignInFailed
- UserLockedout
- UserUnlocked
- UserDeactivated
- UserReactivated
- UserConfirmedEmail
- UserConfirmedPhoneNumber
Subsections of User Events
UserCreated
A user is created. This can happen multiple times for the same user id, since it is possible to delete only the user and then re-create the user. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.usercreated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| Username | string | The username which is unique within the tenant, but can exists for multiple tenants. |
| string | The email address of the user. This is typically the same as Username, but the service can be configured to use PhoneNumber or any username and in thoose cases it can differ. | |
| EmailConfirmed | bool | True if the email is confirmed; otherwise false. |
| PhoneNumber | string | The phone number of the user. In a default configuration phone number is not visible and collected, so it is common for this to be null. |
| PhoneNumberConfirmed | string | True if the phone number is confirmed; otherwise false. |
| ValidFrom | DateTime | The date and time (in UTC) when the user is valid (aka the earliest point in time when the user is allowed to sign-in). |
| ValidTo | DateTime | The date and time (in UTC) when the user is valid (aka the latest point in time when the user is allowed to sign-in). Commonly null. |
| IsSystemUser | bool | True if this user represents a system (aka an external system); otherwise false. |
| SendInvitation | bool | True if an invitation will be send to the user; otherwise false. |
| AdditionalInvitationParameters | string | Additional parameters that should be added to the invitation link. Typically it can contain for example a client id to brand the create account page for a specific client. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserActivated
A user account have been activated, which can be immediately or at Valid from. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.useractivated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
Note that there can be a delay until the event is pushed, but it will always be pushed in correct order.
UserUpdated
A user is updated. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userupdated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| Username | string | Obsolete.Use UserUsernameChanged event to handle changes of the username instead. |
| string | The email address of the user. This is typically the same as Username, but the service can be configured to use PhoneNumber or any username and in thoose cases it can differ. | |
| EmailConfirmed | bool | True if the email is confirmed; otherwise false. |
| PhoneNumber | string | The phone number of the user. In a default configuration phone number is not visible and collected, so it is common for this to be null. |
| PhoneNumberConfirmed | string | True if the phone number is confirmed; otherwise false. |
| ValidFrom | DateTime | The date and time (in UTC) when the user is valid (aka the earliest point in time when the user is allowed to sign-in). |
| ValidTo | DateTime | The date and time (in UTC) when the user is valid (aka the latest point in time when the user is allowed to sign-in). Commonly null. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserUsernameChanged
The username of a user is changed. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userusernamechanged”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| Username | string | The username which is unique within the tenant, but can exists for multiple tenants. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserDeleted
A user is deleted. The user can be deleted, without deleting the person, which also results in that it is possible to re-create the user with the same id. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userdeleted”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
UserDeviceAdded
An user signed in from a new device. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userdeviceadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| DeviceId | string | The unique identifier of the device. |
| FromIpAddress | string | The IP Address of the user that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
UserDeviceCountryAdded
An user signed in from a known device, but a new country. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userdevicecountryadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| DeviceId | string | The unique identifier of the device. |
| FromIpAddress | string | The IP Address of the user that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
UserInvited
A user is invited to create an account. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userinvited”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserLoginAdded
An user added an external login to the account. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userloginadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| LoginProvider | string | The login provider added. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserLoginRemoved
An user removed an external login from the account. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userloginremoved”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| LoginProvider | string | The login provider removed. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserPasswordAdded
An user added a password. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userpasswordadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserPasswordChanged
An user changed the password. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userpasswordchanged”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserPasswordRemoved
An user removed the password from the account. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userpasswordremoved”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserRoleAdded
A user is added to a role. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userroleadded”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| NormalizedRoleName | string | The unique and normalized role name that the user was added to. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserRoleRemoved
A user is removed from a role. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userroleremoved”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| NormalizedRoleName | string | The unique and normalized role name that the user was removed from. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserSignInAssociated
A user has associated a sign-in from an invitation to create an account. This also means that the email address is confirmed. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.usersigninassociated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| AuthenticationMethod | string | The type of authentication that the user used when associating an authentication method. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserSignedIn
A user signed in. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.usersignedin”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| Kind | int | Indicates what kind of situation that caused the event. Can be one of these values: 0. Interactive sign-in where user is fully aware; 1. Automatic sign-in where the user is signed-in automatically by single-sign-on; 2. Refresh where an application uses a refresh token to re-new the user sign-in; 3. Impersonate which is when another user impersonates the user. |
| AuthenticationRequirement | string | The requirment of the authentication process for the user, for example “1FA” or “2FA”. This will only be set when Kind is 0 or 3. |
| AuthenticationMethod | string | The type of authentication that the user used when signing in. This will only be set when Kind os 0 or 3. |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. When kind is 2 (Refresh) this will be the IP Address of the server, not the user, since it is performed over a backchannel. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. Will be the user’s web browser user agent for all Kind except when Kind = 2 (Refresh) which happens in a backchannel. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
More about Metadata
Metadata is a dynamic object that can contain different extra properties that might vary on Kind, protocol used or other factors.
When the event occurs as a result of using OpenId Connect it will include these:
| Name | Type | Description |
|---|---|---|
| ClientId | string | The unique identifier of the client that asked to sign-in the user. |
| ClientName | string | The name of the client that asked to sign-in the user. |
The JSON will be like this:
{
...
metadata: {
clientId: "UniqueClientId",
clientName: "The perfect client"
}
}When the event occurs as a result of a user impersonating another user it will include these:
| Name | Type | Description |
|---|---|---|
| ImpersonatedByUserId | UUID | The unique identity of the user impersonating the user. |
The JSON will be like this:
{
...
metadata: {
impersonatedByUserId: "UniqueUserId",
}
}UserSignedOut
An user signed out. This event only happens when a user activly signs out, and not because of a timeout of a valid sign-in. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.usersignedout”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserSignInFailed
An user failed to sign in. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.usersigninfailed”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
| Reason | numeric | One of the following values indicating the reason to why the sign-in failed: 0. Invalid credentials, 1. Locked-out user, 2. Inactive user, 3. Impossible travel, 4. Module not activated for tenant or 5. Module is offline. |
| BreachedPasswordUsed | bool | true if a breached password have been used for this failed sign-in; otherwise false. If password wasn’t used or if breach detection is not configured this will be null. |
UserLockedout
A user account have been locked (commonly because to many sing-in attempts). To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userlockedout”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserUnlocked
A user account have been un-locked. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userunlocked”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserDeactivated
A user account have been de-activated, which is at Valid to. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userdeactivated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
Note that there can be a delay until the event is pushed, but it will always be pushed in correct order.
UserReactivated
A user account have been activated again after beeing de-activated, which can be immediately or at Valid from. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userreactivated”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
Note that there can be a delay until the event is pushed, but it will always be pushed in correct order.
UserConfirmedEmail
An user confirmed the email address. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userconfirmedemail”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
UserConfirmedPhoneNumber
An user confirmed the phone number. To retrieve only this event you use the topic “user/irm.aspnetcore.identity.events.userconfirmedphonenumber”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the user (always the same as the person id for end-users). |
| FromIpAddress | string | The IP Address of the user (or service) that caused the event. |
| IpAddressLocation | IpAddressLocation | Ip address information if available. |
| UserAgent | string | The user agent string from the browser (or service) that caused the event. |
| Metadata | dynamic | A dynamic object with additional data for the event. |
Organisation module Events
Subsections of Organisation module Events
ModuleActivatedForOrganisation
An organisation got a module activated. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.moduleactivatedfororganisation”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the activated module and organisation combination. |
| OwnerId | UUID | The unique identifier of the organisation. |
| ModuleId | UUID | The unique identifier of the module. |
ModuleInactivatedForOrganisation
An organisation got a module in-activated. To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.moduleinactivatedfororganisation”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the in-activated module and organisation combination. |
| OwnerId | UUID | The unique identifier of the organisation. |
| ModuleId | UUID | The unique identifier of the module. |
ModulePayedForOrganisation
An organisation got a module set as payed (after beeing unpayed). To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.modulepayedfororganisation”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the payed module and organisation combination. |
| OwnerId | UUID | The unique identifier of the organisation. |
| ModuleId | UUID | The unique identifier of the module. |
ModuleUnpayedForOrganisation
An organisation got a module set as un-payed (the effect is that users from that organisation can’t sign-in until set as payed again). To retrieve only this event you use the topic “organisation/irm.aspnetcore.identity.events.moduleunpayedfororganisation”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the unpayed module and organisation combination. |
| OwnerId | UUID | The unique identifier of the organisation. |
| ModuleId | UUID | The unique identifier of the module. |
Module Events
Subsections of Module Events
ModuleWentOffline
A module went offline. To retrieve only this event you use the topic “module/irm.aspnetcore.identity.events.modulewentoffline”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the module. |
ModuleWentOnLine
A module went online. To retrieve only this event you use the topic “module/irm.aspnetcore.identity.events.modulewentonline”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the module. |
FunctionalityDeleted
A functionality is deleted. When a functionality is deleted, the permission is also deleted from Group templates, Groups and External Systems. To retrieve only this event you use the topic “module/irm.aspnetcore.identity.events.functionalitydeleted”.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the module. |
| FunctionalityId | UUID | The unique identifier of the funcitonality. |
| Permission | string | The unique identifier of the permission. |
Webhooks
Authway uses webhooks to automatically notify your application any time certain changes happens in Authway.
Webhooks can be set up per event stream, where a stream is responding to a major information object for examples person, user or organisation. It is possible to set up multiple webhooks for a single stream and naturally it is possible to set up webhooks for different streams. The webhooks are grouped in a webhook system. The webhook system will typically be one for the consuming application. If one webhook is failing for a system, all webhooks for that system is stopped, which can affect how you choose to group your webhooks.
By default you will only be able to receive events that is owned by the same tenant as the Webhook is registered for.
Handling events
Choose event to recieve
When configuring a webhook, you can use the API to choose which events will send you payloads. This is done by setting a topic to the stream or a specific event. Only subscribing to the specific events you plan on handling limits the number of HTTP requests to your application. You can also subscribe to all current and future events. By default, webhooks are only subscribed to the future events. You can change the topic at any time, but for an existing webhook, it will only affect future events.
Advanced Topics
A topic is flexible and you can combine more than one “thing” in a topic by separating each identifier with “,”. For example:
| Topic | Description |
|---|---|
| person, user/irm.aspnetcore.identity.events.usersignedin | All events for person and UserSignedIn event. |
| user/irm.aspnetcore.identity.events.usersignedin, user/irm.aspnetcore.identity.events.usersignedout, user/irm.aspnetcore.identity.events.usersigninfailed | The three events UserSignedIn, UserSignedOut and UserSigninFailed. |
| person, user | All events for both person and user. |
Respond immediately to events
When receiving an event to your webhook, it is strongly recommended to respond with a 200 Ok (or another 2XX status code) as quickly as possible. Failing to do so might trigger re-tries which can increase the load of your application more than necessary.
A common pattern to handle webhook events effectivly is to add the event body on a message queue and immediately respond with a success status code. The internal queue can then be processed by a background worker.
Re-tries of failed events
For a configured webhook we guarantee that subscribed events are delivered at least once and in correct order (per webhook). If we get a timeout, a network failure or if we receive a response with status code 408 or any 5XX we’ll retry to send the payload again. Authway uses an exponential backoff scheme when doing re-tries and if all re-tries fails the webhook system will stopped. When this happens we will notify you by the registered e-mail address. It is your responsibility to re-start a stopped webhook system when your application is ready to handle the events again.
If Authway is causing the failure, we will also re-start the webhook system after we have corrected the issue.
Ignoring duplicate events
It is possible to receive the same event more than once, so we recommends that you handle webhook events using idempotent operations. One way of doing this is logging the EventId of the events that you have processed and ignoring subsequent requests with the same EventId.
Order of events
Authway guarantees that events within a webhook is delivered in the same sequence that they are happening. Between webhooks there are no guarantees of ordering, so your logic should handle cases where events are delivered out of order. If you create separate webhook systems, the ordering of the events between these systems is also not guaranteed.
Securing webhooks
Validating events are from Authway
Since the webhook receiver is available on the public Internet it is very important that you validate the incoming request before processing it. We recommend that you start by checking that all three custom HTTP headers are available. From security perspective the X-IRM-Signature header is the important one. Use your secret (that you used during registration) to calculate a HMAC-SHA256 signature of the received body.
C#:
using System;
using System.Security.Cryptography;
using System.Text;
class WebhookSignature
{
public static string ComputeSignature(string data, string secret)
{
HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
byte[] stringBytes = Encoding.UTF8.GetBytes(data);
byte[] hashedValue = hmac.ComputeHash(stringBytes);
return Convert.ToBase64String(hashedValue);
}
public static void Main (string[] args)
{
Console.WriteLine(ComputeSignature("messageBody", "apikey"));
}
} PHP:
function compute_signature($data, $secret) {
return base64_encode(hash_hmac('sha256', $data, $secret, true));
}
echo(compute_signature('messageBody','apikey'));
Require authentication
Authway supports Basic authentication when calling your webhook. You provide the username and password when registering the webhook.
Obfuscating webhook URL
A minor improvment in the security of webhooks is to make the endpoints harder to guess. This can be done by adding a series of random numbers and letters to your endpoint URL. For example https://api.yourapplication.com/webhooks/j490smlkfs034jld94jlae045 is harder to guess than https://api.yourapplication.com/webhooks.
Testing Webhooks
It is not necessary for you to immediately create och deploy a service that can receive webhook payloads. Instead we recommend you to start with ay of the service on Internet that allows you to receive HTTP POST calls, for example https://webhook.site/. That service makes it really easy to get something up and running, and you can easily see the webhook payload directly in your browser.
To start receiving webhooks you must first start (activate) the webhook system by calling api/systems/{systemId}/start. Trigger some events in the source system and you should soon see POST arriving in the browser.
You can also stop the pushing of new events by calling api/systems/{systemId}/stop. If you want to simulate that the system have been stopped because of a failure you can use the same API. Use the source system to create some more events and then start the system again, and you should see all events be posted until it catches up to the last existing event.
You can also get information about the last date/time and event id that have been successfully posted to your webhook by making a get request to api/systems/{systemId}.
Exposing your Local Machine to the Internet
Since all webhooks are pushed over Internet, you’ll have to expose your local machine somehow, if you want to receive webhooks during development. We recommend that you use for example Ultrahook or ngrok to do that.
After configuring a service you’ll have to reconfigure your webhook system to receive payloads on your new URL.
Subsections of Webhooks
Webhook Events and Payload
Webhook Events and Payload
Webhook Common Properties in the Payload
Each webhook event payload also contains properties unique to the event. You can find the unique properties in the individual event documentation.
| Name | Type | Description |
|---|---|---|
| AggregateId | UUID | The unique identifier of the aggregate (information entity) that the event happended for. |
| OwnerId | UUID | The unique identifier of the owner (tenant) that the event belongs to. |
| EventId | UUID | The unique identifier for the event. Can be used for idempotency, logging and more. |
| Occured | DateTime | The date and time (in UTC) when the event occurred. |
| CausedByPersonId | UUID | The unique identifier of the user that caused the event (if any). |
| CausedBy | string | The name of the user that caused the event (if any). |
| TraceId | string | The trace id that can be used to trace different actions that is going on in a system. |
Delivery Headers
The HTTP POST payloads send to your webhook’s configured URL endpoint will contain the following custom HTTP headers:
| Header | Description |
|---|---|
| X-IRM-Signature | A base64 encoded HMAC-SHA256 signature of the body, signed with your API key (secret). |
| X-IRM-Topic | The topic that you registered for this webhook encoded as base64 (UTF8). |
| X-IRM-EventType | A base64 (UTF8) encoded full name of the event, guaranteed to be unique. |
Also, the User-Agent for the requests will be IRM-Webhook.