Application Private Tokens
Basics
Trivore Identity Service (TIS) has the ability to store third party application data as so-called tokens, that consist of three properties. This Token Store may be accessed by Management API Clients. These tokens are private to the API Client. This means that no Management API Client will be able to see the tokens of another Management API Client. However, the user who is the owner of the Management API Client will be able list all tokens in the Web UI in the Application Tokens view.
The token handling is done in the Management API documented earlier. In
the API all the token endpoints are under the /token endpoint. The API
is subject to change, so the reader is advised to refer to the TIS
platform's /apidoc
Application Private Tokens section.
The tokens consist of a related id, key and a value. An example of a token is shown below.
{
"relatedId": "string",
"key": "string",
"value": "string"
}
The relatedId
is a string, which is used as an id reference to other
tokens. The upcoming examples will demonstrate the use of the
relatedId
attribute. The key can be considered the name of the token.
It can be thought to be a field name in a relational database. The
value
attribute contains the actual value of the token. The value is
always encoded as a string so if you want to insert JSON document as a
value you will have to escape it.
Limitations
There are some technical limitations on how application private tokens can be used. Please be aware of them when designing your usage patterns for the tokens.
Maximum token sizes
Maximum token size is 16 MB and there is technically no limit on how many tokens a Management API client can have. However, having lots of large tokens may eventually lead to problems in performance, especially when listing a large number of tokens.
Naming
It is not recommended to use dots (.) in the values of key
and
relatedId
attributes. The dot is a meaningful character in the DBMS
used and may interfere with the underlying filtering mechanism.
Conventions
Keeping consistency across token structures, naming and data structures within tokens is crucial in order to maintain an application utilizing tokens. This section gives some recommendations on how to maintain consistency when using Application Tokens. Still, however, these are only recommendations and in the end the application designers can use whichever conventions they choose.
It is recommended to use the entity ID as the related id. An attribute name should be used as the token key and the attribute's value as the token's value.
When persisting lists, it is recommended to use the JSON syntax. For example a list of words in JSON could be ["apples", "oranges"].
Additionally, tokens can be used to hold complex arbitrary data structures as embedded JSON objects. The JSON objects have to be escaped when persisting.
Example: Mapping an entity relation to tokens
Mapping an entity relation to tokens may not be obvious at first. This
section will walk through a simple example of mapping an entity relation
model to tokens. The TIS Management API token endpoint is documented in
the TIS instance's /apidoc
. See Management API for more detailed instructions on how
to get the most current documentation for the Management API.
Consider the entity relations diagram above. There are projects, which
has one or more products. The projects also have n employees assigned.
Additionally, an employee can be assigned to m
projects. The project
has an id, a human readable name and a list of key words. A product has
an id and a name. An employee has an id, name and an email address.
Creating the project entity
When starting with project creation, the first token to create could be
{
"relatedId": "project1",
"key": "name",
"value": "The project number one"
}
In the token above, for the sake if readability project1 is used as an unique id for the project (underlined). It is up to the application to keep track of related IDs and ensure that they are unique across the token store. One way to ensure this would be to use UUIDs.
After the first token is created the data store has one project with a single attribute. To add another attribute persist a token shown below. Note the JSON escaping in the list.
{
"relatedId": "project1",
"key": "key_words",
"value": "[\"foo\", \"bar\"]"
}
Creating the product entity
We can start creating the product entity by giving it a name.
{
"relatedId": "product1",
"key": "name",
"value": "apples"
}
After creating the product, we can create a token to represent the relation between the product and the project.
{
"relatedId": "product1",
"key": "project",
"value": "project1"
}
Creating the employee entity
The employee is a simple entity with id, name and email address. We will start by creating a token with a name.
{
"relatedId": "employee1",
"key": "name",
"value": "John Doe"
}
After that we may create a token with an email address.
{
"relatedId": "employee1",
"key": "email",
"value": "[email protected]"
}
After we have the basic object created, we can create the relation between the employee and the project:
{
"relatedId": "employee1",
"key": "project",
"value": "[\"project1\"]"
}
If the employee is part of many projects, then we can append the project IDs to the list.
The above steps can be repeated after all project employee info has been saved.
Querying objects
When we want to read the created objects, we will have to query them from the token endpoint.
Listing all tokens
Listing all tokens with filter support will be implemented soon.
Listing tokens based on relatedId and key
Tokens can be listed using the related id. This allows getting all properties for a single entity. For example, we could use the relatedId "employee1" to retrieve the name and email for the employee. Additionally, if we only want to fetch the name of the employee, we can get a single token by relatedId and key. Getting single tokens is extremely useful in situations where the size of the token is more than a few kilobytes.