Events

The OneWelcome Identity platform reports on a variety of events.

See also Access events and the event store in Tulip.

Public events

Public events have a strictly defined payload taxonomy and version. See Public event payload for the list of public events and their payload structure. When breaking changes are made, the payload version of an event is changed accordingly.

The metadata of a public event has the following fields:

Metadata field	Value format	Example value	Presence	Description
agent	String	d725e807-de02-4f70-a271-040e15b62eee	Optional	This is the identifier of the user or machine that this event can be linked to.
aggregateId	String	0b7897ac-3c8f-4067-b23b-d262fc2bffb0	Required	This is the identifier of the aggregate that triggered this event. The concept of aggregates is used to parallelize event processing.
category	String	public	Required	The event category is either `log` or `public`. It is always `public` for public events.
eventId	UUID	3b307680-2f7f-4186-8495-17d4cb82955b	Required	This is the unique identifier for an event.
hostIp	String IPv4 or IPv6	127.0.0.1	Optional	This is the IP address of the client from which this event originated. Normally it's the IP address of the user or machine that generated an event.
metadataVersion	String `<major>.<minor>`	1.0	Required	This is the metadata version of this event.
occurredTime	ISO 8601	2022-07-13T18:59:43.596191+02:00	Required	OffsetDateTime. This is an immutable representation of a date-time with an offset from UTC/Greenwich in the ISO-8601 calendar system
payloadVersion	String `<major>.<minor>`	1.0	Required	This is the payload version of this event.
producerId	String	test-app	Required	This is the service that produced this event.
producerInstanceId	String	test-app	Required	This is the service that produced this event.
producerVersion	String	d921970	Optional	This is the app version of the producer that created this event.
tenantId	UUID	50a7dbf5-ce45-4f57-ab9a-554c23510a01	Required	This is the identifier of the tenant that generated this event.
tags	Array of predefined values	[ "EXPORTABLE" ]	Optional	This is an array of strings that represent the tags for the current event. Allowed values for public events: EXPORTABLE - the event is meant to be exportable outside of the OneWelcome Identity Platform
traceId	String	84e85059-0416-4e4b-85f9-eba03100c7de	Optional	This is a correlation identifier that can be used to trace events originating from the same transaction or request.
type	String	UserSigedInEvent	Required	The event type always ends with `event`.

Example public event:

{
  "metadata": {
    "type": "UserSignedInEvent",
    "category": "public",
    "eventId": "3b307680-2f7f-4186-8495-17d4cb82955b",
    "aggregateId": "d725e807-de02-4f70-a271-040e15b62eee",
    "payloadVersion": "1.0",
    "metadataVersion": "1.0",
    "producerId": "testInstance",
    "producerInstanceId": "testInstance-1",
    "occurredTime": "2022-07-13T18:59:43.596191+02:00",
    "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a01",
    "tags": [
      "EXPORTABLE"
    ],
    "producerVersion": "d921970",
    "hostIp": "127.0.0.1",
    "traceId": "84e85059-0416-4e4b-85f9-eba03100c7de",
    "agent": "d725e807-de02-4f70-a271-040e15b62eee"
  },
  "payload": {
    "userId": "d725e807-de02-4f70-a271-040e15b62eee",
    "identityProviderId": "test-identity-provider",
    "date": "2022-07-13T18:59:43.596191+02:00",
    "destination": "test-service-provider"
  }
}

Log events

A log event largely follows the same format as a public event. It has metadata that depicts the event type, category, and other fields. The most important difference compared to a public event is that the payload in a log event is optional. In addition, the payload is not versioned and does not follow a strictly defined contract. It is mostly used to provide debug information.

The metadata of a log event contains the following fields:

Metadata field	Value format	Example value	Presence	Description
agent	String	d725e807-de02-4f70-a271-040e15b62eee	Optional	This is the identifier of the user or machine that this event can be linked to.
description	String	A user signed in	Required	The description provides additional information about an event.
category	String	log	Required	The event category is either `log` or `public`. It is always `log` for log events
eventId	UUID	3b307680-2f7f-4186-8495-17d4cb82955b	Required	This is a unique identifier for an event.
hostIp	String IPv4 or IPv6	127.0.0.1	Optional	This is the IP address of the client from which this event originated. Typically, it's the IP address of the user or machine that generated the event.
metadataVersion	String .	1.0	Required	This is the metadata version of this event.
occurredTime	ISO 8601	2022-07-13T18:59:43.596191+02:00	Required	OffsetDateTime. This is an immutable representation of a date-time with an offset from UTC/Greenwich in the ISO-8601 calendar system.
producerId	String	test-app	Required	This is the service that produced this event.
producerInstanceId	String	test-app	Required	This is the service that produced this event.
producerVersion	String	d921970	Optional	This is the app version of the producer that created this event.
tenantId	UUID	50a7dbf5-ce45-4f57-ab9a-554c23510a01	Required	This is the identifier of the tenant that generated this event.
tags	Array of predefined values	[ "ERROR", "EXPORTABLE" ]	Optional	This is an array of strings that represent the tags for the current event. Allowed values for log events: EXPORTABLE - The event is meant to be exportable outside of the OneWelcome Identity Platform. ERROR - The event is part of a non-happy flow. USER_FACING_FUNCTION - The event is part of a business function that is observable by the user (this excludes strictly technical events).
traceId	String	84e85059-0416-4e4b-85f9-eba03100c7de	Optional	This is a correlation identifier that can be used to trace events originating from the same transaction or request.
type	String	UserSigedInEvent	Required	The event type always ends with `event`.

Example log event

{
  "metadata": {
    "type": "UserSignedInEvent",
    "description": "A user signed in"
    "category": "log",
    "eventId": "3b307680-2f7f-4186-8495-17d4cb82955b",
    "metadataVersion": "1.0",
    "producerId": "oneex-test-app-1",
    "producerInstanceId": "e0d42d60-a0b1-406e-8b55-b49bde0fe532",
    "occurredTime": "2022-05-02T12:34:50.747866+02:00",
    "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a01",
    "tags": [],
    "producerVersion": "abcdef",
    "agent": "An Agent",
    "userAgent": "userAgent",
    "hostIp": "127.0.0.1",
    "traceId": "84e85059-0416-4e4b-85f9-eba03100c7de"
  },
  "payload": {}
}

Event publishing options

Every tenant can be individually configured to publish log and public events to either Amazon Kinesis Data Streams or an S3 bucket.

Examples

Clients	Public events	Log events	Notes
Single tenant	Amazon Kinesis Data Streams	S3 bucket
Single tenant	Amazon Kinesis Data Streams	Amazon Kinesis Data Streams	Configure separate data streams for each event category.
Single tenant	S3 bucket	S3 bucket	Configure separate folders for public and log events.
Multiple tenants	Amazon Kinesis Data Streams	Amazon Kinesis Data Streams	The tenant ID distinguishes the events for each tenant.

Amazon Kinesis Data Streams

OneWelcome Identity Platform events are wrapped in a JSON object containing an array of events and stored in the data field of an Amazon Kinesis Data Streams record. The structure of the record is described in AWS documentation.

Example of an Amazon Kinesis Data Streams record

{
  "events": [
    {
      "metadata": {
        "type": "BEvent",
        "eventId": "73724fb9-ad9b-493e-be98-4aed7a2a6c69",
        "aggregateId": "0b7897ac-3c8f-4067-b23b-d262fc2bffb0",
        "payloadVersion": "1.0",
        "metadataVersion": "1.0",
        "producerId": "oneex-test-app-1",
        "producerInstanceId": "e0d42d60-a0b1-406e-8b55-b49bde0fe532",
        "occurredTime": "2022-05-02T12:34:50.747346+02:00",
        "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a01",
        "tags": [],
        "producerVersion": "local",
        "agent": "An Agent",
        "userAgent": "userAgent",
        "hostIp": "127.0.0.1",
        "traceId": "de943d73-2f71-4f95-bb31-6762ea236aa9"
      },
      "payload": {
        "testProducerInstanceId": "2022-05-02T12:34:42.802332+02:00_e0d4",
        "testProducerEventCounter": 2,
        "testProducerOperationCounter": 2
      }
    },
    {
      "metadata": {
        "type": "BEvent",
        "eventId": "3b307680-2f7f-4186-8495-17d4cb82955b",
        "aggregateId": "0b7897ac-3c8f-4067-b23b-d262fc2bffb0",
        "payloadVersion": "1.0",
        "metadataVersion": "1.0",
        "producerId": "oneex-test-app-1",
        "producerInstanceId": "e0d42d60-a0b1-406e-8b55-b49bde0fe532",
        "occurredTime": "2022-05-02T12:34:50.747866+02:00",
        "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a01",
        "tags": [],
        "producerVersion": "local",
        "agent": "An Agent",
        "userAgent": "userAgent",
        "hostIp": "127.0.0.1",
        "traceId": "84e85059-0416-4e4b-85f9-eba03100c7de"
      },
      "payload": {
        "testProducerInstanceId": "2022-05-02T12:34:42.802332+02:00_e0d4",
        "testProducerEventCounter": 3,
        "testProducerOperationCounter": 2
      }
    }
  ]
}

Thales recommends that you follow the AWS documentation about how to use data from Amazon Kinesis Data Streams.

Configuring Amazon Kinesis Data Streams

To enable the OneWelcome Identity Platform to push events to Amazon Kinesis Data Streams:

Create a data stream. KMS encryption is optional, but recommended, see step 5 for instructions. Thales recommends using on-demand scaling, so capacity doesn’t have to be managed.

Create an IAM policy (IAM / Policies / Create policy / JSON).

Use the contents specified in the following code block. Replace the placeholders $aws-region, $aws-account-no, and $your-stream-name with resources that are created and known by you.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "Put records role",
          "Effect": "Allow",
          "Action": [
            "kinesis:PutRecord",
            "kinesis:PutRecords"
          ],
          # CHANGE $aws-region, $aws-region and $aws-account-no into meaningful values!
          "Resource": "arn:aws:kinesis:$aws-region:$aws-account-no:stream/$your-stream-name"
      }
  ]
}

Create an IAM Role with a trust policy (IAM / Roles / Create role / Custom trust policy).

The contents are specified in the code block below. 185813010098 is the OneWelcome Identity Platform AWS account. The condition block in this trust policy is optional but recommended. If you provide a token (a random string), it is presented every time the OneWelcome Identity Platform assumes this role to prevent unauthorized access attempts (confused deputy problem).
```
{
  "Version": "2012-10-17",
  "Statement": {
      "Effect": "Allow",
      "Principal": {
          "AWS": "arn:aws:iam::185813010098:root"
      },
      "Action": "sts:AssumeRole",
      # OPTIONAL
      "Condition": {
          "StringEquals": {
              "sts:ExternalId": "some-arbitrary-token"
          }
      }
  }
}
```
Attach the policy from step 2 to the role from step 3.
[Optional] To use a KMS key for record encryption:

The encryption in transit is enabled by default by AWS. Encryption at rest of particular records can be configured using a KMS key. There are two options, AWS managed CMK or customer-managed CMK.

To use a customer-managed CMK for encrypting records in Amazon Kinesis Data Streams, you must allow the put records role to use the key in the KMS key policy. Go to the KMS console and add the following to the KMS key policy:

{
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$aws-account-no:role/$customers-kinesis-put-record-role"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::$aws-account-no:role/$customers-kinesis-put-record-role"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }

Replace the $aws-account-no and $kinesis-put-record-role placeholders with the correct values.

Alternatively, to use an AWS managed CMK, just enable that option. No additional setup is needed.
Share the stream name and IAM role ARN that you created with the OneWelcome Identity Platform.

S3 bucket

The data in the S3 bucket is written by the S3 target of Amazon Kinesis Data Firehose in the Amazon S3 Object name format. Records are pushed into the S3 bucket with a UTC time prefix and the event category, as follows:

YYYY/MM/dd/HH/<Event Category(public or log)>

Amazon Kinesis Data Firehose writes files using the JSON lines format. Every file contains multiple JSON value objects separated by a line break.

Example of a file in an S3 bucket

{"events":[{"metadata":{"category":"public","type":"CEvent","eventId":"b85dca63-064e-4687-8a20-424662e30686","aggregateId":"5241cf5a-e75c-4e76-ad90-5ee345cb07a8","payloadVersion":"1.0","metadataVersion":"1.0","producerId":"oneex-test-app-1","producerInstanceId":"1e40c34f-a439-494a-9782-bd78e615af9b","occurredTime":"2022-07-14T10:38:45.962266+02:00","tenantId":"50a7dbf5-ce45-4f57-ab9a-554c23510a11","tags":["EXPORTABLE"],"producerVersion":"local","agent":"An Agent","userAgent":"userAgent","hostIp":"127.0.0.1","traceId":"42bbfa71-e120-4019-bb3b-1bac895d6085"},"payload":{"testProducerInstanceId":"2022-07-14T10:38:38.913027+02:00_1e40","testProducerEventCounter":1,"testProducerOperationCounter":1}},{"metadata":{"category":"public","type":"CEvent","eventId":"adfdc313-65d6-4c34-9ac2-4ed15d631d01","aggregateId":"ef043115-e0c1-4192-8799-838e67d30bd2","payloadVersion":"1.0","metadataVersion":"1.0","producerId":"oneex-test-app-1","producerInstanceId":"1e40c34f-a439-494a-9782-bd78e615af9b","occurredTime":"2022-07-14T10:38:45.941957+02:00","tenantId":"50a7dbf5-ce45-4f57-ab9a-554c23510a11","tags":["EXPORTABLE"],"producerVersion":"local","agent":"An Agent","userAgent":"userAgent","hostIp":"127.0.0.1","traceId":"aac71e65-8ba5-48f5-bf6c-218166c441c8"},"payload":{"testProducerInstanceId":"2022-07-14T10:38:38.913027+02:00_1e40","testProducerEventCounter":3,"testProducerOperationCounter":1}}],"exportSequence":"1657787927925000001"}
{"events":[{"metadata":{"category":"public","type":"CEvent","eventId":"9088e089-d7a4-4dfa-9e94-7d8c05856fdd","aggregateId":"4527fa7c-08af-4784-a937-2371705cf921","payloadVersion":"1.0","metadataVersion":"1.0","producerId":"oneex-test-app-1","producerInstanceId":"1e40c34f-a439-494a-9782-bd78e615af9b","occurredTime":"2022-07-14T10:38:46.494584+02:00","tenantId":"50a7dbf5-ce45-4f57-ab9a-554c23510a11","tags":["EXPORTABLE"],"producerVersion":"local","agent":"An Agent","userAgent":"userAgent","hostIp":"127.0.0.1","traceId":"c4655afa-abb4-479a-b8cd-07e0a331b21d"},"payload":{"testProducerInstanceId":"2022-07-14T10:38:38.913027+02:00_1e40","testProducerEventCounter":12,"testProducerOperationCounter":3}},{"metadata":{"category":"public","type":"CEvent","eventId":"579d6996-dbc5-4422-86b4-0b2f9b0c456c","aggregateId":"e15ebe05-b633-4b14-a4bc-dbc1499aa5ee","payloadVersion":"1.0","metadataVersion":"1.0","producerId":"oneex-test-app-1","producerInstanceId":"1e40c34f-a439-494a-9782-bd78e615af9b","occurredTime":"2022-07-14T10:38:46.651749+02:00","tenantId":"50a7dbf5-ce45-4f57-ab9a-554c23510a11","tags":["EXPORTABLE"],"producerVersion":"local","agent":"An Agent","userAgent":"userAgent","hostIp":"127.0.0.1","traceId":"93eb21aa-8778-495d-8bf8-c9c291b3465f"},"payload":{"testProducerInstanceId":"2022-07-14T10:38:38.913027+02:00_1e40","testProducerEventCounter":14,"testProducerOperationCounter":4}}],"exportSequence":"1657787928184000001"}

Each line contains a JSON value object with an events attribute that contains an array of events.

Example JSON value object from the file in the S3 bucket

{
  "events": [
    {
      "metadata": {
        "category": "public",
        "type": "CEvent",
        "eventId": "b85dca63-064e-4687-8a20-424662e30686",
        "aggregateId": "5241cf5a-e75c-4e76-ad90-5ee345cb07a8",
        "payloadVersion": "1.0",
        "metadataVersion": "1.0",
        "producerId": "oneex-test-app-1",
        "producerInstanceId": "1e40c34f-a439-494a-9782-bd78e615af9b",
        "occurredTime": "2022-07-14T10:38:45.962266+02:00",
        "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a11",
        "tags": [
          "EXPORTABLE"
        ],
        "producerVersion": "local",
        "agent": "An Agent",
        "userAgent": "userAgent",
        "hostIp": "127.0.0.1",
        "traceId": "42bbfa71-e120-4019-bb3b-1bac895d6085"
      },
      "payload": {
        "testProducerInstanceId": "2022-07-14T10:38:38.913027+02:00_1e40",
        "testProducerEventCounter": 1,
        "testProducerOperationCounter": 1
      }
    },
    {
      "metadata": {
        "category": "public",
        "type": "CEvent",
        "eventId": "adfdc313-65d6-4c34-9ac2-4ed15d631d01",
        "aggregateId": "ef043115-e0c1-4192-8799-838e67d30bd2",
        "payloadVersion": "1.0",
        "metadataVersion": "1.0",
        "producerId": "oneex-test-app-1",
        "producerInstanceId": "1e40c34f-a439-494a-9782-bd78e615af9b",
        "occurredTime": "2022-07-14T10:38:45.941957+02:00",
        "tenantId": "50a7dbf5-ce45-4f57-ab9a-554c23510a11",
        "tags": [
          "EXPORTABLE"
        ],
        "producerVersion": "local",
        "agent": "An Agent",
        "userAgent": "userAgent",
        "hostIp": "127.0.0.1",
        "traceId": "aac71e65-8ba5-48f5-bf6c-218166c441c8"
      },
      "payload": {
        "testProducerInstanceId": "2022-07-14T10:38:38.913027+02:00_1e40",
        "testProducerEventCounter": 3,
        "testProducerOperationCounter": 1
      }
    }
  ],
  "exportSequence": "1657787927925000001"
}

Configure the S3 bucket

To set up an S3 bucket in your AWS account so that OneWelcome Identity Platform can push events to it:

Create a KMS key:
- Key type: “Symmetric”
- Key usage: “Encrypt and decrypt”
- Key material origin: “KMS”, Regionality: doesn’t matter

Add a KMS key policy statement allowing access to the key from the Onewelcome AWS account:

{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy",
    "Statement": [
        {
            "Sid": "Allow an external account to use this KMS key",
            "Effect": "Allow",
            "Principal": {
            # CHANGE THIS
                "AWS": "arn:aws:iam::185813010098:role/events-mycustomer-production"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}

The Statement.Principal.AWS[1] role is the Amazon Kinesis Data Firehose role, ARN, that is created by OneWelcome Identity Platform. Replace the current value in the snippet above with the value supplied by OneWelcome Identity Platform.

Create the S3 bucket with the following policy:

{
  "Version": "2012-10-17",
  "Id": "PolicyID",
  "Statement": [
    {
      "Sid": "StmtID",
      "Effect": "Allow",
      "Principal": {
      # CHANGE THIS
        "AWS": "arn:aws:iam::185813010098:role/events-mycustomer-production"
      },
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
      # CHANGE THIS
        "arn:aws:s3:::customers_bucket",
        "arn:aws:s3:::customers_bucket/*"
      ]
    }
  ]
}

The Statement.Principal.AWS role is the Amazon Kinesis Data Firehose role, ARN, that is created by OneWelcome Identity Platform. Replace the current value with the value provided by the OneWelcome Identity Platform.
Verify that the Statement.Resource reflects the bucket name created and known by you.

Note

Both the KMS key and S3 bucket must reside in the same region.

Public event payload

This section describes the OneWelcome Identity Platform public events generated by the OneWelcome Identity Platform modules. Events are transmitted in JSON format.

Example event in JSON format

{
  "metadata": {
     "type":"AuthorizationGroupDeletedEvent"
     //other metadata fields, check documentation for details
  },
  "payload": {
     "authorizationGroupId":"a4a474cc-7347-4de1-8f21-9dd2939346dc"
  }
}

Public events access module

Event type	Description	Payload fields
ApplicationCreatedEvent	A web client or SAML service provider is created.	applicationId:String, applicationName:String, applicationType:ApplicationType, SamlApplication:SamlApplication
ApplicationDeletedEvent	A web client or SAML service provider is deleted.	applicationId:String
ApplicationUpdatedEvent	A web client or SAML service provider is updated.	applicationId:String, applicationName:String, applicationType:ApplicationType, SamlApplication:SamlApplication
DeviceDeregisteredEvent	A device with all registered users was revoked.	clientId:String
DeviceRegisteredEvent	A device was registered.	clientId:String, appName:String, platform:String, appVersion:String, osVersion:String
DeviceUpdatedEvent	A device was updated.	clientId:String, appName:String, platform:String, appVersion:String, osVersion:String
UserDeviceDeregisteredEvent	The user's registration was removed from the client.	userId:UUID, clientId:String
UserDeviceRegisteredEvent	The user registered on the client.	userId:UUID, clientId:String

Model objects

Model object	Fields
ApplicationType	One of OAUTH, SAML
SamlApplication	entityId:String

Public events delegated administration module

Event type	Description	Payload fields
AuthorizationGroupAttributesChangedEvent	Attributes are changed for the authorization group.	authorizationGroupId:UUID, attributesAdded:List, attributesUpdated:List, attributesRemoved:List
AuthorizationGroupCreatedEvent	The authorization group is created.	authorizationGroupId:UUID, name:String, parentId:UUID
AuthorizationGroupDeletedEvent	The authorization group is deleted.	authorizationGroupId:UUID
AuthorizationGroupMemberAddedEvent	A member is added to the authorization group.	authorizationGroupId:UUID, userId:UUID
AuthorizationGroupMemberRemovedEvent	A member is removed from the authorization group.	authorizationGroupId:UUID, userId:UUID
AuthorizationGroupPoliciesChangedEvent	The authorization group policies were changed.	authorizationGroupId:UUID, policiesAdded:List, policiesRemoved:List
AuthorizationGroupResourcesChangedEvent	The authorization group resources were changed.	authorizationGroupId:UUID, resourcesAdded:List, resourcesRemoved:List
AuthorizationGroupUpdatedEvent	The authorization group was updated.	authorizationGroupId:UUID, oldName:String, newName:String
AuthorizationMemberPermissionAssignmentsChangedEvent	Member permissions wer changed for the authorization group.	authorizationGroupId:UUID, userId:UUID, permissionsAdded:List, permissionsRemoved:List
AuthorizationMemberPolicyAssignmentsChangedEvent	Member policies have changed for the authorization group.	authorizationGroupId:UUID, userId:UUID, policiesAdded:List, policiesRemoved:List
AuthorizationMemberResourceAssignmentsChangedEvent	Member resources were changed for the authorization group.	authorizationGroupId:UUID, userId:UUID, resourcePrivilegesAdded:List, resourcePrivilegesRemoved:List
AuthorizationPolicyCreatedEvent	A policy was created.	id:UUID, name:String
AuthorizationPolicyDeletedEvent	A policy was deleted.	id:UUID
AuthorizationPolicyUpdatedEvent	A policy was updated.	id:UUID, oldName:String, newName:String
AuthorizationResourceCreatedEvent	A resource was created.	id:UUID, name:String, externalId:String, resourceTypeId:UUID
AuthorizationResourceDeletedEvent	A resource was deleted.	id:UUID
AuthorizationResourceTypeCreatedEvent	A resource type was created.	id:UUID, name:String, policyId:UUID
AuthorizationResourceTypeDeletedEvent	A resource type was deleted.	id:UUID
AuthorizationResourceTypeUpdatedEvent	A resource type was updated.	id:UUID, oldName:String, newName:String
AuthorizationResourceUpdatedEvent	The resource was updated.	id:UUID, oldName:String, newName:String, oldExternalId:String, newExternalId:String

Model objects

Model object	Fields
Attribute	key:String, value:String
Permission	One of GROUP_MANAGE, GROUP_POLICY_MANAGE, GROUP_RESOURCE_MANAGE, PERMISSION_MANAGE, PERSON_POLICY_MANAGE, PERSON_RESOURCE_MANAGE, GROUP_MEMBER_MANAGE, POLICY_MANAGE, RESOURCE_MANAGE
ResourcePrivilege	resourceId:UUID, privilegeId:UUID

Public events credentials module

Event type	Description	Payload fields
PasswordUpdatedEvent	The user's password was updated.	userId:UUID

Public events identity module

Event type	Description	Payload fields
IdentityProviderLinkedEvent	An identity provider was linked to a user.	identityProviderId:String, name:String, authenticationLevel:Integer, userId:UUID
IdentityProviderUnlinkedEvent	An identity provider was unlinked from a user.	identityProviderId:String, name:String, authLevel:Integer, userId:UUID
IdentityUpdatedEvent	An identity was updated.	userId:UUID, gender:Gender, emailAddresses:List, phoneNumbers:List, addresses:List , customAttributes:List, name:Name
InvitationGeneratedEvent	An invitation was generated.	userId:UUID
UserActivatedEvent	A user was activated.	userId:UUID
UserBlockedEvent	A user was blocked.	userId:UUID
UserCreatedEvent	A user was created.	userId:UUID
UserDeactivatedEvent	A user was deactivated.	userId:UUID
UserDeletedEvent	A user was deleted.	userId:UUID
UserSignedInEvent	A user signed in.	userId:UUID, identityProviderId:String, date:OffsetDateTime, destination:String (This is the service provider that initiated the authentication request and to which the user is redirected, unless the flow is interrupted due to custom logic.)
UserUnblockedEvent	A user was unblocked.	userId:UUID

Model objects

Model object	Fields
Address	houseNumber:Integer, houseNumberAddition:String, streetName:String, postalCode:String, city:String, region:String, country:String, primary:Boolean, verified:Boolean
CustomAttribute	name:String, value:Object, valueType:CustomAttributeType
CustomAttributeType	One of SINGLE, LIST, MAP
EmailAddress	value:String, primary:Boolean, verified:Boolean
Gender	type:GenderType, customValue:String (Required only for type=OTHER)
GenderType	One of MALE, FEMALE, OTHER, UNSPECIFIED
Name	givenName:String, familyName:String, displayName:String, initials:String
PhoneNumber	value:String, primary:Boolean, verified:Boolean

Compatibility guidelines

JSON can contain null values. Future versions of the OneWelcome Identity Platform might omit event attributes if no value is available. For compatibility reasons, the OneWelcome Identity Platform advises against depending on any processing logic that relies on the presence of attributes having a null value.
Future releases of the OneWelcome Identity Platform might introduce new events and new event sub-attributes. Any processing of OneWelcome Identity Platform events should anticipate such changes. The OneWelcome Identity Platform considers the introduction of these additional items as being backwards compatible.

Events

Public events

Log events

Event publishing options

Amazon Kinesis Data Streams

Configuring Amazon Kinesis Data Streams

S3 bucket

Configure the S3 bucket

Public event payload

Public events access module

Model objects

Public events delegated administration module

Model objects

Public events credentials module

Public events identity module

Model objects

Compatibility guidelines

On this page

Suggest A Change