Responding to Response Required Triggers

Invocation response modes for response required type triggers

You can specify how your application interacts with a response required (REQUEST_RESPONSE) type trigger service by selecting an invocation response mode in the Response Type dropdown when editing or creating a REQUEST_RESPONSE subscription. There are three response modes to choose from: SYNC, ASYNC, and DYNAMIC. These response modes are only available when the subscription type is set to HTTP.

Response Modes	Description
SYNC	This type of response creates a synchronous flow between the trigger service and the custom application. Once a trigger has been invoked, the custom application is expected to respond within 10 seconds. If the application takes longer than 10 seconds to respond, the trigger invocation will terminate without making any decisions.
ASYNC	This type of response creates an asynchronous flow between the trigger service and the custom application. When a trigger is invoked, the custom application does not need to respond immediately. The trigger service will provide a URL and a secret that the custom application can use to complete the invocation at a later time. The application must complete the invocation before the configured deadline on the subscription.
DYNAMIC	This type of response gives the custom application the ability to choose whether it handles the invocation request synchronously or asynchronously on a per-event basis. In some cases, the application may choose SYNC mode because it is able to respond quickly to the invocation. In other cases, it may choose ASYNC because it needs to run a long running task before responding to the invocation.

Responding to response required triggers

SYNC Response

The custom application responds to the trigger invocation with an appropriate payload. For example, the application may receive a request from the Access Request Dynamic Approver trigger. The application will have 10 seconds to analyze the event details and respond with a 200 (OK) status code and a response payload that contains the identity to add to the approval chain. For example, the response may look like this:

200 (OK)

{
  "id": "2c91808b6ef1d43e016efba0ce470906",
  "name": "Adam Adams",
  "type": "IDENTITY"
}

ASYNC Respose

The custom application only needs to acknowledge that it has received the trigger invocation request by returning an HTTP status of 200 (OK) with an empty JSON object (ex. {}) in the response body within 10 seconds of receiving the event. It then has until the configured deadline on the subscription to provide a full response to the invocation. For example, the application may receive a request from the Access Request Dynamic Approver trigger. An example of the request payload that the application might receive is as follows:

{
  "_metadata": {
    "callbackURL": "https://{tenant}.api.identitynow.com/beta/trigger-invocations/e9103ca9-02c4-bb0f-9441-94b3af012345/complete",
    "responseMode": "async",
    "secret": "c1c60493-3347-4550-9c00-123cdde",
    "triggerId": "idn:access-request-dynamic-approver",
    "triggerType": "requestResponse"
  },
  "accessRequestId": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "requestedBy": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Admin",
    "type": "IDENTITY"
  },
  "requestedFor": {
    "id": "2c91808b6ef1d43e016efba0ce470909",
    "name": "Ed Engineer",
    "type": "IDENTITY"
  },
  "requestedItems": [
    {
      "comment": "Ed needs this access for his day to day job activities",
      "description": "Engineering Access",
      "id": "2c91808b6ef1d43e016efba0ce470904",
      "name": "Engineering Access",
      "operation": "Add",
      "type": "ACCESS_PROFILE"
    }
  ]
}

The application will immediately respond to the invocation with a 200 (OK) status code and an empty JSON object.

200 (OK)

{}

Once the application has made a decision about how to respond, it will use the callbackURL and secret provided in the _metadata object from the original request to complete the invocation. An example response might look like this:

POST https://{tenant}.api.identitynow.com/beta/trigger-invocations/e9103ca9-02c4-bb0f-9441-94b3af012345/complete

{
  "secret": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "output": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Adams",
    "type": "IDENTITY"
  }
}

DYNAMIC Response

The custom application determines arbitrarily whether to respond to the trigger invocation as SYNC or ASYNC. If the application is supposed to respond as SYNC, it should follow the SYNC response type directions, responding within 10 seconds of the invocation. In the case of ASYNC, the custom application only needs to acknowledge that it has received the trigger invocation request with a 202 (Accepted) within 10 seconds of receiving the event. It must complete the invocation at a later time by using the callbackURL and secret provided in the _metadata object.

An example of the request payload that the application might receive is as follows:

{
  "_metadata": {
    "callbackURL": "https://{tenant}.api.identitynow.com/beta/trigger-invocations/e9103ca9-02c4-bb0f-9441-94b3af012345/complete",
    "responseMode": "async",
    "secret": "c1c60493-3347-4550-9c00-123cdde",
    "triggerId": "idn:access-request-dynamic-approver",
    "triggerType": "requestResponse"
  },
  "accessRequestId": "4b4d982dddff4267ab12f0f1e72b5a6d",
  "requestedBy": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Admin",
    "type": "IDENTITY"
  },
  "requestedFor": {
    "id": "2c91808b6ef1d43e016efba0ce470909",
    "name": "Ed Engineer",
    "type": "IDENTITY"
  },
  "requestedItems": [
    {
      "comment": "Ed needs this access for his day to day job activities",
      "description": "Engineering Access",
      "id": "2c91808b6ef1d43e016efba0ce470904",
      "name": "Engineering Access",
      "operation": "Add",
      "type": "ACCESS_PROFILE"
    }
  ]
}

To respond as SYNC, simply respond to the invocation within 10 seconds.

200 (OK)

{
  "id": "2c91808b6ef1d43e016efba0ce470906",
  "name": "Adam Adams",
  "type": "IDENTITY"
}

To respond as ASYNC, start by responding to the invocation with a 202 (Accepted).

202 (Accepted)

{}

Then, use the callbackURL and secret to send a POST request to the invocation with the decision.

POST https://{tenant}.api.identitynow.com/beta/trigger-invocations/e9103ca9-02c4-bb0f-9441-94b3af012345/complete

{
  "secret": "0f11f2a4-7c94-4bf3-a2bd-742580fe3bde",
  "output": {
    "id": "2c91808b6ef1d43e016efba0ce470906",
    "name": "Adam Adams",
    "type": "IDENTITY"
  }
}

---

Trigger invocation status

To check the status of a particular trigger invocation, you can use the list invocation statuses endpoint. The status endpoint works for both REQUEST_RESPONSE and FIRE_AND_FORGET triggers. However, the status of FIRE_AND_FORGET trigger invocations will contain null values in their completeInvocationInput since FIRE_AND_FORGET triggers don't need a response to complete.