Pablo Cibraro

My notes about software development, security and other stuff.

The Pull and Push models for Identity

Most Identity Platforms (e.g. Okta, Azure AD, Auth0, etc.) support two models these days for passing user identity information to applications. I call these the Push and Pull models.

In the push model, the Identity Provider or Authorization Server pushes a set of attributes or claims about the user identity in the identity token (e.g. a SAML assertion or an OpenID Connect ID Token) to the target application. As this token is cached as part of the user session on the application side, the data sent in it has to be minimized. For example, OpenID Connect offers a fixed set of attributes that can be sent in an ID token (JWT), such as given_name, family_name, nickname or email, to name a few. SAML 2.0 is more flexible in that aspect: the identity provider can potentially send any attribute in a SAML token. However, Identity Providers usually put some restrictions on the data that can be sent. For example, Azure AD does not let you add more than 25 roles or user groups in the token.

The pull model is quite the opposite. The Identity Provider exposes a user profile endpoint or API to retrieve additional identity information about the user. Once the user has been authenticated, the application can call that endpoint to retrieve any information that was not initially presented in the identity token. Each identity provider implements this API in a different way, but they all offer similar functionality, which includes advanced filtering or profile updates.
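The two models side by side, as an added example that is not from the original post or from any of the identity platforms it mentions. The pushed claims arrive in a signed ID token, which the application must validate (signature, issuer, audience, expiry) before trusting; the pulled claims come from the provider's userinfo endpoint, called with the access token, and the application must check that the `sub` in the pulled profile matches the `sub` in the ID token before merging the two. Everything here is constructed: the HS256 shared secret, the issuer URL `https://idp.example`, the client id `app-123`, and the in-memory `fetch_userinfo` stand in for a real provider and an HTTPS call to its userinfo endpoint. Real deployments use the provider's published signing keys (usually RS256/ES256 via JWKS) rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for a real identity provider and application.
KEY = b"constructed-shared-secret"
ISSUER = "https://idp.example"
CLIENT_ID = "app-123"
NOW = 1_700_000_000


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Build the token the provider *pushes* (HS256, constructed for the example)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Validate a pushed ID token before trusting any claim in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


# Constructed userinfo store, keyed by access token. The 40 groups illustrate a
# profile attribute too large to be pushed in the token under a provider limit.
CONSTRUCTED_USERINFO = {
    "access-token-abc": {
        "sub": "user-42",
        "given_name": "Ada",
        "nickname": "ada",
        "groups": [f"group-{i}" for i in range(40)],
    }
}


def fetch_userinfo(access_token: str) -> dict:
    """Stand-in for an HTTPS GET to the provider's userinfo endpoint with a Bearer token."""
    if access_token not in CONSTRUCTED_USERINFO:
        raise PermissionError("invalid access token")
    return dict(CONSTRUCTED_USERINFO[access_token])


# JWT/OIDC bookkeeping claims that are not profile data.
_RESERVED = {"iss", "aud", "exp", "iat", "nbf", "nonce", "azp", "at_hash"}


def build_user(id_token: str, access_token: str, now: int = None, fetch=fetch_userinfo) -> dict:
    """Push first (verified ID token), then pull the rest (userinfo) and merge them."""
    now = int(time.time()) if now is None else now
    pushed = verify_id_token(id_token, KEY, ISSUER, CLIENT_ID, now)
    pulled = fetch(access_token)
    # OIDC requires the pulled profile to describe the same subject as the ID token.
    if pulled.get("sub") != pushed.get("sub"):
        raise ValueError("userinfo sub does not match ID token sub")
    user = {k: v for k, v in pulled.items()}
    # Signed, pushed claims win on conflict; pulled claims only fill the gaps.
    user.update({k: v for k, v in pushed.items() if k not in _RESERVED})
    return user


EXAMPLE_ID_TOKEN = mint_id_token({
    "iss": ISSUER, "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 300,
    "sub": "user-42", "given_name": "Ada", "email": "ada@example.com",
}, KEY)

if __name__ == "__main__":
    print(json.dumps(build_user(EXAMPLE_ID_TOKEN, "access-token-abc", now=NOW), indent=2))
```

The `sub` comparison is the check most often forgotten when bolting a userinfo call onto an existing login flow: without it, a profile fetched with the wrong (or a stolen) access token would be silently attached to the session established by the ID token.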