Users existing in external authentication provider can be represented inside Jazer through external user (core.external-user) documents. External authentication provider should create an external user for each user that it holds. The provider can for created external user create a token (core.external-user.token) and give it to the client. The client using given token can access Jazer. At any time external authentication provider can delete a token, i.e. revoke access. It is important to note, the client should never be able to directly create an external user/token. The client should always go through external authentication provider (proxy) to create a user/token.
External user document is a fully-featured authentication identity as is in-house user (core.user) document. They can be used in ACL records and can be members of user groups.