Authentication
Authentication refers to how your users will securely identify themselves to your application. It is also a complex topic, as each application will have its own requirements. There will be several important topics to understand so that you can configure your authentication flows to fit your needs.
Testing
If you have not already, set up a test application such as the debug-app described in the Getting started section. It gives you a way to view and debug your authentication flows, confirm that the user experience is what you intended, and check that the information you want passed to the application is actually present.
Authentication topics
📄️ Understanding Flows
An authentication flow defines the experience your user will go through in securely identifying themselves to your application. It is a container of challenges, screens, and actions during login, registration, and other workflows. When we refer to a named flow in the documentation, we are simply referring to such a container, some of which are built in, and some of which you can create and configure yourself.
📄️ Username-Password
Username-password authentication is part of the default browser flow. If you select this flow from the Flows tab, you will see the steps that make up the flow.
📄️ Social Login
If you use the default browser flow, any social identity providers you configure are added to your authentication flow automatically.
📄️ Magic Links
Magic links are a type of password-less authentication that allow your users to log in to your application following a link that is emailed to them, rather than typing a username and password. We wrote a blog post with more details and advantages/disadvantages in the Magic Links Guide.
📄️ One-time Passwords
A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session. Because each code is valid only once, and usually only for a short time, a captured OTP cannot be replayed, which makes it stronger than a static password, especially a user-chosen one, which may be weak or reused across multiple accounts.
📄️ WebAuthn
WebAuthn is a web standard for password-free login. At its core, it is a browser-based API that allows web applications to simplify and secure user authentication by using registered devices (phones, laptops, etc.) as factors. It uses public key cryptography, with each credential bound to the site that registered it, which protects users from even sophisticated phishing attacks: a credential registered for your site cannot be used to sign in on a look-alike domain.
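The phishing resistance comes from checks the relying party performs on what the browser and authenticator hand back. As an added example, not the platform's own code, here are the standard-library parts of verifying a WebAuthn assertion: the challenge must be the one the server issued, the origin (filled in by the browser, not the page) must be the server's own, the rpIdHash must match, user presence must be set, and the signature counter must move forward. The relying-party ID, origin and the constructed client data are assumptions for the example; the final signature check over `authenticator_data || sha256(client_data_json)` against the stored public key needs a crypto library and is left out:

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Tuple

# Assumed relying-party settings for this example.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for binary fields."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_client_data(challenge: bytes, origin: str, typ: str = "webauthn.get") -> bytes:
    """Constructed stand-in for the clientDataJSON the browser builds and the
    authenticator signs over. The browser, not the web page, sets the origin."""
    return json.dumps(
        {"type": typ, "challenge": b64url_encode(challenge), "origin": origin}
    ).encode("utf-8")


def make_authenticator_data(rp_id: str, counter: int, user_present: bool = True) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(
    client_data_json: bytes,
    authenticator_data: bytes,
    expected_challenge: bytes,
    last_counter: int = 0,
    expected_origin: str = EXPECTED_ORIGIN,
    rp_id: str = RP_ID,
) -> Tuple[bool, str]:
    """Return (ok, reason) for the relying-party checks that need no public key."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "challenge is not base64url"
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch"
    # This is the anti-phishing check: an assertion produced on another origin
    # carries that origin, and the signature covers it, so it cannot be edited.
    if client_data.get("origin") != expected_origin:
        return False, "origin mismatch"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode("utf-8")).digest()):
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase"
    # Remaining step (not shown): verify the signature over
    # authenticator_data + sha256(client_data_json) with the credential's stored public key.
    return True, "ok"
```

In practice use a maintained WebAuthn library for the full verification, but keep these checks in mind when reviewing one: a library that skips the origin or challenge comparison gives up exactly the property the paragraph above promises.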
📄️ Enterprise SSO
The goal of enterprise SSO is to allow corporate or other organization users to securely access all of the applications and resources available to them with a single authentication. Support for SSO in this context is allowing organizations to use their own identity providers to authenticate with your application.
📄️ Complex Flows
It is possible to create complex authentication flows with many options and conditionals. Each application use case is unique, and it may be necessary to combine some of the examples from the other sections in order to meet your specific needs. While no one guide can be comprehensive in this regard, we present a real-world example to facilitate understanding of how different authentication methods can work together in a single flow.