Custom Passwordless Login
This guide details how to set up a passwordless flow. The same flow can be used to configure users to log in with an email address, a phone number, or any other custom flow you might have. You can direct the user to a custom login screen, then use Authress to generate a login code, and then forward the user to that screen to log in with the code. Authress supports this via the Custom connection configuration.
The easiest way to set this up is first configure a custom connection that you own. Instead of adding a custom connection to handle a third party provider that doesn't offer a compliant OAuth2.1 or SAML connection, you can set up a custom connection to handle your additional needs explicitly.
Background: The Authress login flow​
The standard Authress login flow, starts in your web app. The user requests to login, which generates a login request using one of your configured Authress connections. The connectionId and applicationId are passed to the login SDK. This is the same flow your application is already using to login with Authress, and it will be reused for your passwordless flow, so no changes are necessary to your web app. As a reminder these are the relevant SDK methods:
import { LoginClient } from '@authress/login';
const loginClient = new LoginClient({
// Both of these properties can be found and configured at:
// https://authress.io/app/#/manage?focus=applications
authressApiUrl: 'https://auth.yourdomain.com',
applicationId: 'YOUR_APPLICATION_ID'
});
// This will redirect the user to your custom connection UI,
await loginClient.authenticate({
connectionId: 'SERVICE_CLIENT_ID'
});
// The rest of the flow is the same as in other connection provider logins with Authress.
Setup​
The setup for the passwordless flow follows the Authress Custom Identity Provider connection guide. Follow this guide and once completed return to this page. The guide walks through creating new component for handling email collection and email sending. Once completed your flow should look like this:
Start the Email Passwordless Guide.
In that guide where you see the use of the Verified User ID, replace that with the user's email address.
[Optional] Automatic connection linking​
When a user logs in Authress supports automatically linking the current login connection with other login connections if:
- Both identity provider connections are set to enable
Automatic Linking - Both generate user identities contain the
email_verified: trueproperty.
To enable Automatic Linking for both connections, go to Authress > Identity Connections > Select the connection > Advanced Tab > User Identity Linking. And then select: Automatically link identities whenever possible:
Second, Authress will validate that the user identity that is returned from the provider has a trusted contact data. Not all providers return a contact email, and not all emails nor providers are trustworthy. If the provider is trusted via (1) above, and that the provider trusts the contact data from the user, usually the email address, then the user will automatically logged in with their already existing user identity.
As an example, if:
- A user logged in Google previously
- Google set the
email_verifiedproperty totrue - The Authress preconfigured Google connection is set to enable Automatic Linking
And then the user logs into a second connection, such as your custom passwordless or another preconfigured connection AND:
- That connection has Automatic Linking enabled
- The user identity return from the provider includes the
email_verifiedproperty set totrue(This value is automatically set by the Authress SDKs.)
Then the user will automatically be logged in with their previous user identity and the user ID assigned to the user will be the same.
If either connection is set to Explicit Linking or if either connection does not have the email_verified attribute, then users can be linked using the Linking User Identity strategy guide.