User Authentication and Login
Authress provides fundamentally a way for your users to log in using any strategy they want. Usually this means one of:
- A federated social provider
- OpenID, OAuth2, SAML, or other standards
- A direct account integration or passwordless using FIDO2 via WebAuthN
- SSO via their corporate identity provider
There are many more but these are the most common ones.
Authress also enables your customers to create applications than can utilize your platform as a login mechanism for their software. In Authress that is called creating a Platform Extension.
Login Configurationโ
To configure login using Authress, start by following the general setup guide for enabling identity provider authentication. After doing so your users will be able to log in using an Authress hosted login screen or a custom one:
API authenticationโ
Alternatively, if you looking for how to configure machine clients or add API keys and configure security your existing API endpoints, see the API authentication guide.
Tenantsโ
Your users' accounts each are grouped into the tenant they belong to. When a customer signs up, you have the opportunity to create a new Authress Tenant. Each Tenant represents a different customer, and each tenant can have its own dedicated SSO login strategy. While most tenants will use one of the common login mechanisms, some will will bring their own corporate IdP. Tenants provides the way to identify and secure these login mechanisms within Authress.
Specifically, when a new tenant is created, the customer owner can also create a new Authress Identity Connection which stores the configuration that tenant needs to log in. Each tenant can have its own strategy for authentication. For how to configure tenants and custom user SSO, see Tenants and organization management.
Depending on your configuration and the user's corporate SSO setup, this will be the default user sign in experience. This is a global configurable screen that enables you to pick your preferred connections and let the user enter their SSO domain. Depending on your customer's preferred integration options you can enable this dialog to fix your needs. With this users can successfully log into your platform directly.
Multifactor and Passkey supportโ
For situations where a single factor authentication is not enough or a user's federated identify provider is not sufficient for the security of your application, you can add multifactor support. Authress supports adding a multifactor hardware or software device to any connection. That means, even for social connections, a hardware device such as a Yubikey can be added to the user's account to require an additional level before completing authentication.
Users can add any number of security keys to their account:
Then, during their login attempt they'll be automatically asked to provide their key.
Configuring user security keysโ
To configure user keys, redirect a login user to the Security Keys page:
import { LoginClient, UserConfigurationScreen } from '@authress/login';
const loginClient = new LoginClient({ authenticationServiceUrl: 'https://auth.yourdomain.com' });
await loginClient.openUserConfigurationScreen({
redirectUrl: window.location.href,
startPage: UserConfigurationScreen.MFA
});