About Modifying Login Flow
With Cloudentity Extensions, developers can narrow down or suggest the list of identity sources presented to the end users during the authorization flow. When the user needs to authenticate and there is a large number of identity sources available, it is best to provide them with identity sources that are tailored to the user and their session context. With Cloudentity Extensions, you can:
- Display selected identity sources based on a specific email domain
- Display selected identity sources tied to a specific client application
- Display selected identity sources based on an incoming IP address
- Display selected identity sources based on the provided username of the end user
Learn more
You can learn more about Cloudentity Extensions and modifying the login flow by reading the Extending Cloudentity Capabilities article.
Available Inputs
When creating Extension scripts that modify the login flow for end users, developers may use the following input objects:
- request: access to the request information, such as headers or query parameters. Sample input:
- client: access to information about the client application that initiated the authorization flow. Client schema:
- idps: access to the list of identity sources. Sample input:
Tip
You can see the available input example in the Extensions editor:
Available Output
Extensions modifying the login flow for end users produce one output object:
- idps_ids: an array of identity source identifiers returned by the Extension script. In other words, this object lists the identity sources that the end user can use for authentication; any identity source not in the array is not offered.
Example Output
{ "idps_ids": [ "c9h7eug70d3tqc8c272g", "70d3tqc8c272gc9h7eug" ] }
Modify Login Flow for End Users
- When creating the Extension, use the available inputs, outputs, and dependencies.
  Creating Extensions
  For instructions on how to create Cloudentity Extensions, test them using test mode, and learn the recommended best practices when working with Extensions, see the Creating and Testing Extensions how-to article.
  To check how Extensions modifying the login flow for end users work and look, see the Sample Script section.
- Go to Identity Providers and select the Discovery tab.
- For the radio buttons, select Script.
- Assign the Extension that modifies the login flow.
- Verify the login flow using the Sandbox IDP and the Demo Application/API.
Sample Script
module.exports = async function (context) {
  var idpIDs = [];
  // A header or query parameter may be absent from the request; default to an
  // empty string so that .includes() is never called on undefined.
  var testingHeader = context.request.headers["Testing"] || "";
  var loginHint = context.request.query_params["login_hint"] || "";
  // Walk every identity source in the tenant and keep only those that match
  // all of the criteria below.
  for (var i = 0; i < context.idps.length; i++) {
    if (
      context.client.client_id === "default-demo" &&
      context.idps[i].name === "Default" &&
      testingHeader.includes("value") &&
      loginHint.includes("myuser")
    ) {
      idpIDs.push(context.idps[i].id);
    }
  }
  return {
    idps_ids: idpIDs,
  };
};
In the Extension script above, a for loop goes through the list of all identity sources available within the tenant. If an identity source matches the criteria, for example, the request to the /authorize endpoint included the login_hint query parameter with the value set to myuser (together with the client, name, and header checks in the script), the identifier of that identity source is added to the list of returned identity sources (idps_ids). When the user authenticates, only the identity sources returned by the script are available for use; if no identity source matches all the criteria, the script returns an empty list.
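As an added example (not Cloudentity's own code and not taken from this page), the script below generalises the sample above to all four selection criteria listed at the top of the page: email domain, calling client application, source IP address, and bare username. It assumes only the context shape the sample script relies on (request.headers, request.query_params, client.client_id, and idps[] with id and name). The header name X-Forwarded-For, the client ID partner-portal, the domain acme.example, the CIDR range, the identity source records, and the fallback behaviour are assumptions chosen for illustration.

```javascript
// Added example, not Cloudentity's code. Assumed context shape: context.request.headers,
// context.request.query_params, context.client.client_id, context.idps[] of {id, name}.
// Rule targets, header name and identity source records are constructed for illustration.

// Constructed identity sources standing in for the tenant's real ones.
const SAMPLE_IDPS = [
  { id: "idp-default", name: "Default" },
  { id: "idp-acme-saml", name: "Acme SAML" },
  { id: "idp-partner-oidc", name: "Partner OIDC" },
  { id: "idp-office-vpn", name: "Office VPN" },
];

// Case-insensitive lookup of a header or query parameter; tolerates both a plain
// string and an array of strings (assumption: the runtime may use either shape).
function firstValue(map, name) {
  if (!map) return "";
  const key = Object.keys(map).find((k) => k.toLowerCase() === name.toLowerCase());
  if (key === undefined) return "";
  const v = map[key];
  return Array.isArray(v) ? String(v[0] || "") : String(v || "");
}

// Lower-cased domain part of an email-shaped login_hint, or "" when there is none.
function emailDomain(s) {
  const at = s.lastIndexOf("@");
  return at < 0 ? "" : s.slice(at + 1).toLowerCase();
}

// Dotted-quad IPv4 address to an unsigned integer, or null when malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip lies inside the CIDR block, e.g. ipv4InCidr("10.20.3.4", "10.20.0.0/16").
function ipv4InCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(net);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// First address in X-Forwarded-For (hypothetical header name; trust it only when
// your ingress sets it and discards any client-supplied copy).
function clientIp(ctx) {
  return firstValue(ctx.request.headers, "X-Forwarded-For").split(",")[0].trim();
}

// Ordered rules covering the four criteria the page lists; the first match wins.
const RULES = [
  { // 1. email domain taken from login_hint
    when: (ctx) => emailDomain(firstValue(ctx.request.query_params, "login_hint")) === "acme.example",
    idpNames: ["Acme SAML"] },
  { // 2. the client application that started the flow
    when: (ctx) => ctx.client.client_id === "partner-portal",
    idpNames: ["Partner OIDC"] },
  { // 3. source address inside the office range
    when: (ctx) => ipv4InCidr(clientIp(ctx), "10.20.0.0/16"),
    idpNames: ["Office VPN", "Default"] },
  { // 4. bare username (no "@") as login_hint: local accounts only
    when: (ctx) => { const h = firstValue(ctx.request.query_params, "login_hint"); return h !== "" && !h.includes("@"); },
    idpNames: ["Default"] },
];

// Core selection logic, kept synchronous so it is easy to test in isolation.
function selectIdps(context) {
  const ctx = { ...context, request: context.request || {}, client: context.client || {} };
  const idps = Array.isArray(ctx.idps) ? ctx.idps : [];
  const rule = RULES.find((r) => r.when(ctx));
  const chosen = rule ? idps.filter((idp) => rule.idpNames.includes(idp.name)) : [];
  // Design choice: when no rule matches, or the named sources are not connected to
  // this workspace, offer every source rather than an empty list that blocks login.
  const result = chosen.length > 0 ? chosen : idps;
  return { idps_ids: result.map((idp) => idp.id) };
}

// Builds a constructed context in the assumed shape, for local runs and tests.
function makeContext({ clientId = "default-demo", headers = {}, query = {} } = {}) {
  return { request: { headers, query_params: query }, client: { client_id: clientId }, idps: SAMPLE_IDPS };
}

// Entry point in the shape the page's sample script uses.
async function handler(context) {
  return selectIdps(context);
}
if (typeof module !== "undefined") module.exports = handler;
```

Everything the rules read (login_hint, headers, client_id) is supplied by whoever calls /authorize, so a script like this only tailors which sources are offered; it is not an authentication decision, and the address rule should rely on a header your ingress populates, never on a client-controlled value.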
Verify Modified Login Flow
Besides testing the Extension by running it in Test Mode, you can test it with the Demo Application.
I Do Not Have Demo Application
If the Demo Application is not available within your workspace, do not worry! You can test your modified login flow using any application connected to the Cloudentity platform and your workspace. Enable the OAuth Authorization Code Grant Type in your client application configuration and call the OAuth 2.0 Authorize Endpoint for your workspace. During the flow, you will be asked to authenticate, and the login page should present the list of identity sources returned by your Extension script.
Prerequisites
- Identity sources of your choice are connected to the workspace where the Extension script is available.
- The Extension script is enabled in the Discovery tab of the Identity Providers view.
Test Login Flow
- Within your workspace, navigate to Dashboards > Overview and select the Launch portal button for the Demo Application (in the Connected portals panel).
  Optionally, you can access the Demo Application under the https://{tid}.authz.cloudentity.io/{tid}/{aid}/demo URL, where the {tid} variable stands for your tenant identifier and the {aid} variable stands for your workspace (authorization server) identifier.
- Select LOGIN TO DEMO APP.
Result
The list of all identity sources available for the workspace should be filtered, and only the identity sources returned by the Extension script should be available for use.