# Add conditional authentication
With conditional authentication, the login flow of an application depends on the risk factors associated with the user's login request. This allows you to strengthen the authentication flow when the risk is higher. In Asgardeo, conditional authentication is configured using a script.
## Authentication script
The authentication script for configuring dynamic authentication flows in Asgardeo uses a functional language similar to JavaScript. You can configure the script using the script editor in the Asgardeo Console. You can either use a template or write a custom script.
This scripting language supports a set of inbuilt functions and objects. A simple conditional authentication script will look like the following:
```javascript
var onLoginRequest = function(context) {
    // Some possible initializations...
    executeStep(1);
    if (doStepUp(context) === true) {
        executeStep(2);
    }
};

function doStepUp(context) {
    // A function that decides whether to enforce the second step based on the request context.
    return true;
}
```
Note: Find out more about the scripting language in the Conditional Authentication API Reference.
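As an added example (not part of the Asgardeo documentation), the script below extends the skeleton above into a working step-up flow in the spirit of the IP-Based template: the second step is prompted only when the request IP lies outside a set of trusted CIDR ranges, and a malformed or missing IP fails closed into step-up rather than skipping it. `executeStep` with an `onSuccess` callback, `context.request.ip` and `Log.info` are assumed to be the runtime names described in the Conditional Authentication API Reference; the harness at the bottom (`executeStep`, `Log`, `currentContext`, `runFlow`, `executedSteps`) is a local stand-in so the decision logic can be run with Node, and the trusted ranges are constructed sample values.

```javascript
// Added example: IP-range step-up in the Asgardeo-style scripting language.
// Runtime-provided names are stubbed at the bottom so this runs under Node.

// Trusted IPv4 ranges in CIDR notation (constructed sample values).
var trustedRanges = ['10.0.0.0/8', '192.168.100.0/24'];

// Convert a dotted-quad IPv4 address to an unsigned 32-bit number.
// Returns null for anything that is not a well-formed IPv4 address.
function ipToInt(ip) {
  if (typeof ip !== 'string') return null;
  var parts = ip.split('.');
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = Number(parts[i]);
    if (octet > 255) return null;
    n = (n * 256) + octet;
  }
  return n;
}

// True if ip lies inside the CIDR block. Any parsing failure yields false,
// so bad input is treated as untrusted (fail closed).
function ipInCidr(ip, cidr) {
  var cidrParts = cidr.split('/');
  var base = ipToInt(cidrParts[0]);
  var addr = ipToInt(ip);
  var bits = cidrParts.length === 2 ? Number(cidrParts[1]) : 32;
  if (base === null || addr === null || !/^\d{1,2}$/.test(String(bits)) || bits > 32) {
    return false;
  }
  if (bits === 0) return true;            // /0 matches everything; avoids a 32-bit shift
  var shift = 32 - bits;
  return (addr >>> shift) === (base >>> shift);
}

function isTrustedIp(ip) {
  return trustedRanges.some(function (range) { return ipInCidr(ip, range); });
}

// Decide whether to enforce the second step: step up unless the request IP
// is inside one of the trusted ranges.
function doStepUp(context) {
  var ip = context.request ? context.request.ip : null;
  return !isTrustedIp(ip);
}

var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      if (doStepUp(context)) {
        Log.info('Login from untrusted IP ' + context.request.ip + ': requiring step 2');
        executeStep(2);
      }
    }
  });
};

// --- Local harness (assumption: NOT part of the Asgardeo runtime) -----------
// Records which steps the script executed for a constructed request context.
var executedSteps = [];
var currentContext = null;

function executeStep(stepId, options) {
  executedSteps.push(stepId);
  if (options && typeof options.onSuccess === 'function') {
    options.onSuccess(currentContext);   // pretend the step succeeded
  }
}

var Log = { info: function () { /* messages discarded in the harness */ } };

// Run the flow for one request IP and return the list of executed step ids.
function runFlow(ip) {
  executedSteps = [];
  currentContext = { request: { ip: ip } };
  onLoginRequest(currentContext);
  return executedSteps.slice();
}

console.log(runFlow('10.20.30.40'));   // trusted: only step 1
console.log(runFlow('203.0.113.7'));   // untrusted: steps 1 and 2
```

In the real console script the harness section is omitted; the point of the `ipToInt`/`ipInCidr` helpers is that an unparseable address never evaluates as trusted, so a client that presents garbage in the address cannot skip the second step.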
## Script templates
The script editor in Asgardeo comes with a set of predefined templates to get you started with some of the most common conditional authentication scenarios. These scripts contain inline comments explaining the conditions that are applied.
The available templates are categorized as follows:
- Access Control - These templates restrict user login to the application based on specified conditions.
- Adaptive MFA - These templates prompt two-factor authentication for login attempts based on specific conditions.
- Passkey Enrollment - These templates allow users to progressively enroll a passkey authenticator.
The pre-defined templates are listed below.
| Template | Description |
|---|---|
| User-Age-Based | This configures a login flow where users can log in only if their age is over the configured value. The user's age is calculated from the date of birth attribute. |
| Group-Based (Access Control) | This login flow allows login only for users who belong to any of the given set of groups. |
| Session Based | This login flow allows login only for users who have fewer than the configured number of concurrent sessions. |
| Sign-In-Option-Based | This login flow prompts two-factor authentication (2FA) only for users who are signing in with a given option. |
| New-Device-Based | This login flow sends an email notification and/or prompts two-factor authentication for users who log in from a previously unused device. |
| Group-Based (Adaptive MFA) | This login flow prompts two-factor authentication (2FA) for users who belong to any of the given set of groups. |
| IP-Based | This login flow prompts two-factor authentication for users who log in from outside the given IP range. |
| Passkey-Progressive-Enrollment-Based | This login flow allows users to progressively enroll a passkey authenticator. |
If required, you can also use the script editor to add new functions and fields to an authentication script to suit your requirements. See the instructions on writing a custom authentication script.