Add user age-based access control

# Add user age-based access control

To control access to your application based on the user's age, you can apply the User Age-Based conditional authentication template. The age of the user is calculated using the date of birth attribute in the user's profile. Users are redirected to an error page if the date of birth is not specified in the user profile or if the user's age is below the minimum age configured in the template.

# Scenario

Consider a scenario where users who are younger than 18 years should be prevented from signing in to an application and redirected to an error message.

# Prerequisites

You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
Go to the user's profile and update the birth date so that the current age is below 18 years. For instructions, see Manage user profiles.

To enable conditional authentication:

On the Asgardeo Console, click Applications.
Select the relevant application and go to it's Login Flow tab.
Add user-age-based access control using your preferred editor:
Using the Classic Editor

To add user-age-based access control using the classic editor:
1. Click Start with default configuration to define the login flow starting with the username and password login.
2. Turn on Conditional Authentication by switching the toggle on.
3. Select the Access Control > User Age-Based template.
Using the Visual Editor

To add age-based access control using the visual editor:
1. Switch to the Visual Editor tab, and expand Predefined Flows > Conditional Login Flows > Access Control.
2. Click + ADD next to User-Age-Based to add the user-age-based access control script.
3. Click Confirm to replace any existing script with the selected predefined script.
Important

As a security measure, Asgardeo does not allow the usage of two consecutive periods (..) in authentication scripts.

Update the following parameter in the script.

Parameter	Description
`ageLimit`	Minimum age required for the user to log in to the application. For this example scenario, enter `18` as the value.
`errorPage`	The error page to which users are redirected if the age limit is below age limit. The default error page is used if this parameter is not configured.
`errorPageParameters`	Parameters to be passed to the error page. This information will display on the error page.

Click Update to confirm.

# How it works

Shown below is the user age-based conditional authentication template.

// This script will only allow login to application if the user's age is over configured value
// The user will be redirected to an error page if the date of birth is not present or user is below configured value

var ageLimit = 18;

// Error page to redirect unauthorized users,
// can be either an absolute url or relative url to server root, or empty/null
// null/empty value will redirect to the default error page
var errorPage = '';

// Additional query params to be added to the above url.
// Hint: Use i18n keys for error messages
var errorPageParameters = {
    'status': 'Unauthorized',
    'statusMsg': 'You need to be over ' + ageLimit + ' years to login to this application.'
};

// Date of birth attribute at the client side
var dateOfBirthClaim = 'http://wso2.org/claims/dob';

// The validator function for DOB. Default validation check if the DOB is in YYYY-MM-dd format
var validateDOB = function (dob) {
    return dob.match(/^(\d{4})-(\d{2})-(\d{2})$/);
};

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            var underAge = true;
            // Extracting user store domain of authenticated subject from the first step
            var dob = context.currentKnownSubject.localClaims[dateOfBirthClaim];
            Log.debug('DOB of user ' + context.currentKnownSubject.uniqueId + ' is : ' + dob);
            if (dob && validateDOB(dob)) {
                var birthDate = new Date(dob);
                if (getAge(birthDate) >= ageLimit) {
                    underAge = false;
                }
            }
            if (underAge === true) {
                Log.debug('User ' + context.currentKnownSubject.uniqueId + ' is under aged. Hence denied to login.');
                sendError(errorPage, errorPageParameters);
            }
        }
    });
};

var getAge = function(birthDate) {
    var today = new Date();
    var age = today.getFullYear() - birthDate.getFullYear();
    var m = today.getMonth() - birthDate.getMonth();
    if (m < 0 || (m === 0 && today.getDate() < birthDate.getDate())) {
        age--;
    }
    return age;
};

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

Let's look at how this script works.

The validateDOB function validates whether the provided date of birth is correct.
The getAge function calculates the age based on the configured birth date.
When step 1 of the authentication flow is complete, the onLoginRequest function checks whether the age of the user is above the configured age limit.
If the age is below the configured limit, the user is directed to the configured error page.

Find out more about the scripting language in the Conditional Authentication API Reference.

# Try it out

Follow the steps given below.

Access the application URL.
Try to log in as a user who is above 18 years of age. This user will successfully log in to the application.
Log out of the application.
Log in again with a user who is below 18 years. The user will see the following error.