# Write a custom authentication script
Follow this guide to write a conditional authentication script from scratch and to understand its internals.
# Scenario
Let's consider the following simplified set of requirements for your business application:
- User tries to log in to an application with username and password authentication.
- If the user belongs to the manager or employee group, they can access the application. Other users should not be allowed to access the application.
# Prerequisites
You need to register an application with Asgardeo. You can register your own application or use one of the sample applications provided.
- Customize the login flow in your application and enable Username and Password authentication.
- Create two user groups named manager and employee and assign user accounts to them.
For instructions, see the following:
# Start with the default script
To start off, configure conditional authentication for your application and look at the default script that appears once you enable two-step authentication.
```javascript
var onLoginRequest = function(context) {
    executeStep(1);
};
```
The default script above has no conditional logic: it allows every user to access the application after successfully authenticating with username and password.
# Implement onSuccess callback
Now, let's implement what happens when username and password authentication is successful. You can use the onSuccess eventCallback.
```javascript
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Implement what to do when Step 1 authentication is successful.
        }
    });
};
```
# Get user object
If username and password authentication is successful, let's get the user from the context. You can use context.currentKnownSubject.
```javascript
var groups = ['employee', 'manager'];
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting the authenticated user from the first step.
            var user = context.currentKnownSubject;
        }
    });
};
```
# Check membership of the user
Now, let's check whether the user is a member of manager or employee. You can use the isMemberOfAnyOfGroups(user, groups) utility function.
Refer to the inbuilt functions to learn about the other functions that are available.
```javascript
var groups = ['employee', 'manager'];
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting the authenticated user from the first step.
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given groups.
            var isMember = isMemberOfAnyOfGroups(user, groups);
        }
    });
};
```
# Fail authentication
If the user is not a member of either group, fail the authentication and redirect the user back to the application with an error code.
```javascript
var groups = ['employee', 'manager'];
var errorCode = 'access_denied';
var errorMessage = 'You do not have access to login to this app';
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting the authenticated user from the first step.
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given groups.
            var isMember = isMemberOfAnyOfGroups(user, groups);
            if (!isMember) {
                fail({'errorCode': errorCode, 'errorMessage': errorMessage});
            }
        }
    });
};
```
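Because the script only runs inside the Asgardeo script engine, it is worth confirming that the allow and deny paths behave as intended before deploying it. The following is an added example, not code from the Asgardeo documentation or product: it keeps the finished script exactly as written above and supplies stand-ins for the three runtime functions it depends on (executeStep, isMemberOfAnyOfGroups and fail) so the decision can be exercised offline. The stub semantics are assumptions: the constructed user object carries a groups array, membership is matched case-sensitively, and a callback that returns without calling fail() is treated as allowing the login. The real platform's user model and matching rules are its own.

```javascript
// Added example (not Asgardeo's code): a minimal stand-in for the conditional
// authentication runtime so the finished script can be exercised offline.
// The real platform provides executeStep, isMemberOfAnyOfGroups and fail;
// the stubs below only mimic the behaviour this guide relies on (assumption).

// ---- script under test: identical to the final script in this guide ----
var groups = ['employee', 'manager'];
var errorCode = 'access_denied';
var errorMessage = 'You do not have access to login to this app';
var onLoginRequest = function (context) {
    executeStep(1, {
        onSuccess: function (context) {
            var user = context.currentKnownSubject;
            var isMember = isMemberOfAnyOfGroups(user, groups);
            if (!isMember) {
                fail({'errorCode': errorCode, 'errorMessage': errorMessage});
            }
        }
    });
};

// ---- stub runtime --------------------------------------------------------
// The user whose login is being simulated and the decision the script reached.
let simulatedUser = null;
let decision = null;

// Pretends step 1 (username and password) succeeded and invokes onSuccess with
// a context whose currentKnownSubject is the simulated user. If the callback
// returns without calling fail(), the login is recorded as allowed.
function executeStep(stepId, callbacks) {
    const context = { currentKnownSubject: simulatedUser };
    if (callbacks && typeof callbacks.onSuccess === 'function') {
        callbacks.onSuccess(context);
    }
    if (decision === null) {
        decision = { allowed: true };
    }
}

// Case-sensitive match of the user's groups against the allowed list.
// Constructed semantics; the real function's matching rules are the platform's.
function isMemberOfAnyOfGroups(user, groupNames) {
    const userGroups = (user && Array.isArray(user.groups)) ? user.groups : [];
    return userGroups.some((g) => groupNames.includes(g));
}

// Records a denial together with the error the script supplied.
function fail(error) {
    decision = {
        allowed: false,
        errorCode: error.errorCode,
        errorMessage: error.errorMessage
    };
}

// Runs the script for a constructed user with the given group memberships and
// returns the decision object ({allowed: true} or {allowed: false, errorCode, errorMessage}).
function evaluateLogin(username, userGroups) {
    simulatedUser = { username: username, groups: userGroups };
    decision = null;
    onLoginRequest({});
    return decision;
}

// Usage: constructed users covering the allow, deny and no-group cases.
console.log(evaluateLogin('alice', ['manager']));      // { allowed: true }
console.log(evaluateLogin('bob', ['contractor']));     // allowed: false, errorCode 'access_denied'
console.log(evaluateLogin('carol', []));               // allowed: false
```

The deny cases are the ones worth keeping in such a harness: a user with no groups at all and a user whose group name differs only in case both end up in fail(), which is the behaviour you want to see before the script is trusted with real logins.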
You have now written a conditional authentication script for the group-based access control scenario.
Similarly, you can build your own scripts to handle many scenarios using the API references.