Write a custom authentication script
Follow this guide to write a conditional authentication script from scratch and to understand its internals.
Scenario
Let's consider the following simplified set of requirements for your business application:
- User tries to log in to an application with username and password authentication.
- If the user belongs to the manager or employee group, they can access the application. Other users should not be allowed to access the application.
Prerequisites
- You need to register an application with WSO2 Identity Server. You can register your own application or use one of the sample applications provided.
- Customize the login flow in your application and enable Username and Password authentication.
- Create two user groups named manager and employee and assign user accounts to them. For instructions, see the following:
Start with the default script
To start off, configure conditional authentication for your application and check the default script that appears once you enable it.
    var onLoginRequest = function(context) {
        executeStep(1);
    };
Here, step 1 is username and password authentication.
Implement onSuccess callback
Now, let's implement what happens when username and password authentication succeeds. You can use the onSuccess event callback.
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                // Implement what to do when step 1 authentication succeeds.
            }
        });
    };
Get user object
If username and password authentication succeeds, let's get the user from the context. You can use context.currentKnownSubject.
    var groups = ['employee', 'manager'];
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                // Extract the authenticated user from the first step.
                var user = context.currentKnownSubject;
            }
        });
    };
Check membership of the user
Now, let's check whether the user is a member of manager or employee. You can use the isMemberOfAnyOfGroups(user, groups) utility function. Refer to the built-in functions reference to learn about the other available functions.
    var groups = ['employee', 'manager'];
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                // Extract the authenticated user from the first step.
                var user = context.currentKnownSubject;
                // Check whether the user is assigned to at least one of the given groups.
                var isMember = isMemberOfAnyOfGroups(user, groups);
            }
        });
    };
Fail authentication
If the user is not a member of either group, fail the authentication and redirect the user back to the application with an error code and message.
    var groups = ['employee', 'manager'];
    var errorCode = 'access_denied';
    var errorMessage = 'You do not have access to login to this app';
    var onLoginRequest = function (context) {
        executeStep(1, {
            onSuccess: function (context) {
                // Extract the authenticated user from the first step.
                var user = context.currentKnownSubject;
                // Check whether the user is assigned to at least one of the given groups.
                var isMember = isMemberOfAnyOfGroups(user, groups);
                if (!isMember) {
                    // Deny access: the login fails and the application receives the error.
                    fail({'errorCode': errorCode, 'errorMessage': errorMessage});
                }
            }
        });
    };
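The following is an added example, not code from WSO2 or from this guide, that runs the finished script above offline. It assumes a tiny stand-in for the adaptive-script runtime: stub versions of executeStep, isMemberOfAnyOfGroups and fail that only mimic the contract this guide relies on, plus a constructed user directory. It goes slightly beyond the walkthrough by also showing what the script does with a user who has no groups at all and with a failed password check.

```javascript
// Added example (not WSO2 code): a minimal stand-in for the adaptive-script
// runtime so the finished script can be exercised offline. In production,
// executeStep, isMemberOfAnyOfGroups and fail are supplied by WSO2 Identity
// Server; the stubs below are assumptions that mimic only the contract used here.

// Constructed user directory: username -> password and group memberships.
var DIRECTORY = {
  alice: { password: 'alice-pw', groups: ['employee'] },
  bob:   { password: 'bob-pw',   groups: ['manager', 'employee'] },
  carol: { password: 'carol-pw', groups: ['contractor'] },
  dave:  { password: 'dave-pw',  groups: [] }
};

// Per-login state, reset by simulateLogin().
var state = null;

// Stand-in for executeStep(stepId, callbacks): runs the username/password
// step, then the onSuccess or onFail callback the script registered.
function executeStep(stepId, callbacks) {
  var entry = DIRECTORY[state.username];
  callbacks = callbacks || {};
  if (!entry || entry.password !== state.password) {
    state.allowed = false;
    if (callbacks.onFail) { callbacks.onFail(state.context); }
    return;
  }
  // Step 1 passed: expose the authenticated user the way the real context does.
  state.context.currentKnownSubject = { username: state.username, groups: entry.groups };
  state.allowed = true;
  if (callbacks.onSuccess) { callbacks.onSuccess(state.context); }
}

// Stand-in for isMemberOfAnyOfGroups(user, groups): true if the user holds at
// least one of the listed groups; a user with no groups is never a member.
function isMemberOfAnyOfGroups(user, groups) {
  var memberships = (user && user.groups) || [];
  return groups.some(function (g) { return memberships.indexOf(g) !== -1; });
}

// Stand-in for fail(): records the error and denies the login.
function fail(params) {
  state.allowed = false;
  state.error = params;
}

// The script from this guide, unchanged.
var groups = ['employee', 'manager'];
var errorCode = 'access_denied';
var errorMessage = 'You do not have access to login to this app';
var onLoginRequest = function (context) {
  executeStep(1, {
    onSuccess: function (context) {
      var user = context.currentKnownSubject;
      var isMember = isMemberOfAnyOfGroups(user, groups);
      if (!isMember) {
        fail({'errorCode': errorCode, 'errorMessage': errorMessage});
      }
    }
  });
};

// Drives one login attempt through the script and reports the outcome.
function simulateLogin(username, password) {
  state = {
    username: username, password: password, allowed: false, error: null,
    context: { currentKnownSubject: null }
  };
  onLoginRequest(state.context);
  return {
    allowed: state.allowed,
    errorCode: state.error ? state.error.errorCode : null
  };
}

// Usage: employee allowed; contractor and group-less user denied with
// access_denied; wrong password denied before the group check runs.
console.log(simulateLogin('alice', 'alice-pw'));
console.log(simulateLogin('carol', 'carol-pw'));
console.log(simulateLogin('dave', 'dave-pw'));
console.log(simulateLogin('alice', 'wrong'));
```

Note that the group check only runs inside onSuccess, so a wrong password never reaches it and the application sees no access_denied error in that case; only an authenticated user outside both groups is rejected by the script itself.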
You have now written a conditional authentication script for the group-based access control scenario.
Similarly, you can build your own scripts to handle many scenarios using the API references.