Login flow configuration
<h3 style="text-align: left;">Prerequisites</h3>
<p style="text-align: left;">The main idea of this project is to create an application which manages users' profiles, in which both the <strong>back-end</strong> and the <strong>front-end</strong> are configured via the configuration of the <strong>back-end</strong>. So if certain properties are changed on the <strong>back-end</strong> side, the <strong>front-end</strong> changes accordingly to match the configuration of the <strong>back-end</strong>. One such configured flow is the <strong>Login flow</strong>, which is described in this documentation.</p>
<p style="text-align: left;">There are two possible login flows: one-step login and several steps login. The flow depends on the property <em style="letter-spacing: 0.0px;">systemBehaviorConfigurations/multifactorAuthentication/multifactorAuthSystemEnabled</em>. If it's set to <strong>true</strong>, the several steps login flow is chosen for the system (on both the <strong>front-end</strong> and <strong>back-end</strong> sides). Otherwise, one-step login is performed. Login is also performed as a one-step action when third parties (Google, Facebook etc.) are used.</p>
<p style="text-align: left;">Login via third parties is described first.</p>
<h2 style="text-align: left;">Login via third-party (Google, Facebook etc.)</h2><hr />
<p>Login to the system can be performed in several different ways, depending on the configuration of the back-end. The <em><strong>default configuration</strong></em> allows login:</p>
<ul><li>via email;</li><li>via phone number;</li><li>via Google;</li><li>via Facebook;</li><li>via Okta;</li><li>via Twitter.</li></ul>
<p>Login via third parties (Facebook, Google etc.) can be disabled for the system. 
In such case there are no corresponding buttons on the <strong>front-end</strong>, and the <strong>back-end</strong> doesn't process requests for the corresponding endpoints.</p>
<p>To <strong>disable</strong> a login option, e.g. Facebook, the corresponding property in the <em>systemBehaviorConfiguration/oauth2</em> section of <em><strong>application.yaml</strong></em> must be set to the desired value. For Facebook, the property is <em>systemBehaviorConfiguration/oauth2/facebook</em> and the value is <strong>false</strong>.<br /><br /><img class="confluence-embedded-image" draggable="false" width="456" src="/download/attachments/74645544/Screenshot%202023-10-20%20at%2003.11.11.png?version=1&modificationDate=1697762967000&api=v2" data-image-src="/download/attachments/74645544/Screenshot%202023-10-20%20at%2003.11.11.png?version=1&modificationDate=1697762967000&api=v2" data-unresolved-comment-count="0" data-linked-resource-id="74645543" data-linked-resource-version="1" data-linked-resource-type="attachment" data-linked-resource-default-alias="Screenshot 2023-10-20 at 03.11.11.png" data-base-url="https://wiki.knubisoft.com" data-linked-resource-content-type="image/png" data-linked-resource-container-id="74645544" data-linked-resource-container-version="5" title="Profile-API documentation > Login flow configuration > Screenshot 2023-10-20 at 03.11.11.png" data-location="Profile-API documentation > Login flow configuration > Screenshot 2023-10-20 at 03.11.11.png" data-image-height="1608" data-image-width="1386"></p>
<p>As mentioned above, such changes alter the system's behavior on both the <strong>front-end</strong> and <strong>back-end</strong> sides.</p>
<table class="wrapped confluenceTable"><colgroup><col /><col /></colgroup><tbody><tr><th class="confluenceTh">Changes on front-end</th><th class="confluenceTh">Changes on back-end</th></tr><tr><td class="confluenceTd">If a login option (Facebook, Google etc.) is disabled, then the corresponding button disappears from the login page.</td><td class="confluenceTd">If a login option (Facebook, Google etc.) is disabled, then the endpoint for that option (e.g. <em>/api/v1/login/facebook</em>) isn't registered and exposed, so an attempt to reach it leads to an error with the message "No handler."</td></tr></tbody></table>
<p style="text-align: left;">The listed login options can be enabled or disabled in any combination.<br />If you want to add another third party to the login flow, please refer to the article <a class="confluence-link" href="/pages/viewpage.action?pageId=68190588" data-linked-resource-id="68190588" data-linked-resource-version="14" data-linked-resource-type="page" data-linked-resource-default-alias="Sign in/up with social networks." data-base-url="https://wiki.knubisoft.com">sign in/up with social networks</a>.</p>
<p style="text-align: left;">The endpoint path for a third party has the following pattern: <em>/api/v1/login/thirdParty'sName</em>.<br />These endpoints are created and exposed by Spring, but the redirect URI can be configured via <em><strong>application.yaml</strong></em>.</p>
<h2 style="text-align: left;"><strong>Several steps login flow</strong></h2>
<p>The main difference between one-step login and several steps login is the requirement to provide one-time tokens for the user's enabled MFA (multi-factor authentication) options for additional security. So, if the user has enabled MFA for email, only the one-time token sent to the user's email has to be provided; if both email and phone number MFA are enabled, the user has to provide two one-time tokens to complete the login operation.</p>
<h2 style="text-align: left;">Login flow: the 1st step</h2><hr />
<p>To use several steps login, the login operation must be performed via <strong>email</strong> or <strong>phone number</strong>. 
Also, <em style="letter-spacing: 0.0px;"><strong>application.yaml</strong></em> must have the following configuration:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="04535042-18b7-4c3d-8d68-99e807333a5f" data-macro-parameters="language=yml|title=application.yaml" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9eW1sfHRpdGxlPWFwcGxpY2F0aW9uLnlhbWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>...
systemBehaviorConfigurations:
  multifactorAuthentication:
    multifactorAuthSystemEnabled: true
...</pre></td></tr></table>
<p><strong>Path:</strong> <em>/api/v1/login</em></p>
<p><span style="font-size: 16.0px;font-weight: bold;letter-spacing: -0.006em;">Request and response structures</span></p>
<p>If login <strong>via email/phone number</strong> is chosen, the request must have the following structure:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="02ebf848-3afe-448a-93e8-0889535bf7b6" data-macro-parameters="language=js|title=request" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVxdWVzdH0&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "userKey": "email/phone number",
  "password": "user password"
}</pre></td></tr></table>
<p>In such case, the response contains the information listed below:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="078524bc-9934-4476-8c7d-4d46290d45e1" data-macro-parameters="language=js|title=response" data-macro-schema-version="1" style="background-image: 
url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVzcG9uc2V9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "processingId": "processing ID of the operation",
  "email": "user's email",
  "phoneNumber": "user's phone number",
  "enabledMfaSteps": {
    "emailVerificationEnabled": true|false,
    "phoneNumberVerificationEnabled": true|false,
    "googleAuthenticatorVerificationEnabled": true|false
  }
}</pre></td></tr></table>
<h2>Login flow: the 2nd step</h2><hr />
<p><strong>Path:</strong><em> /api/v1/token/login</em></p>
<p>The next step in the several steps login flow is to request one-time tokens from the system for the user's enabled MFA options. Depending on the enabled MFA options, the request and response have the following structures:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="cdfffd96-a122-41bd-b129-57552c4750c0" data-macro-parameters="language=js|title=request" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVxdWVzdH0&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "destination": "EMAIL|PHONE_NUMBER",
  "processingId": "processing ID from the previous step"
}</pre></td></tr></table>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="fe3e7950-5576-4248-937a-b6ae7bbdd248" data-macro-parameters="language=js|title=response" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVzcG9uc2V9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "destination": "user's email or phone number, depends on destination chosen in request",
  "expiration": "30 MINUTES"
}</pre></td></tr></table>
<p>After requesting and getting one-time tokens for all enabled MFA options, the final step of login can be performed.</p>
<h2>Login flow: the 3rd step</h2><hr />
<p><strong>Path:</strong> <em>/api/v1/login/verification</em></p>
<p>This step is the final action which must be performed to successfully finish the several steps login flow. On this step, the one-time tokens the user has received for all of the user's enabled MFA options must be provided. The request and response have the structures listed below. Note that if an MFA option is disabled for the user, then <strong>null</strong> must be passed as its value.</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="d9de24d9-454f-4a33-94b1-b823c7f4e67e" data-macro-parameters="language=js|title=request" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVxdWVzdH0&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "userKey": "user key entered on the first step",
  "processingId": "processing ID from the first step",
  "oneTimeTokens": {
    "emailToken": "email one-time token"|null,
    "smsToken": "phone number one-time token"|null,
    "googleAuthenticatorToken": "google authenticator one-time token"|null
  }
}</pre></td></tr></table>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="ae3a2d46-9486-4309-b16c-439b21a842fb" data-macro-parameters="language=js|title=response" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVzcG9uc2V9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td 
class="wysiwyg-macro-body"><pre>{
  "accessToken": "access token",
  "refreshToken": "refresh token"
}</pre></td></tr></table>
<p>Since access and refresh tokens are handled by the <strong>front-end</strong>, the user is redirected to the main page after the last step.</p>
<h2><strong>One-step login flow</strong></h2><hr />
<p>If additional security isn't required, the one-step login flow can be chosen. For that, MFA must be disabled for the system. In such case the login flow is changed to one-step login.<br /><strong>NOTE 1: If you want to have a one-step login flow in the system, then MFA must be disabled for the whole system, which affects other operations and makes them less secure, especially the User key (email and phone number) recovery flow.</strong></p>
<p><strong>NOTE 2: Login via third parties is configured separately from MFA, so it can be performed in both cases.</strong></p>
<p>So <em><strong>application.yaml</strong></em> should be configured as follows:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="8051eb7f-1cb8-42b5-833e-30d0a093e422" data-macro-parameters="language=yml|title=application.yaml" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9eW1sfHRpdGxlPWFwcGxpY2F0aW9uLnlhbWx9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>...
systemBehaviorConfigurations:
  multifactorAuthentication:
    multifactorAuthSystemEnabled: false
...</pre></td></tr></table>
<p>If login is performed via email or phone number with this configuration, then only one action has to be performed for login.</p>
<p><strong>Path:</strong> <em>/api/v1/login</em></p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="5d423b6f-a44a-47d8-950c-da8b819fd937" data-macro-parameters="language=js|title=request" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVxdWVzdH0&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "userKey": "email/phone number",
  "password": "user password"
}</pre></td></tr></table>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-id="03e30ae1-ef28-4cae-9541-27fce19c4fec" data-macro-parameters="language=js|title=response" data-macro-schema-version="1" style="background-image: url(https://wiki.knubisoft.com/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6bGFuZ3VhZ2U9anN8dGl0bGU9cmVzcG9uc2V9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>{
  "accessToken": "access token",
  "refreshToken": "refresh token"
}</pre></td></tr></table>
<p><strong>NOTE: As you can see, the endpoint with the same path ("/api/v1/login") has different responses depending on system configuration. 
This is achieved by the custom logic of the </strong><span style="color: rgb(255,192,122);">@RegisterEndpointCondition</span><strong style="letter-spacing: 0.0px;"> annotation, which allows different methods to be mapped to the same path depending on configuration.</strong></p>
<p>If you have any questions regarding the login flow or any other questions, feel free to contact <a class="confluence-link confluence-userlink user-mention" data-username="Diakonov Serhii" href="/display/~Diakonov+Serhii" data-linked-resource-id="57180419" data-linked-resource-version="1" data-linked-resource-type="userinfo" userkey="ff808181813d482c01842ee0d073002e" data-linked-resource-default-alias="Diakonov Serhii" data-base-url="https://wiki.knubisoft.com">Diakonov Serhii</a> (s.dyakonov@knubisoft.com) or <a class="confluence-link confluence-userlink user-mention" data-username="Kostenko Vadym" href="/display/~Kostenko+Vadym" data-linked-resource-id="57180421" data-linked-resource-version="1" data-linked-resource-type="userinfo" userkey="ff808181813d482c01842ee0d09a0030" data-linked-resource-default-alias="Kostenko Vadym" data-base-url="https://wiki.knubisoft.com">Kostenko Vadym</a> (v.kostenko@knubisoft.com).</p>
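<p>The request bodies of the login flow described above, built from a 1st-step response. This is an added example, not part of the original page or the project's code: the field names and paths are the ones documented above, while the function names and the sample values are hypothetical, and skipping the 2nd-step request for Google Authenticator is an assumption based on the documented destination values (EMAIL|PHONE_NUMBER).</p>

```javascript
// Added example; field names and paths come from the page, function names are hypothetical.
// MFA flag from the 1st-step response, its key in oneTimeTokens, and the
// 2nd-step "destination" value (null where the page documents none).
const MFA_OPTIONS = [
  { flag: "emailVerificationEnabled", token: "emailToken", destination: "EMAIL" },
  { flag: "phoneNumberVerificationEnabled", token: "smsToken", destination: "PHONE_NUMBER" },
  { flag: "googleAuthenticatorVerificationEnabled", token: "googleAuthenticatorToken", destination: null },
];

// /api/v1/login returns tokens directly (one-step) or a processingId (MFA).
function classifyLoginResponse(body) {
  const isStr = (v) => typeof v === "string";
  if (body && isStr(body.accessToken) && isStr(body.refreshToken)) return "ONE_STEP";
  if (body && isStr(body.processingId) && body.enabledMfaSteps) return "MFA_REQUIRED";
  throw new Error("Unexpected /api/v1/login response shape");
}

// Bodies for /api/v1/token/login: one per enabled option that has a destination.
function tokenRequests(step1) {
  return MFA_OPTIONS
    .filter((o) => o.destination !== null && step1.enabledMfaSteps[o.flag] === true)
    .map((o) => ({ destination: o.destination, processingId: step1.processingId }));
}

// Body for /api/v1/login/verification. Disabled options are sent as null;
// a missing token for an enabled option fails here instead of at the server.
function verificationRequest(userKey, step1, entered) {
  const oneTimeTokens = {};
  for (const o of MFA_OPTIONS) {
    const value = entered[o.token];
    if (step1.enabledMfaSteps[o.flag] !== true) {
      oneTimeTokens[o.token] = null;
    } else if (typeof value === "string" && value.trim() !== "") {
      oneTimeTokens[o.token] = value.trim();
    } else {
      throw new Error(`Missing one-time token: ${o.token}`);
    }
  }
  return { userKey, processingId: step1.processingId, oneTimeTokens };
}

// Constructed 1st-step response; all values are made up for the example.
const SAMPLE_STEP1 = {
  processingId: "sample-processing-id",
  email: "user@example.com",
  phoneNumber: "+10000000000",
  enabledMfaSteps: {
    emailVerificationEnabled: true,
    phoneNumberVerificationEnabled: false,
    googleAuthenticatorVerificationEnabled: true,
  },
};
```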