
Regular login flow

User login is a two-step process.

1. Create a user login challenge

Use POST /auth/login/init (Create Login Challenge). This generates a challenge to be signed by the user. If the user has a credential of kind PasswordProtectedKey, a temporary one-time code must be passed in the loginCode field. Send this code first using POST /auth/login/code (Send Login Code). This is required because the Create Login Challenge endpoint is unauthenticated and returns the user's encrypted private key: the code step verifies the user's identity first, so that nobody can fetch the encrypted private key and try to brute-force it offline. If the user has at least one discoverable WebAuthn credential, the username is optional (usernameless flow).
2. Get the user to sign the challenge

Depending on the type of credentials being used, the challenge can be signed in different ways:
  • passkey: the browser or the OS will handle the signing operation using WebAuthn APIs by creating a new passkey on the user device.
  • personal access token: the private key associated with the token can be used to sign the challenge.
  • service account token: the private key associated with the service account can be used to sign the challenge.
3. Complete the user login

Use POST /auth/login (Complete User Login). This completes the login process and provides the authenticated user with their authentication token. The type of credential used to log in is determined by the kind field in the nested objects (firstFactor and secondFactor). Supported credential kinds are:
  • Fido2: the login challenge is signed by the user's signing device using WebAuthn.
  • Key: the login challenge is signed by the user's private key.
  • PasswordProtectedKey: the login challenge is signed by the user's decrypted private key, which was returned during the Create User Login Challenge step.
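The three steps above, modelled end to end as an added example (this is illustrative code, not Dfns's own implementation or SDK). It uses a hypothetical in-memory server so it runs offline, and its point is the security property the text describes: the unauthenticated init endpoint releases a PasswordProtectedKey user's encrypted private key only after a valid, single-use, time-limited login code, and challenges are consumed once. Field names other than those the page names (loginCode, firstFactor, secondFactor, kind) are assumptions, and an HMAC over the challenge stands in for the WebAuthn or private-key signature check.

```python
"""Added illustration (not Dfns's own code) of the regular login flow:
a hypothetical in-memory server enforcing the loginCode gate, plus a client
that drives the three steps. Names other than loginCode/firstFactor/
secondFactor/kind are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumed lifetime of a one-time login code


@dataclass
class User:
    username: str
    kind: str                              # "Fido2", "Key" or "PasswordProtectedKey"
    signing_secret: bytes                  # stand-in for the credential's key material
    encrypted_private_key: bytes = b""     # only meaningful for PasswordProtectedKey


@dataclass
class FakeDfnsServer:
    users: dict
    login_codes: dict = field(default_factory=dict)  # username -> (code, expires_at)
    challenges: dict = field(default_factory=dict)   # challenge -> username

    def send_login_code(self, username):
        """POST /auth/login/code: issue a one-time code (delivered out of band)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.login_codes[username] = (code, time.time() + CODE_TTL_SECONDS)
        return code  # returned only so this offline example can feed it back in

    def create_login_challenge(self, username, login_code=None):
        """POST /auth/login/init: unauthenticated, so the encrypted key is released
        only after a valid one-time code has proven who is asking."""
        user = self.users[username]
        response = {"challenge": secrets.token_hex(32)}
        if user.kind == "PasswordProtectedKey":
            self._consume_login_code(username, login_code)  # raises on failure
            response["encryptedPrivateKey"] = user.encrypted_private_key  # assumed name
        self.challenges[response["challenge"]] = username
        return response

    def _consume_login_code(self, username, login_code):
        entry = self.login_codes.pop(username, None)  # single use: consumed on any attempt
        if entry is None or login_code is None:
            raise PermissionError("a login code must be sent and presented first")
        code, expires_at = entry
        if time.time() > expires_at or not hmac.compare_digest(code, login_code):
            raise PermissionError("invalid or expired login code")

    def complete_login(self, challenge, first_factor):
        """POST /auth/login: verify the signed challenge and mint a token."""
        username = self.challenges.pop(challenge, None)  # challenges are single use
        if username is None:
            raise PermissionError("unknown or already used challenge")
        user = self.users[username]
        if first_factor["kind"] != user.kind:
            raise PermissionError("credential kind does not match the user's credential")
        # HMAC over the challenge stands in for the WebAuthn / private-key signature check.
        expected = hmac.new(user.signing_secret, challenge.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, first_factor["signature"]):
            raise PermissionError("bad challenge signature")
        return {"token": "token-" + secrets.token_hex(8)}


def login(server, username, signing_secret, kind):
    """Client side: run the three steps, inserting the code step when needed."""
    code = server.send_login_code(username) if kind == "PasswordProtectedKey" else None
    init = server.create_login_challenge(username, login_code=code)
    # Fido2 / Key users sign with their device or key; a PasswordProtectedKey user
    # would first decrypt init["encryptedPrivateKey"] locally with their password.
    signature = hmac.new(signing_secret, init["challenge"].encode(), "sha256").hexdigest()
    return server.complete_login(init["challenge"], {"kind": kind, "signature": signature})


def demo():
    """Constructed users: one PasswordProtectedKey, one Key. Also checks the gate."""
    secret = b"constructed-secret"
    server = FakeDfnsServer(users={
        "alice": User("alice", "PasswordProtectedKey", secret, b"<constructed ciphertext>"),
        "bob": User("bob", "Key", b"bob-secret"),
    })
    results = {"alice_token": login(server, "alice", secret, "PasswordProtectedKey")["token"]}
    results["bob_token"] = login(server, "bob", b"bob-secret", "Key")["token"]
    try:  # skipping the code step must not leak alice's encrypted key
        server.create_login_challenge("alice")
        results["gate_bypassed"] = True
    except PermissionError:
        results["gate_bypassed"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Two details worth noting in the model: a wrong code consumes the stored code, so each attempt costs a fresh Send Login Code call, and the challenge is removed the moment it is used, so a captured signed challenge cannot be replayed to mint a second token.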

SSO login flow

1. Obtain the SSO URL

Use POST /auth/login/sso/init (Initiate SSO Login). This generates a URL from the user's SSO provider. Send the user to that URL, where they will be prompted to log in.
Important note: once authenticated, the user will be redirected to the redirect URL you have set up on your SSO provider's dashboard. Make sure this URL is also whitelisted in your settings. See the SSO set-up tutorial for more details.
The redirect URL will contain a code and a state. Use those in the next step.
2. Log the user in

Use POST /auth/login/sso (Complete SSO Login), providing the code and state obtained in the previous step. This logs the user in and responds with the authentication token.

Social login flow

Use POST /auth/login/social to obtain an authentication token for the user. See Social Login for more details.

Delegated Users login flow

A service account should use POST /auth/login/delegated to obtain an authentication token for the end user. Dfns does not take part in the actual end-user authentication; you are responsible for logging them in properly in your application. See Delegated Login for more details.