Introducing Asgardeo Try it Application
Asgardeo's Fancy Playground Application
— By Yasin
Recently, folks at Asgardeo released a new feature called the Asgardeo Try it Application for quickly testing various login flows effortlessly. The best part of this feature is that you don't even need a functional application to get started with Asgardeo. How crazy is that, huh?
Alright, now let's get into it.
When you first log in to the Console application using your tenant admin credentials, it will present you with the following landing page.
Once created, it will immediately redirect you to the
Try it application. But for now, you can
close that tab and head back to the Asgardeo Console.
Configuring First-Factor Auth
In every application, you'd either have email/password, social or entirely password-less authentication.
Well, lucky for us; Asgardeo has all these options baked-in, so we can nibble instantly. I'll configure
some social connections along with email & password and biometric authentication. You can refer below
video for adding first-factor authentication to the
Try it application flow.
I already have
GitHub connections configured, and they are available for me to add
to this application. However, if you don't see them, you should refer the official Asgardeo documentation
on configuring social connectors or
refer to my previous article about Asgardeo JIT User
a quick tutorial.
Add a User
Also, note that I have created a Customer User in my default user store. You can easily do this by
navigating to the
Users section by clicking the
+ Add User button. Or you can refer official
Asgardeo documentation on how to add users.
Okay, now we have the first-factor authenticators; it is time for us to Try it! We can instantly try this out by clicking the "Try Login" button.
Alright, You've got me!
I'm not trying out Biometric Authentication because it requires setting up using the self-care portal before we can authenticate users. And on the other hand, I want to expand a bit about Asgardeo's Security Key / Biometrics authenticator in this article.
Also, if you're using an Apple Chip, there's a hint mentioned on making it work in Asgardeo in a password-less fashion using an iPhone & XCode written by Thamindu. Regardless, Asgardeo will seamlessly function with any functional FIDO2-compliant device on the fly.
Security Key and Biometrics 101
Asgardeo lets you configure FIDO2 compliant devices to enable password-less authentication for your Users. In the above figure, we configured it in the first-factor configuration, and you can see that we can easily attach a FIDO authentication to the authentication sequence's first step.
So here's how we configure a device as a first-factor biometric authentication (I don't have a proper Fido2 key, but my machine can act as a biometric authenticator).
The following illustration is the initial authentication flow users go through to set up their devices for authentication using the Asgardeo's My Account self-care portal.
Asgardeo docs also mention that we can configure FIDO2 password-less login for our application using two primary methods: -
Security key/Biometrics: An application user uses a FIDO2-supported authenticator to log in without entering a username or a password.
Identifier first + Security key/Biometrics: An application user enters a username first. Asgardeo verifies the identity from the username and prompts the user to use a FIDO2-supported authenticator to log in.
Configure Second-Factor Auth
Asgardeo allows us to add second-factor authentications such as TOTP and Email OTP to
Try it application's authentication flow.
Guess what? It doesn't require additional configurations to test it. We can directly jump into the playground.
Hmm, Something is Odd
We have configured second-factor authenticators, but we haven't considered the user experience of these authenticating options. Usually, when we configure multi-login options (i.e., email/password along with social connectors), it is best practice to avoid 2FA when a user authenticates from a federated connection. Here's why: -
When you log in through Google/GitHub connection, it usually prompts a notification on a device or email asking for validation whether only you are trying to log in (i.e., one-tap popups, mobile OTP code etc.). Now assume you completed either one of those.
If everything goes as expected, then the flow is validated by Google. So, it doesn't make sense to initiate another 2FA/MFA verification in Asgardeo if you sign in using Google, correct? If we do that, it leads to a poor user experience. So, how can we fix those without making those mistakes in production?
Well, lucky you, Asgardeo has thought about this already!
Adaptive Authentication to the Rescue
In Asgardeo, every application has its adaptive authentication script to manage its
authentication flows. This script allows you to enforce adaptive MFA in the login
flow of your applications. For example, you can control authentication based on Group,
We are particularly interested in the Sign-on-option based script, where we can conditionally
skip 2FA for Google and GitHub. The great thing about Asgardeo is that you can directly
test it within the
Try it application. It mimics what a user would go through,
and you can deploy your application to production with finesse!
Just turn on the
Conditional Authentication switch and paste the above code snippet like the following: -
Once you update the script with the above, you can verify that Asgardeo skips
for FIDO and Social Connectors.
Well, now that we have covered the customization of Sign-in Methods in this
application, we are only left with the User Attributes and Advance Settings to cover.
Specifically, the user attributes are pre-configured for the
Try it application as it is a static
application that aims to test the login flows. However, we can
enable and configure additional user claims/attributes after
integrating our actual application to Asgardeo.
Asgardeo allows you to control and test the User consent screen rendered during the
sign-in and sign-out flow in an application. You can refer the
official Asgardeo documentation on user consent management
for more information. The best part is that you can do this in the
Try it application.
Well, now you know how to try out Asgardeo without an application. Asgardeo makes testing and experimenting with complex logical authentication flows in the application effortless.
Thanks a bunch for reading!