Allow to disable 'ActiveAuth' on enterprise Connections #471
* users in from within the Lock widget using their email and password. This is known as | ||
* Active Authentication, and is not supported for MFA enabled identity providers. | ||
* By whitelisting the connections here, the Universal Login Page is used instead and the | ||
* log in is delegated to the browser application. |
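Review bot: "By whitelisting the connections here" in the third line does not say what is being allowed, since the list opts connections out of Active Authentication rather than permitting them. Suggest "By listing the connections here, the Universal Login Page is used instead", and hyphenate "MFA-enabled" in the line above.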
`login` ... one word for a noun.
Question: this is a very specific use case you're describing. Is it useful in other contexts? In other words: should this description either include other use cases or not be specific about MFA?
I don't know, to be honest. I know about MFA because it was reported now. Should I remove it?
This whole paragraph just seems like overkill. Maybe just:
Set which enterprise connections should use Web Authentication (redirect to the Universal Login Page) instead of Active Authentication (username and password form).
I removed that and the MFA mention.
* log in is delegated to the browser application. | ||
* Enterprise connections allowed for this client will use Active Authentication by default. | ||
* | ||
* @param connections the list of enterprise connections that will use Web Authentication. |
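Review bot: the @param line does not say what happens to a name that is not an enterprise connection, or that would not have used Active Authentication anyway. Because the line above makes Active Authentication the default, document how unmatched names are handled, so that a typo in a connection name cannot silently leave that connection on the username and password form.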
Should it be explicit about what connections are accepted?
`AuthType.ENTERPRISE`?
`AuthType.ENTERPRISE` is an internal class. I didn't want to get detailed enumerating every enterprise strategy. Maybe I can link to https://manage.auth0.com/#/connections/enterprise ?
`isActiveFlowEnabled` has 3 strategies it's checking ... would it be helpful to add those here?
configuration = new Configuration(connections, options); | ||
|
||
//Connections include 2 'ad' enterprise connections: "MyAD" and "mySecondAD" | ||
//One of them is tell above to use Web Authentication |
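Review bot: the last comment line says one of the two 'ad' connections was set "above" to use Web Authentication but does not name it, so the expected result for "MyAD" versus "mySecondAD" cannot be read from this setup. Name the connection in the comment, and have the assertions that follow check both outcomes: the listed connection uses Web Authentication and the other one still uses Active Authentication.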
`//The "MyAD" connection is set to use web auth above` ... or thereabouts
LGTM
Some Enterprise Connections can use Active Authentication (username/password) to log the user in from within Lock. This, unfortunately, breaks scenarios where the SSO identity provider requires MFA. With this PR, users can now select which Enterprise connections of those which are...
...and use the browser instead and perform Web Authentication.
The default behavior remains the same: ActiveAuth will be used on those connections that fulfill what's stated in (2) above. The remainder (Connections without ActiveAuth enabled) will always use the Browser to authenticate.
Process for ActiveAuth enabled connection
Process for ActiveAuth disabled connection
Usage
You need to pass the list of connections that normally use Active Authentication and now will use Web Authentication.