UNLOQ as the identity provider
An application that uses username and password for its login mechanism, generally trusts a store (database, 3rd party service, etc) to verify the fact that the user-password combination exists and fetches the associated information. Keeping the store and its data safe is a challenge that many companies struggle to achieve.
With UNLOQ, you do not have to store any kind of password, except the identity of a user (e-mail, username, etc) and trust UNLOQ to authenticate the user for you (either via push notifications or secondary mechanisms). Use this system and passwords will be completely removed from the equation.
The UNLOQ authentication process can be handled in two ways: using our JavaScript widget or performing server-to-server API calls.
-
Using the UNLOQ login widget - on your login page, include the
login widget. Once a user is authenticated, they will
be redirected to the
login widget's URL of your application, along with a
token inside the query string.
On the server-side, fetch the token from the query string and perform an API call to /v1/token to request the user information. Since UNLOQ validates and authenticates all the user information, if the token call is a success, you can then start the user's session, essentially log him in.
In a user-password application, this would be the equivalent of querying the database for the username and password.
// Pseudo-code on GET /uauth/login // or the equivalent login web hook authToken = request.query.token if authToken does not exist redirect back to /login // or equivalent else tokenData = call api-authenticator.iwelcome.com/v1/token with { token: authToken } including X-Api-Key and X-Api-Secret headers generate session using tokenData.user // object containing information about the user. redirect user to home page // dashboard or equivalent endif
-
Performing server-to-server API calls - In this scenario, you have full control over the UI and UX of your login or on-boarding forms. In your application's route (or controller)
that handles login functionality (POST /login or equivalent) instead of doing a query on your database, you perform an API call to
/v1/authenticate
sending in the request's payload, the user's e-mail address. UNLOQ will validate the credentials and ask for the user's approval. When the user accepts the login request,
a token will be generated and returned to your server. You will then use that token to perform a call to
/v1/token, in order to retrieve the user's information (similar to the situation above) and start the session.
// Pseudo-code on POST /login result = call api-authenticator.iwelcome.com/v1/authenticate with { email: body.email } including X-Api-Key and X-Api-Secret headers if result.type == success then tokenData = call api-authenticator.iwelcome.com/v1/token with { token: result.token } including X-Api-Key and X-Api-Secret headers generate session using tokenData.user // object containing information about the user. redirect user to home page // dashboard or equivalent else if result.error.code == "APPROVAL.DENIED" ask the user to supply the One-Time Password (under the "Tokens" app menu) else render result.message // tell the user why the authentication request fail endif endif
Both cases above rely on the UNLOQ distributed authentication mechanism to verify the identity of users in order for them to gain access to your application, and in both cases, your users are no longer required to use a password!
Have a question? You can always send us an email at support@unloq.io, or contact us on chat.
For security related concerns, please visit our Security page.