Introduction

Authentiq Connect is an easy-to-use OpenID Connect Identity Provider (IdP) that lets websites and apps move beyond usernames and passwords while safeguarding the end-user’s privacy.

Continue reading to explore features and integrations, or to browse use cases and frequently asked questions.

Alternatively, learn more about Authentiq first, or check out a code example by signing into the Dashboard straight away.

The basics

Authentiq Connect…

  • is hosted in Europe and GDPR-friendly;
  • is built on top of OpenID Connect, supporting many open standards;
  • uses scopes to request identity details from end users;
  • supports both passwordless authentication (Authentiq ID) and two-step verification (TOTP); and
  • works well with server-side, JavaScript (SPA), native (desktop or mobile) and hybrid applications.

It is usually a matter of minutes to configure your favorite OAuth 2.0 or OIDC client library or framework for Authentiq Connect. Try it now, or continue reading first…

OpenID Connect

Supported standards

Authentiq Connect is based on OpenID Connect and a growing list of supplementary standards to support integrating any type of application with the best possible user experience.

| Standard | Status | Description |
|---|---|---|
| OAuth 2.0 | Supported | Authentiq supports all classic OAuth 2.0 flows. |
| OIDC Core | Supported | Authentiq supports all server-side, JavaScript, native and hybrid app flows defined by OIDC. |
| OIDC Discovery | Supported | The Authentiq Connect Provider Configuration can be found here, with WebFinger support on the road map. |
| OIDC Dynamic Client Registration | Supported | Authentiq Connect’s Client Registration Endpoint is described in the API Reference. |
| OIDC Session Management | Supported | Authentiq’s JavaScript snippet supports OIDC Session Management via iframes out of the box. |
| OIDC Back-Channel Logout | Supported | As an alternative logout mechanism, simply enter the URL of your app’s logout endpoint in the Authentiq Dashboard. |
| OAuth 2.0 Multiple Response Types | Supported | Fine-tune your users’ authentication experience by using these response types for hybrid (server+browser) apps. |
| OAuth 2.0 Form Post Response Mode | Supported | Authentiq Connect is able to POST back the authentication response in case your app requires that. Contact support to learn how to enable it. |
| Proof Key for Code Exchange | Planned | Mitigate some attack vectors for your native app. Contact us for more details. |
| Security Event Tokens | Planned | Respond to authentication events in a customized fashion. Contact support if you are interested in participating in the beta. |
| Decentralized Identifiers | Planned | Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, “self-sovereign” digital identity, designed to work well with distributed ledgers. |

Identity scopes

Authentiq Connect leverages predefined and custom scopes to request identity details from the end user.

| Scope name | Claims | Description |
|---|---|---|
| openid | N/A | Required to indicate support for OIDC |
| profile | name, family_name, given_name, middle_name, nickname, preferred_username, zoneinfo, locale | A user’s typical profile, including name |
| email | email, email_verified | A user’s verified email address |
| phone | phone_number, phone_number_verified | A user’s verified phone number |
| address | address | A user’s home address |
| aq:name | name, family_name, given_name, middle_name, nickname | A user’s full name |
| aq:location | aq:location | A user’s current location |
| aq:username | preferred_username | A user’s preferred username |
| aq:locale | locale | A user’s preferred locale |
| aq:zoneinfo | zoneinfo | A user’s preferred timezone |
| aq:push | N/A | To enable one-click sign-in |

Requested scopes are optional by default, leaving the choice of providing any of the details to the end-user, who can opt out of each requested scope on the Authentiq ID consent screen.

Essential scopes can be marked as required by appending ~r to the scope name.

Individual scopes are concatenated into a space-separated list. A typical scope parameter might look like:

openid profile email~r aq:locale aq:zoneinfo aq:push
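The following is an added example, not Authentiq’s own code, showing the two sides of the scope mechanism described above: composing a scope parameter with the ~r suffix, and, after sign-in, checking that every claim promised by a required scope actually came back (optional scopes may legitimately be missing, because the user can opt out). The scope-to-claims mapping is copied from the table on this page; the function names, the verified-flag check and the sample claims are assumptions constructed for the example.

```python
"""Build an Authentiq Connect scope parameter and verify required claims.

Added example (not Authentiq's own code). SCOPE_CLAIMS is taken from the
identity scopes table; the helpers and sample data are constructed here.
"""

REQUIRED_SUFFIX = "~r"

# Scope -> claims released when the end-user grants it (from the page's table).
SCOPE_CLAIMS = {
    "openid": (),
    "profile": ("name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "zoneinfo", "locale"),
    "email": ("email", "email_verified"),
    "phone": ("phone_number", "phone_number_verified"),
    "address": ("address",),
    "aq:name": ("name", "family_name", "given_name", "middle_name", "nickname"),
    "aq:location": ("aq:location",),
    "aq:username": ("preferred_username",),
    "aq:locale": ("locale",),
    "aq:zoneinfo": ("zoneinfo",),
    "aq:push": (),
}

# Claims that carry a companion "verified" flag the relying party should check
# before trusting the value (assumed practice, not an Authentiq requirement).
VERIFIED_FLAGS = {"email": "email_verified", "phone_number": "phone_number_verified"}


def build_scope(scopes, required=()):
    """Return a space-separated scope parameter.

    'openid' is always emitted first; names listed in `required` get the ~r
    suffix. Unknown scope names raise so a typo cannot silently drop a claim
    from the consent screen.
    """
    ordered = ["openid"]
    for name in list(scopes) + list(required):
        if name not in ordered:
            ordered.append(name)
    parts = []
    for name in ordered:
        if name not in SCOPE_CLAIMS:
            raise ValueError(f"unknown scope: {name}")
        suffix = REQUIRED_SUFFIX if name in required and name != "openid" else ""
        parts.append(name + suffix)
    return " ".join(parts)


def parse_scope(scope_param):
    """Split a scope parameter into {scope_name: is_required}."""
    result = {}
    for token in scope_param.split():
        required = token.endswith(REQUIRED_SUFFIX)
        name = token[:-len(REQUIRED_SUFFIX)] if required else token
        if name not in SCOPE_CLAIMS:
            raise ValueError(f"unknown scope: {name}")
        result[name] = required
    return result


def missing_required_claims(scope_param, claims):
    """Return claims promised by a required (~r) scope that the response lacks.

    `claims` is the dict decoded from the ID token or UserInfo response. A
    claim whose value is missing or empty counts as missing; email and
    phone_number additionally need their *_verified flag to be True.
    Optional scopes are skipped: the user may have opted out of them.
    """
    missing = []
    for name, required in parse_scope(scope_param).items():
        if not required:
            continue
        for claim in SCOPE_CLAIMS[name]:
            if claim in VERIFIED_FLAGS.values():
                continue  # checked together with the claim it vouches for
            if not claims.get(claim):
                missing.append(claim)
            elif claim in VERIFIED_FLAGS and claims.get(VERIFIED_FLAGS[claim]) is not True:
                missing.append(VERIFIED_FLAGS[claim])
    return missing


if __name__ == "__main__":
    # Reproduces the scope string shown on the page: email is required, the rest optional.
    scope = build_scope(["profile", "email", "aq:locale", "aq:zoneinfo", "aq:push"],
                        required=["email"])
    print(scope)  # openid profile email~r aq:locale aq:zoneinfo aq:push

    # Constructed claims: the user granted email but opted out of profile.
    sample_claims = {"sub": "example-subject", "email": "alice@example.com",
                     "email_verified": True, "locale": "en-GB"}
    print(missing_required_claims(scope, sample_claims))  # []
```

A relying party would run missing_required_claims on every login response and refuse to create the account when the list is non-empty; treating an unverified email as verified is the classic mistake this check prevents.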

Features

Authentiq ID

The Authentiq ID mobile app (available on Android and iOS) is the key to your end-user’s privacy. It acts as a mobile identity wallet that users can use to identify themselves to websites. A user’s Authentiq ID can be seen as their personal cryptographic passport that holds profile information.

When signing in, the user decides what information will be shared. Phone number and email address will already have been verified by Authentiq so that the website doesn’t have to.

Authentiq ID is also a TOTP secret manager, like Google Authenticator, but with many extra features, such as backing up TOTP secrets online and on paper.

One click Sign-In

One Click Sign-In lets users sign into your website by just tapping a notification on their phone on subsequent logins.

To enable it, simply include the aq:push value in the scope parameter.

Single Sign-On

On intranets, authentication is often synchronized between applications. Contact us to configure Authentiq Connect for Single Sign-On to support this.

Dashboard support for Single Sign-On is planned. In the meantime, let us know how you would like to configure your apps.

Remote Sign-Out

When a user signs in with Authentiq ID, the website’s authentication session is linked to the mobile app. Authentiq lets you sign out from a website remotely, and in the future just by walking away from a computer.

To enable this feature, either

  • use the Authentiq JS snippet;
  • include an OIDC-compatible RP iframe on your website; or
  • enter a Backend Logout URL for your client in the Authentiq Dashboard.

Webhooks

Create rich integrations by listening to Authentiq’s Security Event Token webhooks. Use a webhook, for instance, to add new users to your newsletter easily. Coming soon!

Use cases

By enabling Authentiq you make the following authentication methods available to your site’s users.

| Authentication | Method | Application | Type | Support |
|---|---|---|---|---|
| Passwordless | Authentiq ID | QR code, PN, Handle | | Supported |
| Virtual 2FA | Authentiq ID, Google Authenticator | TOTP | | Supported |
| Physical 2FA | YubiKey | USB Token | | Coming soon |
| One-time authentication | Email | Magic link | | Coming soon |

These methods can work in addition to, or in conjunction with, your existing login system.

We often see sites that already integrate with social login providers add passwordless authentication via Authentiq ID, thereby providing their users with a privacy-aware alternative to signing in with Google or Facebook.

Another common pattern is to use Authentiq Connect to effortlessly add two-step verification on top of usernames and passwords that are kept in-house.

Integrations

Your favorite OAuth 2.0 or OIDC client library should work out of the box with Authentiq Connect. Do let us know if this is the case, or not.

Below is a list of frameworks that we have native integrations for, or that are otherwise known to work well.

| Name | Language |
|---|---|
| ASP.NET Core | C# |
| ForgeRock | Java |
| Authentiq JS | JavaScript |
| Meteor JS | JavaScript |
| Passport JS | JavaScript |
| Nginx / Jenkins | Lua |
| HybridAuth | PHP |
| OAuth2 Client | PHP |
| WordPress native | PHP |
| WordPress Social Login | PHP |
| Zend | PHP |
| Django AllAuth | Python |
| Django OIDC | Python |
| Flask | Python |
| Flask-Dance | Python |
| Flask OIDC | Python |
| OAuthlib | Python |
| Requests-OAuthlib | Python |
| GitLab | Ruby |
| OmniAuth | Ruby |
| Salesforce | Other |

Also check our GitHub pages for supported integrations and examples.

Support

What do you think?

A penny for your thoughts… Get in touch with us on support@authentiq.com.

Please report security issues to security@authentiq.com.