Introduction
Authentiq Connect is an easy-to-use OpenID Connect Identity Provider (IdP) that makes it easy for websites and apps to move beyond usernames and passwords while safeguarding the end-user’s privacy.
Continue reading to explore features, integrations, to browse use cases and frequently asked questions.
Alternatively, learn more about Authentiq first, or check out a code example by signing into the Dashboard straight away.
The basics
Authentiq Connect…
- is hosted in Europe and GDPR-friendly;
- is built on top of OpenID Connect, supporting many open standards;
- leverages scopes to request identity scopes from end users;
- supports both passwordless authentication (Authentiq ID) and two-step verification (TOTP); and
- works well with server side, JavaScript (SPA’s), native (desktop or mobile) and hybrid applications.
It is usually a matter of minutes to configure your favorite OAuth 2.0 or OIDC client library or framework for Authentiq Connect. Try it now, or continue reading first…
OpenID Connect
Supported standards
Authentiq Connect is based on OpenID Connect and a growing list of supplementary standards to support integrating any type of application with the best possible user experience.
| Standard | Status | Description |
|---|---|---|
| OAuth 2.0 | Supported | Authentiq supports all classic OAuth 2.0 flows. |
| OIDC Core | Supported | Authentiq supports all server side, JavaScript, native and hybrid app flows defined by OIDC. |
| OIDC Discovery | Supported | The Authentiq Connect Provider Configuration can be found here, with WebFinger support on the road map. |
| OIDC Dynamic Client Registration | Supported | Authentiq Connect’s Client Registration Endpoint is described in the API Reference. |
| OIDC Session Management | Supported | Authentiq’s JavaScript snippet supports OIDC Session Management via iframes out of the box. |
| OIDC Back-Channel Logout | Supported | As an alternative logout mechanism, simply enter the URL of your app’s logout endpoint in the Authentiq Dashboard. |
| OAuth 2.0 Multiple Response Types | Supported | Fine tune your users’ authentication experience by using these response types for hybrid (server+browser) apps. |
| OAuth 2.0 Form Post Response Mode | Supported | Authentiq Connect is able to POST back the authentication response in case your app requires that. Contact support to learn how to enable it. |
| Proof Key for Code Exchange | Planned | Mitigate some attack vectors for your native app. Contact us for more details. |
| Security Event Tokens | Planned | Respond to authentication events in a customized fashion. Contact support if you are interested in participating in the beta. |
| Decentralized Identifiers | Planned | Decentralized Identifiers (DIDs) are a new type of identifier for verifiable, “self-sovereign” digital identity, designed to work well with distributed ledgers. |
Identity scopes
Authentiq Connect leverages predefined and custom scopes to request identity details from the end user.
| Scope name | Claims | Description |
|---|---|---|
openid |
N/A | Required to indicate support for OIDC |
profile |
name, family_name, given_name, middle_name, nickname, preferred_username, zoneinfo, locale |
A user’s typical profile, including name |
email |
email, email_verified |
A user’s verified email address |
phone |
phone_number, phone_number_verified |
A user’s verified phone number |
address |
address |
A user’s home address |
aq:name |
name, family_name, given_name, middle_name, nickname |
A user’s full name |
aq:location |
aq:location |
A user’s current location |
aq:username |
preferred_username |
A user’s preferred username |
aq:locale |
locale |
A user’s preferred locale |
aq:zoneinfo |
zoneinfo |
A user’s preferred timezone |
aq:push |
N/A | To enable one-click sign in |
Requested scopes are optional by default, leaving the choice of providing any of the details to the end-user, who will be able to opt out of the requested scopes on the Authentiq ID consent screen.
It is possible to mark essential scopes as required by appending ~r.
Individual scopes are concatenated in a space separated list. A typical scope parameter might look like:
openid profile email~r aq:locale aq:zoneinfo aq:pushFeatures
Authentiq ID
The Authentiq ID mobile app (available on Android and iOS) are the key to your end-user’s privacy. It acts as a mobile identity wallet that can be used to identify to websites. A user’s Authentiq ID can be seen as their personal cryptographic passport that holds profile information.
When signing in, the user decides what information will be shared. Phone number and email address will already have been verified by Authentiq so that the website doesn’t have to.
Authentiq ID is also a TOTP secret manager, like Google Authenticator, but with many extra features, such as backing up TOTP secrets online and on paper.
One click Sign-In
One Click Sign-In lets users sign into your website by just tapping a notification on their phone on subsequent logins.
To enable it, simply include the aq:push value in the scope parameter.
Single Sign-On
On intranets authentication is often synchronized between applications. Contact us to configure Authentiq Connect for Single Sign-on to support this.
Dashboard support for Single Sign-on is planned. In the mean time, let us know how you would like to configure your apps.
Remote Sign-Out
When a user signs in with Authentiq ID, the website’s authentication session is linked to the mobile app. Authentiq lets you sign out from a website remotely, and in the future just by walking away from a computer.
To enable this feature, either
- use the Authentiq JS snippet;
- include OIDC-compatible RP iframe on your website; or
- enter a Backend Logout URL for your client in the Authentiq Dashboard.
Webhooks
Create rich integrations by listening to Authentiq’s Security Event Token webhooks. Use a webhook, for instance, to add new users to your newsletter easily. Coming soon!
Use cases
By enabling Authentiq you make the following authentication methods available to your site’s users.
| Authentication Method | Application | Type | Support |
|---|---|---|---|
| Passwordless | Authentiq ID | QR code, PN, Handle | Supported |
| Virtual 2FA | Authentiq ID, Google Authenticator | TOTP | Supported |
| Physical 2FA | YubiKey | USB Token | Coming soon |
| One-time authentication | Magic link | Coming soon |
These methods can work in addition to or conjunction with your existing login system.
We often see sites that already integrate with social login providers adding passwordless authentication via Authentiq ID, this way providing their users with a privacy-aware alternative to signing in with Google or Facebook.
Another common pattern is to use Authentiq Connect to effortlessly add two-step verification on top of usernames and passwords that are kept in-house.
Integrations
Your favorite OAuth 2.0 or OIDC client library should work out of the box with Authentiq Connect. Do let us know if this is the case, or not.
Below is a list of frameworks that we have native integrations for, or that are otherwise known to work well.
| Name | Language |
|---|---|
| ASP .NETCore | C# |
| ForgeRock | Java |
| Authentiq JS | JavaScript |
| Meteor JS | JavaScript |
| Passport JS | JavaScript |
| Nginx / Jenkins | LUA |
| HybridAuth | PHP |
| OAuth2 Client | PHP |
| WordPress native | PHP |
| WordPress Social Login | PHP |
| Zend | PHP |
| Django AllAuth | Python |
| Django OIDC | Python |
| Flask | Python |
| Flask-Dance | Python |
| Flask OIDC | Python |
| OAuthlib | Python |
| Requests-OAuthlib | Python |
| GitLab | Ruby |
| OmniAuth | Ruby |
| SalesForce | Other |
Also check our GitHub pages for supported integrations and examples.
Support
What do you think?
A penny for your thoughts… Get in touch with us on support@authentiq.com.
Please report security issues to security@authentiq.com.