- \n
- Algorithm: Presently, we offer support for rs256. \n
- Grant Type: Options include authorization code, implicit, password creds, etc. \n
- You can tailor settings for Token Expiry, Refresh Token, and TTL to suit your needs. \n
- Data Mapping: Define fields or properties to be included in the data response. \n
- Metadata: Incorporate static, non-profile values into the data response. \n
- Define the Scope for Management API. \n
This array of configurable options empowers you to fine-tune your OIDC Application according to your specific requirements.
\nWhitelisting the Domain of Your Application
\nTo ensure seamless redirection of requests and successful callbacks to your endpoint, add your application's domain to the whitelist. This will authorize the redirection process and prevent failures when calling the callback endpoint.
\nTo access Web Apps in Deployment, follow these steps:
\n- \n
- Navigate to the Deployment section from the Dashboard. \n
- Once in Deployment, select the Apps tab. \n
- From there, choose Web Apps. \n
Now, to add a new site:
\n- \n
- Click on the Add New Site button. \n
- Enter the domain name of the website (example: \"
https://localhost:8080\"). \n
Whitelisting Domain from OIDC Application Configuration
\nLoginRadius lets you uniquely identify the redirect URLs for individual OIDC applications:
\n- \n
- When setting the configuration of the OIDC Application, you can specify the redirect URL of your backend,\nand it will be whitelisted. \n
- The field name is Login Redirect URL. \n
Setting Up the Provider Object and the OAuthconfig with the Loginradius OIDC App Credentials
\nprovider, err := oidc.NewProvider(ctx, "`https://api.loginradius.com/{oidcappname}")`\nif err != nil {\n // handle error\n}\n\n// Configure an OpenID Connect aware OAuth2 client.\noauth2Config := oauth2.Config{\n ClientID: your-oidc-clientID,\n ClientSecret: your-oidc-clientSecret\n RedirectURL: redirectURL,\n\n // Discovery returns the OAuth2 endpoints.\n Endpoint: provider.Endpoint(),\n\n // "openid" is a required scope for OpenID Connect flows.\n Scopes: []string{oidc.ScopeOpenID, "profile", "email"},\n}When setting up a new provider, you'll need to input the LoginRadius OIDC App URL, typically in this format: https://{siteUrl}/service/oidc/{OidcAppName}
To seamlessly integrate this with your Go backend, create two essential APIs for setting up and configuring go-oidc:
- \n
- Login Endpoint: This endpoint initiates the authentication process and redirects to the callback endpoint with the authorization code. \n
- Callback Endpoint: Here, the authorization code received from the login endpoint is exchanged for an access token. Additionally, this endpoint extracts user claims from the access token. \n
By establishing these APIs, your Go backend efficiently handles the authentication flow, ensuring a smooth user experience while securely managing user identity and access.
\nHandle the Callback Hit
\nHandle the callback hit that exchanged the authorization token for the access token:
\nvar verifier = provider.Verifier(&oidc.Config{ClientID: clientID})\n\nfunc handleOAuth2Callback(ctx *gin.context) {\n // Verify state and errors.\n authCode := ctx.query("code")\n\n oauth2Token, err := oauth2Config.Exchange(ctx, authCode)\n if err != nil {\n // handle error\n }\n\n // Extract the ID Token from the OAuth2 token.\n rawIDToken, ok := oauth2Token.Extra("id_token").(string)\n if !ok {\n // handle missing token\n }\n\n // Parse and verify ID Token payload.\n idToken, err := verifier.Verify(ctx, rawIDToken)\n if err != nil {\n // handle error\n }\n\n // Extract custom claims\n var claims struct {\n Email string `json:"email"`\n Verified bool `json:"email_verified"`\n }\n if err := idToken.Claims(&claims); err != nil {\n // handle error\n }\n}For both endpoints, let's review a sample backend server with implementation in Gin Golang.
\nGin Golang Code
\nFor OIDC integration with the Go backend, you'll implement it using the coreos/go-oidc library (feel free to check it out). This library provides comprehensive support for OIDC, allowing to easily verify tokens, extract user claims, and validate ID tokens. Its features ensure secure authentication and seamless integration with various OIDC providers.
\nWith the go-oidc library, you can efficiently implement OIDC authentication in the Go backend, guaranteeing users a smooth and secure authentication process.
go get github.com/coreos/go-oidc/v3/oidcpackage main\n\nimport (\n\t"encoding/json"\n\t"fmt"\n\t"io"\n\t"log"\n\t"net/http"\n\t"os"\n\n\t"github.com/coreos/go-oidc/v3/oidc"\n\t"github.com/gin-gonic/gin"\n\t"golang.org/x/oauth2"\n)\n\n// Define global OAuth2 configuration and OIDC provider.\nvar (\n\toauthConfig = &oauth2.Config{\n\t\tClientID: "your-client-id", // Replace with your LoginRadius Client ID\n\t\tRedirectURL: "http://localhost:8080/api/callback",\n\t\tClientSecret: "your-client-secret", // Replace with your LoginRadius Client Secret\n\t\tScopes: []string{"user"},\n\t}\n\tglobalProvider *oidc.Provider\n\tglobalOuthConfig *oauth2.Config\n)\n\n// Server struct holds interfaces like HTTP server, DBHelper, ServerProvider, MongoDB client, etc.\ntype Server struct {\n\n}\n\n// InitializeOAuthConfig sets up the global OAuth2 configuration and OIDC provider.\nfunc InitializeOAuthConfig() {\n\t// Create a new OIDC provider using the OAuth2 endpoint and OIDC provider URL.\n\tprovider, err := oidc.NewProvider(context.Background(), "https://<siteUrl>/service/oidc/<OidcAppName>") // Replace with your OIDC Provider URL\n\tif err!= nil {\n\t\tlog.Fatalf("Failed to create new provider: %v", err)\n\t}\n\tglobalProvider = provider\n\n\t// Set up the OAuth2 configuration with the client ID, secret, redirect URL, and scopes.\n\toauth2Config := &oauth2.Config{\n\t\tClientID: oauthConfig.ClientID,\n\t\tClientSecret: oauthConfig.ClientSecret,\n\t\tRedirectURL: oauthConfig.RedirectURL,\n\t\tEndpoint: provider.Endpoint(),\n\t\tScopes: []string{oidc.ScopeOpenID, "profile", "email"},\n\t}\n\tglobalOuthConfig = oauth2Config\n}\n\n// StartLoginProcess initiates the login process by redirecting the user to the OIDC provider.\nfunc StartLoginProcess(ctx *gin.Context) {\n\t// Generate the authorization URL for the OIDC provider.\n\tauthURL := globalOuthConfig.AuthCodeURL("state", oidc.Nonce(""))\n\t// Redirect the user to the OIDC provider for authentication.\n\thttp.Redirect(ctx.Writer, ctx.Request, authURL, http.StatusFound)\n}\n\n// HandleCallback processes the callback from the OIDC provider after the user has authenticated.\nfunc HandleCallback(ctx *gin.Context) {\n\t// Retrieve the authorization code from the query parameters.\n\tcode := ctx.Query("code")\n\n\t// Exchange the authorization code for an access token.\n\toauth2Token, err := globalOuthConfig.Exchange(ctx, code)\n\tif err!= nil {\n\t\tlog.Printf("Error exchanging code for token: %v", err)\n\t\treturn\n\t}\n\n\t// Extract the ID token from the OAuth2 token.\n\trawIDToken, ok := oauth2Token.Extra("id_token").(string)\n\tif!ok {\n\t\tlog.Println("Missing ID token")\n\t\treturn\n\t}\n\n\t// Verify the ID token using the OIDC provider.\n\tvar verifier = globalProvider.Verifier(&oidc.Config{ClientID: globalOuthConfig.ClientID, SkipClientIDCheck: true})\n\n\tidToken, err := verifier.Verify(ctx, rawIDToken)\n\tif err!= nil {\n\t\tlog.Printf("Error verifying ID token: %v", err)\n\t\treturn\n\t}\n\n\t// Extract claims from the verified ID token.\n\tvar claims interface{}\n\tif err := idToken.Claims(&claims); err!= nil {\n\t\tlog.Printf("Error extracting claims: %v", err)\n\t\treturn\n\t}\n\n\t// Respond with a success message.\n\tctx.JSON(http.StatusOK, gin.H{"message": "success"})\n}\n\n// InjectRoutes sets up the routes for the application, including login and callback endpoints.\nfunc (srv *Server) InjectRoutes() *gin.Engine {\n\trouter := gin.Default()\n\n\tapi := router.Group("/api")\n\t{\n\t\t// Define the login route that redirects users to the OIDC provider for authentication.\n\t\tapi.GET("/login", StartLoginProcess)\n\t\t// Define the callback route that handles the callback from the OIDC provider.\n\t\tapi.GET("/callback", HandleCallback)\n\t}\n\n\treturn router\n}\n\nfunc main() {\n\t// Initialize the OAuth2 configuration and OIDC provider.\n\tInitializeOAuthConfig()\n\t// Create a new server instance.\n\tserver := &Server{}\n\t// Inject routes into the Gin engine.\n\trouter := server.InjectRoutes()\n\t// Start the HTTP server.\n\tlog.Fatal(http.ListenAndServe(":8080", router))\n}The process described involves several key steps in setting up an OAuth2 flow with OpenID Connect (OIDC) for user authentication.
\nHere's a brief overview of what was done in the code:
\nInitialization of OIDC Provider and OAuth2 Configuration
\n- \n
- The OIDC provider is initialized using the
oidc.NewProviderfunction, which requires the OAuth2 endpoint and the OIDC provider's URL. This step is crucial for establishing a connection with the OIDC provider, enabling the application to authenticate users through the provider. \n - The OAuth2 configuration (
oauthConfig) is set up with essential details such as the client ID, client secret, redirect URL, and scopes. These credentials are specific to the OIDC application registered with the provider (e.g., LoginRadius). The redirect URL is where the provider will send the user after authentication, and the scopes define the permissions requested from the user. \n
Setting Up the Callback Endpoint
\n- \n
- A callback endpoint is defined in the application, typically as
/api/callback. This endpoint handles the callback from the OIDC provider after the user has been authenticated. \n - When the user authenticates successfully, the OIDC provider redirects the user back to the application with an authorization code included in the query parameters. \n
- The application then exchanges this authorization code for an access token by calling the exchange method on the OAuth2 configuration object. This exchange process is handled securely by the OAuth2 library, ensuring that the application receives a valid access token. \n
Verifying the Access Token and Extracting User Claims
\n- \n
- Once the access token is obtained, the application extracts the ID token from it. The ID token contains claims about the authenticated user, such as their name, email, and roles. \n
- The ID token is then verified using the OIDC provider's verifier. This step ensures that the token is valid and has not been tampered with. Verification involves checking the token's signature and possibly other claims to ensure it matches the expected values. \n
- After verification, the application extracts the claims from the ID token. These claims can be used to identify the user within the application, personalize the user experience, or enforce access control based on the user's roles or permissions. \n
This process leverages the security and standardization provided by OIDC and OAuth2 to implement a secure authentication flow. By following these steps, the application can authenticate users through LoginRadius OIDC provider, ensuring that user credentials are managed securely and that the application can trust authenticated users' identities.
\nConclusion
\nIn this tutorial, you have learned how to implement OIDC SSO with LoginRadius as the Identity Provider. You have also built a simple Golang backend with Gin to understand the implementation.
\n","frontmatter":{"date":"May 30, 2024","updated_date":null,"description":"In this tutorial, you will learn how to implement Single Sign-On (SSO) using OpenID Connect (OIDC) with LoginRadius as your Identity Provider.","title":"How to Implement OpenID Connect (OIDC) SSO with LoginRadius?","tags":["SSO","OIDC","LoginRadius"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/4509bd963b39d84ce554829099fba02f/ee604/implementing-oidc-sso.png","srcSet":"/static/4509bd963b39d84ce554829099fba02f/69585/implementing-oidc-sso.png 200w,\n/static/4509bd963b39d84ce554829099fba02f/497c6/implementing-oidc-sso.png 400w,\n/static/4509bd963b39d84ce554829099fba02f/ee604/implementing-oidc-sso.png 800w,\n/static/4509bd963b39d84ce554829099fba02f/f3583/implementing-oidc-sso.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Sanjay Velu","github":"SanjayV0","avatar":null}}}},{"node":{"excerpt":"First, let's understand some basic terminology. Basic Terminology Brute-force attack: A method where every possible combination of…","fields":{"slug":"/engineering/bruteforce-lock-and-unlock/"},"html":"First, let's understand some basic terminology.
\nBasic Terminology
\n- \n
- Brute-force attack: A method where every possible combination of characters or values is systematically tried to gain unauthorized access to a system, application, or data. \n
- Brute-force lock: Brute-force lock is a type of account lock made to prevent a bruteforce attack. \n
- Brute-force lockout: Brute-force lockout is a security mechanism that blocks access after a certain number of failed authentication attempts to prevent unauthorized access through repeated trial and error. \n
- CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): CAPTCHA is a method used to determine whether a user is human by presenting a challenge that is easy for humans to solve but difficult for bots. \n
- Multi-Factor Authentication (MFA): MFA is a security method that requires multiple forms of identification to grant access, typically combining something the user knows, has, and is. \n
In LoginRadius, you can implement brute-force lockout using APIs.
\n\n\nTo implement brute-force lockout, please register in the LoginRadius Admin Console.
\n
Let's go through the API implementation of brute-force lockout and user unlock.
\nAPI Implementation for Brute-force Lockout
\nCreating a Basic Application
\n- \n
- To implement brute-force lockout using API, create a simple app with login and registration features. \n
- This can be done by using Admin Console. \n
- Navigate through Deployment > Identity Experience Framework. \n
- You can design the required application using theme, customization, preview, and implement options. \n
- You can also customize the predefined templates if needed. \n
\n\nYou can view the created app using the link https://
\n<app-name>.hub.loginradius.com/auth.aspx in the implement section of the Identity Experience Framework or from the preview section.
Brute-force Lockout
\nEnabling
\nIn LoginRadius, the brute-force lockout feature can be enabled from the Admin Console.
\n- \n
- Now, log out and try to log in with incorrect credentials. \n
- If the password is incorrect successively till the lockout threshold, the account gets locked. \n
- Therefore, brute-force lockout is achieved. \n
\n\nIn the Admin Console, you can set the brute-force lockout threshold, lockout type, and suspend effective period.
\n
Lockout Types in LoginRadius
\nLoginRadius supports the following lockout types:
\n- \n
- Suspend: Suspends further login attempts after multiple failed tries for a certain amount of time, deterring automated attacks and enhancing system security by limiting access from suspicious sources. \n
- \n
CAPTCHA:
\n- \n
- A security measure used to unlock a locked account on entering valid credentials by presenting a challenge to solve. \n
- This challenge is often easy for humans to solve but difficult for the bots. \n
\n
\nRefer CAPTCHA in miscellaneous section to learn more.
\n \n - Security Questions: A personalized query set up by the user to verify identity to unlock a locked account with valid credentials. \n
- Block: Restricts login attempts from a specific source (email ID or username) after multiple failed tries, enhancing security against unauthorized access. \n
Unlocking an Account Locked through Brute-force Lockout
\nYou can unlock the locked user account in two ways, using:
\n- \n
- Account Update API from the LoginRadius Account API collection. \n
- Auth Unlock Account by Access Token from the LoginRadius Authentication API collection. \n
\n\nFor more understanding on Auth Unlock Account, refer Auth Security Configuration
\n
Account Update API from the LoginRadius Account API Collection
\nCalling the Account Update API with the provided endpoint, using the given method, providing the apisecret and apikey, and formatting the given body will unlock the account.
\n- \n
- Endpoint:
https://api.loginradius.com/identity/v2/manage/account/{uid}\n - Method: PUT \n
- Parameters: apisecret, apikey \n
- Body: \n
{\n ...\n "FirstName": "Test",\n "MiddleName": null,\n ...\n}- \n
- Response: \n
{\n ...\n "LoginLockedType": "None",\n "Email": [\n {\n "Type": "Primary",\n "Value": "user1@yopmail.com"\n }\n ],\n ...\n}\n
Conclusion
\n- \n
- Unlocking user accounts previously locked due to brute force lockout using LoginRadius APIs demonstrates the platform's account management and security enhancement efficiency. \n
- Moving forward, leveraging LoginRadius's robust security features ensures uninterrupted user access while fortifying your system against unauthorized access attempts. \n
Miscellaneous
\nCAPTCHA
\nLoginRadius supports the following types of CAPTCHAs:
\n- \n
- reCAPTCHA V2: Users solve challenges like clicking on images or entering text to prove they're human. \n
- reCAPTCHA V3: Operates in the background, assessing user behavior to assign a risk score without user interaction. \n
- hCAPTCHA: Like reCAPTCHA, it offers bot protection with a privacy focus. \n
- QQ Tencent CAPTCHA: A CAPTCHA service by Tencent commonly used in China to verify human users. \n
Multi-Factor Authentication (MFA):
\n- \n
- LoginRadius offers multiple security features, including Multi-Factor Authentication. \n
- This feature can be enabled from the Admin Console to add an additional layer of security. \n
- LoginRadius provides predefined MFA types, which can be enabled further. \n
To understand more about LoginRadius APIs, refer to the API docs.
\n","frontmatter":{"date":"May 29, 2024","updated_date":null,"description":"In this blog, you'll learn about brute-force lockout, the creation of a basic app using Identity Experience Framework, and how to unlock a user account using APIs.","title":"Testing Brute-force Lockout with LoginRadius","tags":["Brute-force","LoginRadius","Authentication"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/1ff36040268e755844bfd2e543baf5b5/ee604/implementing-brute-force-lockout.png","srcSet":"/static/1ff36040268e755844bfd2e543baf5b5/69585/implementing-brute-force-lockout.png 200w,\n/static/1ff36040268e755844bfd2e543baf5b5/497c6/implementing-brute-force-lockout.png 400w,\n/static/1ff36040268e755844bfd2e543baf5b5/ee604/implementing-brute-force-lockout.png 800w,\n/static/1ff36040268e755844bfd2e543baf5b5/f3583/implementing-brute-force-lockout.png 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Gayathri Suresh","github":"gayathrisuresh150501","avatar":null}}}}]},"markdownRemark":{"excerpt":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards…","fields":{"slug":"/identity/developer-first-identity-provider-loginradius/"},"html":"Identity is evolving, and developers are at the forefront of this transformation. Every day brings a new learning—adapting to new standards and refining approaches to building secure, seamless experiences.
\nWe’re here to support developers on that journey. We know how important simplicity, efficiency, and well-structured documentation are when working with identity and access management solutions. That’s why we’ve redesigned the LoginRadius website—to be faster, more intuitive, and developer-first in every way.
\nThe goal? Having them spend less time searching and more time building.
\nWhat’s New and Improved on the LoginRadius Website?
\nLoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve spent the last few months redesigning our interface— making navigation more intuitive and reassuring that essential resources are easily accessible.
\nHere’s a closer look at what’s new and why it’s important:
\nA Developer-Friendly Dark Theme
\n![\"This](\"/f46881583c7518a93bb24e94c32320de/a-developer-friendly-dark-theme.webp\")
Developers spend long hours working in dark-themed IDEs and terminals, so we’ve designed the LoginRadius experience to be developer-friendly and align with that preference.
\nThe new dark mode reduces eye strain, enhances readability, and provides a seamless transition between a coding environment and our platform. Our new design features a clean, modern aesthetic with a consistent color scheme and Barlow typography, ensuring better readability. High-quality graphics and icons are thoughtfully placed to enhance the content without adding visual clutter.
\nSo, whether you’re navigating our API docs or configuring authentication into your system, our improved interface will make those extended development hours more comfortable and efficient.
\nClear Categorization for LoginRadius Capabilities
\n![\"This](\"/e5358b82be414940f3fb146013845933/capabilities.webp\")
We’ve restructured our website to provide a straightforward breakdown of our customer identity and access management platform capabilities, helping you quickly find what you need:
\n- \n
- Authentication: Easily understand how to choose the right login method, from traditional passwords and OTPs to social login, federated SSO, and passkeys with few lines of code. \n
- Security: Implement no-code security features like bot detection, IP throttling, breached password alerts, DDoS protection, and adaptive MFA to safeguard user accounts. \n
- User Experience: Leverage AI builder, hosted pages, and drag-and-drop workflows to create smooth, branded sign-up and login experiences. \n
- High Performance & Scalability: Confidently scale with sub-100ms API response times, 100% uptime, 240K+ RPS, and 28+ global data center regions. \n
- Multi-Brand Management: Efficiently manage multiple identity apps, choosing isolated or shared data stores based on your brand’s unique needs. \n
This structured layout ensures you can quickly understand each capability and how it integrates into your identity ecosystem.
\nDeveloper-First Navigation
\n![\"This](\"/a8c155c2b6faf3d5f4b4de4e2b14d763/developers-menu.webp\")
We’ve been analyzing developer workflows to identify how you access key resources. That’s why we redesigned our navigation with one goal in mind: to reduce clicks and make essential resources readily available.
\nThe new LoginRadius structure puts APIs, SDKs, and integration guides right at the menu bar under the Developers dropdown so you can get started faster. Our Products, Solutions, and Customer Services are also clearly categorized, helping development teams quickly find the right tools and make informed decisions.
\nQuick Understanding of Integration Benefits
\n![\"This](\"/b2f9a964a2da0ea83e2f8596b833bba7/we-support-your-tech-stack.webp\")
Developers now have a clear view of the tech stack available with LoginRadius, designed to support diverse business needs.
\nOur platform offers pre-built SDKs for Node.js, Python, Java, and more, making CIAM integration seamless across popular programming languages and frameworks.
\nOver to You Now!
\nCheck out our revamped LoginRadius website and see how the improved experience makes it easier to build, scale, and secure your applications.
\nDo not forget to explore the improved navigation and API documentation, and get started with our free trial today. We’re excited to see what you’ll build with LoginRadius!
\n","frontmatter":{"date":"February 21, 2025","updated_date":null,"description":"LoginRadius’ vision is to give developers a product that simplifies identity management so they can focus on building, deploying, and scaling their applications. To enhance this experience, we’ve redesigned our website interface, making navigation more intuitive and reassuring that essential resources are easily accessible.","title":"Revamped & Ready: Introducing the New Developer-First LoginRadius Website","tags":["Developer tools","API","Identity Management","User Authentication"],"pinned":true,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7857142857142858,"src":"/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp","srcSet":"/static/80b4e4fbe176a10a327d273504607f32/61e93/hero-section.webp 200w,\n/static/80b4e4fbe176a10a327d273504607f32/1f5c5/hero-section.webp 400w,\n/static/80b4e4fbe176a10a327d273504607f32/58556/hero-section.webp 800w,\n/static/80b4e4fbe176a10a327d273504607f32/99238/hero-section.webp 1200w,\n/static/80b4e4fbe176a10a327d273504607f32/7c22d/hero-section.webp 1600w,\n/static/80b4e4fbe176a10a327d273504607f32/1258b/hero-section.webp 2732w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Rakesh Soni","github":"oyesoni","avatar":"rakesh-soni.jpg"}}}},"pageContext":{"limit":6,"skip":36,"currentPage":7,"type":"///","numPages":161,"pinned":"ee8a4479-3471-53b1-bf62-d0d8dc3faaeb"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}