How authentication works

User authentication can protect your whole application or only specific resources. The authentication process identifies the user; the access they are then granted is based on roles, permissions, scopes, and so on.

Login preferences

Choose from a wide variety of authentication methods, including WebAuthn-based biometrics, email magic links, SMS one-time passcodes, social login, and more. Consider which methods work best for your customers and use case. For example, WebAuthn-based biometric login is phishing-resistant (the credential is bound to the origin) and well suited to logging users in to their bank account, whereas social login is fast and convenient for signing customers up to a retail app.

Your login preferences configure the methods you'd like to use, such as branding email templates for magic link authentication, or setting up the OAuth credentials for a social login provider. You can manage your login preferences from the Admin Portal or using Administration APIs.

Identity data

Upon authentication, user data is returned in the ID token. Aside from the default claims that are always returned, custom claims can be returned by requesting them. Validate the token's signature and its standard claims (issuer, audience, expiration) before trusting any of the values it carries. For a complete list and structure of the ID token claims, see our Token reference.

For example, the ID token may include the following (depending on what you request):

  • User's identifier in your Mosaic tenant
  • User's external identifiers in your system
  • User's name, emails, phone numbers, address, etc.
  • Authentication method that was used
  • Whether a new user was created as part of the flow
  • User's groups, roles, and permissions
  • Any of the custom user data that you've set for this user

User access

A user access token is returned upon each successful authentication. It describes the access that was granted, including the requested scopes (the scope claim) and which resource the user is allowed to access (based on what was requested). The token also carries an expiration, which must be checked before each use, along with the signature, issuer, and audience. Access tokens are returned together with a refresh token that can be exchanged for a new access token without requiring the user to re-authenticate; treat the refresh token as a long-lived credential and store it accordingly. For the claims and structure of the access token, see our Token reference.
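The checks described under Identity data and User access (verify the signature first, then expiration, issuer, audience and scopes, and only then read the claims) look like this in practice. This is an added example written for this page, not Mosaic's SDK or the tokens it actually issues: it mints its own HS256 token with a constructed shared secret so it runs offline, whereas a real issuer signs with a private key and you verify with its published public key. The issuer URL, audience, subject, scope strings and roles are all constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a shared secret standing in for the issuer's signing
# key, plus issuer/audience strings chosen for this example only.
DEMO_KEY = b"constructed-demo-secret-do-not-reuse"
DEMO_ISSUER = "https://issuer.example"   # assumed issuer URL
DEMO_AUDIENCE = "https://api.example"    # assumed resource (audience)


class TokenError(Exception):
    """Raised when a token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Produce an HS256-signed JWT. Only here so the example runs offline;
    a real issuer signs with its private key, which you never hold."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, key, issuer, audience, required_scopes=(), now=None):
    """Verify the signature, then alg, exp, nbf, iss, aud and scope. Returns claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token: expected three segments")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (rejects "none" and
    # algorithm-confusion tricks).
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison; nothing in the payload is trusted before this.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")

    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise TokenError("token expired or missing exp")
    if now < claims.get("nbf", 0):
        raise TokenError("token not yet valid")
    if claims.get("iss") != issuer:
        raise TokenError(f"unexpected issuer {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if audience not in aud_list:
        raise TokenError(f"token not issued for {audience}")
    granted = set(claims.get("scope", "").split())       # space-separated scope string
    missing = set(required_scopes) - granted
    if missing:
        raise TokenError(f"missing scopes: {sorted(missing)}")
    return claims


def demo():
    """Mint one constructed token and show it accepted, then rejected when
    expired, presented to the wrong audience, or tampered with."""
    now = 1_700_000_000  # fixed clock so the example is deterministic
    claims = {"iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE, "sub": "user_123",
              "iat": now, "exp": now + 300, "scope": "openid orders:read",
              "roles": ["customer"]}
    token = mint_token(claims, DEMO_KEY)
    ok = validate_token(token, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, ["orders:read"], now=now)
    results = {"valid_subject": ok["sub"]}
    for label, bad_now, bad_aud in [("expired", now + 600, DEMO_AUDIENCE),
                                    ("wrong_audience", now, "https://other.example")]:
        try:
            validate_token(token, DEMO_KEY, DEMO_ISSUER, bad_aud, now=bad_now)
            results[label] = "accepted"
        except TokenError as e:
            results[label] = f"rejected: {e}"
    # Tampered payload: escalate the role without re-signing.
    h, _, s = token.split(".")
    tampered = ".".join([h, _b64url_encode(json.dumps({**claims, "roles": ["admin"]}).encode()), s])
    try:
        validate_token(tampered, DEMO_KEY, DEMO_ISSUER, DEMO_AUDIENCE, now=now)
        results["tampered"] = "accepted"
    except TokenError as e:
        results["tampered"] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order matters: the signature is checked before any claim is read, so a forged or tampered payload never influences the expiration, audience or scope checks. Pass a fixed clock (as demo() does) only in tests; in production use the real time and allow a small skew.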