How OIDC & hosted authentication works

User authentication can be used to protect your whole application or only specific resources. The authentication process identifies the user and grants them access (based on roles, permissions, scopes, etc.).

Note

Use a redirect-based approach to authentication if you're interested in social login, Mosaic's hosted login experience, or an OIDC-based integration. Otherwise, you can consider a backend-to-backend integration (see Backend Authentication).

Login preferences

Choose from a wide variety of authentication methods, including WebAuthn-based biometrics, email magic links, SMS one-time passcodes, social login, and more. Consider which methods work best for your customers and use case. For example, biometric login is the most secure way to log users into their bank account, whereas social login is fast and convenient for signing up customers to a retail app.

Your login preferences configure the methods you'd like to use, such as branding email templates for magic link authentication, or setting up the OAuth credentials for a social login provider. You can manage your login preferences from the Admin Portal or using Administration APIs.

Authentication flow

Regardless of method, every authentication flow includes:

  1. User authenticates using the chosen method
  2. Upon successful authentication, a code is returned to your app
  3. Your app securely exchanges this code for tokens that identify the user and grant them access
  4. Optionally, a new user is created (if you allow authentication to implicitly onboard new users)
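The redirect-based flow above has two security-relevant client-side duties: binding the callback in step 2 to the login attempt that started it (a `state` value, so a forged redirect cannot be swapped in), and proving in step 3 that the party exchanging the code is the one that requested it (PKCE). The following Python is an added example, not Mosaic's SDK or code from the page; the endpoint URLs, client ID and redirect URI are placeholders, and the actual HTTP POST to the token endpoint is left to your backend's HTTP client.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder endpoints and client settings (assumptions for this example,
# not Mosaic's real values): take them from your provider's configuration.
AUTHORIZE_ENDPOINT = "https://idp.example.com/oidc/authorize"
TOKEN_ENDPOINT = "https://idp.example.com/oidc/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.
    The verifier stays on the backend; only the challenge goes in the URL."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(state: str, code_challenge: str,
                        scope: str = "openid email") -> str:
    """Step 1: the URL the browser is redirected to for authentication."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to the app and return the code.
    Raises ValueError on an error response, a state mismatch (the callback
    does not belong to the login attempt we started) or a missing code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this login attempt")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback missing authorization code")
    return code


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3: the form body the backend POSTs to TOKEN_ENDPOINT.
    The code_verifier lets the server check it matches the earlier challenge."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Per-login values: store state and verifier server-side with the session.
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce_pair()
    print(build_authorize_url(state, challenge))
    # Constructed callback URL, as the browser would present it after login.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_callback(callback, state)
    print(build_token_request(code, verifier))
```

The `state` and `code_verifier` are generated per login attempt and kept with the user's server-side session; the callback handler looks them up by session, never from the URL itself. The tokens returned by the exchange then need their own validation before use, as covered under User access.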

Identity data

Upon authentication, user data is returned in the ID token. Aside from the default claims that are always returned, custom claims can be returned by requesting them. For a complete list and structure of the ID token claims, see our Token reference.

For example, the ID token may include the following (depending on what you request):

  • User's identifier in your Mosaic tenant
  • User's external identifiers in your system
  • User's name, emails, phone numbers, address, etc.
  • Authentication method that was used
  • Whether a new user was created as part of the flow
  • User's groups, roles, and permissions
  • Any of the custom user data that you've set for this user

User access

A user access token is returned upon each successful authentication. It describes the access that was granted, including requested scopes (scope) and which resource the user is allowed to access (based on what was requested). The token also includes the expiration, which should be validated before each use. User access tokens are returned together with a refresh token that can be used to prolong the access without requiring the user to re-authenticate. For the claims and structure of the access token, see our Token reference.

Hosted login

Mosaic offers a hosted solution for user login that lets you provide users with secure, frictionless, and UX-friendly authentication flows, without investing expensive design, development, and implementation effort outside your core business.

In addition to using OIDC-secured flows, hosted login lets you choose which authentication methods to use, design your authentication flow, and customize the appearance of the authentication screens. Enabling multi-factor authentication adds a further layer of security: it not only strengthens login, but also verifies the legitimacy of sensitive actions in your application (e.g., password changes and payments). With hosted login, users can manage their authentication preferences, update their identification information, and perform account recovery. Hosted login supports WebAuthn biometrics, passwords, SMS OTP, email OTP, and email magic links.

For more about hosted login, see How hosted login works.

What's next?

Once you've identified the user, you can leverage our identity management capabilities to:

  • Enrich the user's profile with verified data
  • Authorize access based on the user's role and permissions
  • Use the created session to keep them logged in until it expires or they log out