Skip to main content

Get Login Policy

Returns the login settings that should be used for the authenticated user. It is set either on an instance or organization level. This policy defines what possibilities the user has to authenticate and to use in the login, e.g social logins, MFA, passkey, etc.

Responses

A successful response.


Schema
  • policy object
  • details object
  • sequence uint64

    on read: the sequence of the last event reduced by the projection

    on manipulation: the timestamp of the event(s) added by the manipulation

  • creationDate date-time

    on read: the timestamp of the first event of the object

    on create: the timestamp of the event(s) added by the manipulation

  • changeDate date-time

    on read: the timestamp of the last event reduced by the projection

    on manipulation: the

  • resourceOwner resource_owner is the organization an object belongs to
  • allowUsernamePassword boolean

    defines if a user is allowed to log in with his username and password

  • allowRegister boolean

    defines if a person is allowed to register a user on this organization

  • allowExternalIdp boolean

    defines if a user is allowed to add a defined identity provider. E.g. Google auth

  • forceMfa boolean

    defines if a user MUST use a multi-factor to log in

  • passwordlessType - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT

    Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]

    Default value: PASSWORDLESS_TYPE_NOT_ALLOWED

    defines if passwordless is allowed for users

  • isDefault boolean

    defines if the organization's admin changed the policy

  • hidePasswordReset boolean

    defines if password reset link should be shown in the login screen

  • ignoreUnknownUsernames boolean

    defines if unknown username on login screen directly returns an error or always displays the password screen

  • defaultRedirectUri string

    defines where the user will be redirected to if the login is started without app context (e.g. from mail)

  • passwordCheckLifetime string
  • externalLoginCheckLifetime string
  • mfaInitSkipLifetime string
  • secondFactorCheckLifetime string
  • multiFactorCheckLifetime string
  • secondFactors string[]

    Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]

  • multiFactors string[]

    Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]

  • idps object[]
  • Array [
  • idpId string

    the id of the identity provider

  • idpName string

    the name of the identity provider

  • idpType authorization framework of the identity provider

    Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]

    Default value: IDP_TYPE_UNSPECIFIED

    the authorization framework of the identity provider

  • ]
  • allowDomainDiscovery boolean

    If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.

  • disableLoginWithEmail boolean

    defines if the user can additionally (to the login name) be identified by their verified email address

  • disableLoginWithPhone boolean

    defines if the user can additionally (to the login name) be identified by their verified phone number

Loading...