Restrict User Login for Your Application

Learn how to restrict users from logging in to your application with a specific email domain.

In this scenario, you aim to enable passwordless login exclusively for specific email addresses, such as those within your company. By updating the default Presentation Definition and modifying the PEX query with a filter, you can restrict access to your application.

Before you begin

Set up Affinidi Vault account. Follow the guide below if you haven’t set it up yet.

Set up Affinidi Vault

Set up an Affinidi Vault account using the web app or install the mobile app .

The same installation steps for mobile app.

Click on Start if you are creating a new account, or click on Restore from Backup if you have an existing backup of your Affinidi Vault.

Use this guide to learn how to migrate your existing Affinidi Vault account.

Secure your Vault by providing a passphrase. Use this passphrase to unlock your Vault.

Provide your Email Address to verify with OTP.

After successfully providing the OTP, you are redirected to your Affinidi Vault dashboard.

Vault Passphrase

Remember to keep your passphrase in a secure location since it cannot be retrieved if forgotten, even with your backup. If you forget it, you must setup a new Vault.

Get the Redirect URL of your application for OIDC. This URL is configured on your Login Configuration to receive the idToken after successful authorisation.
Optionally, install the Affinidi CLI. Follow the guide below if you haven’t installed yet.

Set up Affinidi CLI

Download and install NodeJS on your machine if you haven’t set it up yet.

Node Version

Affinidi CLI requires Node version 18 and above.

Install Affinidi CLI using Node Package Manager (npm).

npm install -g @affinidi/cli

Verify that the installation is successful.

affinidi --version

To create a Login Configuration, you can either use Affinidi CLI or Affinidi Portal.

Expand the section below for your preferred method:

Using Affinidi CLI

affinidi start

Once you have successfully logged in, create the Login Configuration by running:

affinidi login create-config \
--name='<Name>' \
--redirect-uris='<Redirect URIs>'

--name is what you want your login configuration to be called.
--redirect-uris is the URL on your application where the user gets redirected after the successful authentication.

Sample response:

{
  "ari": "ari:identity:ap-southeast-1:687b8872-a618-dt63-8978-e72ac32daeb1:login_configuration/c4f74d936cd31bde1c1fd3c1050bb76s",
  "projectId": "687b8872-a618-4e52-8978-e72ac32daec2",
  "configurationId": "c4f74d936cd31bde1c1fd3c1050bb62d",
  "name": "...",
  "auth": {
    "clientId": "<AUTH.CLIENT_ID>",
    "clientSecret": "<AUTH.CLIENT_SECRET>",
    "issuer": "https://<PROJECT_ID>.apse1.login.affinidi.io"
  },
  "redirectUris": [
    "..."
  ],
  "clientMetadata": {
    "name": "Login Config Name",
    "logo": "https://login.affinidi.com/default-client-logo.svg",
    "origin": "https://example.com"
  },
  "creationDate": "2023-08-11T06:26:37Z",
  "tokenEndpointAuthMethod": "client_secret_post"
}

Learn more on how to manage your Login Configurations using Affinidi CLI.

Using Affinidi Portal

Go to Affinidi Login under the Services section.
Click on the Create Login Configuration and provide the required details.

Name is the string that describes your login configuration.
Redirect URIs is the URL on your application where the user gets redirected after the successful authentication.

Click on create and confirm if all the details are correct.

After confirming the details, another popup shows the Client ID and Client Secret for your Login Configuration. Copy the generated Client Credentials and use them to integrate with Affinidi Login.
After copying the Client ID and Client Secret and closing the popup, you are redirected back to the Affinidi Login page.

Login Configuration uses a default Presentation Definition (presentationDefinition) and ID Token Mapping (idTokenMapping) to request the user’s email address during the authentication flow.

You can modify these defaults using Affinidi Portal and Affinidi CLI to have additional authentication requirements and request other data from the user. See this documentation.

Important

Safeguard the Client ID and Client Secret diligently; you'll need them for setting up your IdP or OIDC-compliant applications. Remember, the Client Secret will be provided only once.

Update Presentation Definition

To restrict users who can log in to your application based on the email address domain using Affinidi Login, you need to update the default presentation definition of the Login Configuration previously created and add a data filter.


{
  "id": "vp_token_with_email_vc",
  "input_descriptors": [
    {
      "id": "email_vc",
      "name": "Email VC",
      "purpose": "Check if data contains necessary fields",
      "constraints": {
        "fields": [
          {
            "path": [
              "$.type"
            ],
            "purpose": "Check if VC type is correct",
            "filter": {
              "type": "array",
              "contains": {
                "type": "string",
                "pattern": "Email"
              }
            }
          },
          {
            "path": [
              "$.credentialSubject.email"
            ],
            "purpose": "Check if VC contains email field",
            "filter": {
              "type": "string",
              "pattern": ".+@companyemail.com$"
            }
          },
          {
            "path": [
              "$.issuer"
            ],
            "purpose": "Check if VC Issuer is Trusted",
            "filter": {
              "type": "string",
              "pattern": "^did:key:zQ3shtMGCU89kb2RMknNZcYGUcHW8P6Cq3CoQyvoDs7Qqh33N"
            }
          }
        ]
      }
    }
  ]
}

Based on the above Presentation Definition, we have added a filter only to accept email addresses from specific domains when authenticating users.

To update the Presentation Definition, you can either use Affinidi Portal to edit the Login Configuration using the PEX query editor found in the Additional Configuration section or use Affinidi CLI using the following command:

affinidi login update-config \
--id=<LOGIN_CONFIG_ID> \
--file=<JSON_PAYLOAD>

Copy the JSON payload above and replace the email address pattern where you want to restrict the login.

See this documentation to learn more about modifying the Presentation Definition to define additional user requirements.

Set up Your Application

Go to your application’s OIDC settings and configure the following details to integrate Affinidi Login into your application’s login flow:

{
  "clientId": "<AUTH.CLIENT_ID>",
  "clientSecret": "<AUTH.CLIENT_SECRET>",
  "scope": "openid offline_access",
  "authorizationUrl": "<AUTH.ISSUER>/oauth2/auth",
  "tokenUrl": "<AUTH.ISSUER>/oauth2/token"
}

If you are using libraries or plugins to enable OIDC flow on your application, please refer to their documentation on configuring these details and allowing OIDC login.

Once you have completed the set-up of your application with client credentials and enabled the Affinidi Login, only users with an email address domain that matches the pattern defined in the Presentation Definition from their Vault are allowed to log in.

You can explore our labs to learn more about ways to integrate Affinidi Login using other frameworks and IDP solutions.

Was this page helpful?

Glad to hear it! Please tell us how we can improve more.

Sorry to hear that. Please tell us how we can improve.

Thank you for sharing your feedback so we can improve your experience.