
How to authenticate users

OneLogin supports industry-standard approaches to authenticating users, but choosing the right method for your use case is often a challenge if you are unfamiliar with the jargon.

This is a summary of the OneLogin authentication options; each option is described in more detail below, with language-specific sample code to download.
  1. Server side Web App using a OneLogin hosted login page

    • Recommended for web apps where the client secret can be hidden from the user
    • Supports SSO, MFA, forced password change & Offline Refresh Tokens out of the box
  2. Single Page App (SPA) using a OneLogin hosted login page

    • For JavaScript-based apps that may not have a server-side component
    • Supports SSO, MFA, & forced password change out of the box
  3. Full custom login page with MFA support

    • Recommended when building a customized login flow
    • Supports SSO, MFA, & password change but requires additional work
  4. Native or Legacy app

    • Recommended for native apps or when the client is incapable of an advanced interactive login
    • No support for SSO, MFA or forced password changes

Traditional Web App with Hosted Login Page

If you have a traditional server-hosted web application that wants to offload user authentication and identity management to OneLogin, then our recommended approach is the OpenID Connect Authentication Flow (the Authorization Code flow).

OpenID Connect is an industry standard and the best-practice way to authenticate users securely.

In this flow the user is redirected to a customizable login page hosted by OneLogin to authenticate. After successful authentication, OneLogin redirects the user back to your app with a short-lived, single-use authorization code. Your app exchanges that code in a server-side call, authenticated with its client secret, for an ID Token that states who logged in and an Access Token used for further server-side calls. Because the exchange happens on the server, neither the client secret nor the tokens pass through the browser.

OpenID Connect Authentication automatically applies the user-based security policies, MFA requirements, and login flows you defined in OneLogin, without requiring additional code.

Download a sample app from GitHub

Benefits

  • Supports Multi-Factor Authentication and Single Sign-On without additional code
  • Automatically supports user-based password policies and forced password resets etc.
  • Supports Refresh Tokens for Offline Access
  • Uses the most secure OpenID Connect flow: the client secret and tokens stay on the server
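The redirect, code exchange and token checks described above, as an added example that is not OneLogin's sample code: a minimal relying party for the Authorization Code flow in Python using only the standard library. The token endpoint is injected as a callable so the example runs offline (in production it is an HTTPS POST to the provider's token endpoint), the `/auth` path on the issuer is an assumed placeholder, and the ID Token is verified as an HS256 JWT keyed with the client secret, which is a simplification: in a real app verify the signature against the keys the provider publishes at its JWKS endpoint using a JWT library. The claim checks in `verify_id_token` are the same ones an SPA must apply to an ID Token it receives in the URL fragment.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(secret: str, claims: dict) -> str:
    """Simulated provider (test fixture only): mint an ID Token signed with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


class OidcCodeFlowClient:
    """Server-side relying party for the Authorization Code flow.

    token_endpoint is a callable that receives the token-request form fields and
    returns the parsed JSON response; it is injected so the example runs offline.
    The "/auth" path appended to the issuer is an assumed placeholder.
    """

    def __init__(self, issuer, client_id, client_secret, redirect_uri, token_endpoint):
        self.issuer = issuer
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.token_endpoint = token_endpoint

    def begin_login(self, session: dict) -> str:
        """Bind a fresh state (login CSRF) and nonce (token replay) to the user's
        session and return the URL the browser is redirected to."""
        session["oidc_state"] = secrets.token_urlsafe(32)
        session["oidc_nonce"] = secrets.token_urlsafe(32)
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid profile email",
            "state": session["oidc_state"],
            "nonce": session["oidc_nonce"],
        }
        return f"{self.issuer}/auth?{urlencode(params)}"

    def finish_login(self, session: dict, callback_url: str, now=None) -> dict:
        """Handle the redirect back from the provider and return the verified identity."""
        query = parse_qs(urlparse(callback_url).query)
        expected_state = session.pop("oidc_state", None)   # single use, consumed either way
        expected_nonce = session.pop("oidc_nonce", None)
        if "error" in query:
            raise PermissionError(f"provider returned error: {query['error'][0]}")
        received_state = query.get("state", [""])[0]
        # Reject any callback that is not tied to a login this session started.
        if not expected_state or not hmac.compare_digest(received_state.encode(), expected_state.encode()):
            raise PermissionError("state mismatch")
        # Exchange the single-use code on the server; the client secret never reaches the browser.
        tokens = self.token_endpoint({
            "grant_type": "authorization_code",
            "code": query.get("code", [""])[0],
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        claims = self.verify_id_token(tokens["id_token"], expected_nonce, now)
        return {"subject": claims["sub"], "claims": claims, "access_token": tokens["access_token"]}

    def verify_id_token(self, id_token: str, expected_nonce: str, now=None) -> dict:
        """Check signature, issuer, audience, expiry and nonce before trusting any claim."""
        header_b64, payload_b64, signature_b64 = id_token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":   # never let the token pick the algorithm
            raise PermissionError("unexpected alg")
        expected_sig = hmac.new(self.client_secret.encode(),
                                f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(signature_b64), expected_sig):
            raise PermissionError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))
        now = time.time() if now is None else now
        audiences = claims.get("aud")
        audiences = audiences if isinstance(audiences, list) else [audiences]
        if claims.get("iss") != self.issuer:
            raise PermissionError("wrong issuer")
        if self.client_id not in audiences:
            raise PermissionError("token not issued to this client")
        if claims.get("exp", 0) <= now:
            raise PermissionError("token expired")
        if not expected_nonce or claims.get("nonce") != expected_nonce:
            raise PermissionError("nonce mismatch")
        return claims
```

`begin_login` runs when the user clicks "log in" and `finish_login` in the redirect URI handler; the `state` and `nonce` are popped from the session on the first callback so a replayed redirect fails closed. `make_hs256_id_token` only stands in for the provider so the flow can be exercised end to end without a network.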

Single Page App (SPA) with Hosted Login Page

If you have a SPA or an app written in JavaScript, without a server-side API, then we recommend using the OpenID Connect Implicit Flow. Note that the Implicit Flow returns tokens in the redirect URL fragment, where browser history, referrers and page scripts can see them, and the OAuth 2.0 Security Best Current Practice now recommends the Authorization Code flow with PKCE for browser apps instead; use the Implicit Flow only where that option is not available to you.

This flow is similar to the OpenID Connect Authentication Flow described above, but the ID Token and Access Token are returned directly to the browser in the redirect URL fragment. There is no server-side code exchange, so no client secret is involved and no Refresh Token is issued; the app must still validate the ID Token (issuer, audience, expiry, nonce, signature) before trusting it.

Download a sample app from GitHub

Benefits

  • Supports Multi-Factor Authentication, Single Sign-On without additional code
  • Automatically supports user-based password policies and forced password resets etc.
  • Doesn’t require server-side interaction

Customized Login Page

Use our Administrative API to build a custom login experience if you prefer not to use the OneLogin hosted login page.

It requires additional code to cover all the login use cases, but the APIs you need are available.

Our APIs indicate whether a user requires MFA, and we provide endpoints to verify tokens, reset passwords, and so on. Ultimately, you are responsible for ensuring the authentication flow is secure: your code collects the user's credentials, decides when every required step (including MFA) has been satisfied, and only then creates the session.

If you're not comfortable with the extra work required, consider using the OpenID Connect Authentication Flow described above.

Download a sample app from GitHub

Benefits

  • Total control over the login experience
  • Supports Multi-Factor Authentication & Single Sign-On
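The "you are responsible for a secure flow" point above, as an added example that is not OneLogin's sample code: a custom login state machine in Python whose two provider calls (`check_password`, which reports whether the password was accepted and whether the user still needs MFA, and `verify_factor`) are injected callables, so it runs offline and does not assume any specific OneLogin endpoint names. The session is created only after every required step passes; a pending MFA login is represented by a random, single-use, time-limited `login_token` held server side, so a client cannot skip the MFA step by posting a user id, and repeated wrong codes consume and invalidate the pending login.

```python
import secrets
import time

MAX_MFA_ATTEMPTS = 3   # wrong codes allowed before the pending login is discarded
PENDING_TTL = 300      # seconds a pending login may wait for its MFA step


class CustomLoginFlow:
    """Password step, optional MFA step, session only when everything passed.

    check_password(username, password) -> {"ok": bool, "mfa_required": bool, "user_id": str}
    verify_factor(user_id, otp) -> bool
    Both are assumed wrappers around the identity provider's API (constructed example).
    """

    def __init__(self, check_password, verify_factor, now=time.time):
        self.check_password = check_password
        self.verify_factor = verify_factor
        self.now = now
        self.pending = {}    # login_token -> {"user_id", "expires", "attempts"}
        self.sessions = {}   # session_id -> user_id

    def start(self, username: str, password: str) -> dict:
        result = self.check_password(username, password)
        if not result["ok"]:
            # Identical response for unknown user and wrong password: no enumeration.
            return {"status": "denied"}
        if not result["mfa_required"]:
            return {"status": "authenticated", "session": self._create_session(result["user_id"])}
        # Park the half-finished login behind an unguessable, expiring handle; the
        # user_id is never sent to the client, so it cannot be substituted.
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"user_id": result["user_id"],
                               "expires": self.now() + PENDING_TTL, "attempts": 0}
        return {"status": "mfa_required", "login_token": token}

    def complete_mfa(self, login_token: str, otp: str) -> dict:
        record = self.pending.get(login_token)
        if record is None or record["expires"] < self.now():
            self.pending.pop(login_token, None)
            return {"status": "denied"}
        record["attempts"] += 1
        if not self.verify_factor(record["user_id"], otp):
            if record["attempts"] >= MAX_MFA_ATTEMPTS:
                del self.pending[login_token]      # lock out: user must start over
                return {"status": "denied"}
            return {"status": "mfa_failed", "remaining": MAX_MFA_ATTEMPTS - record["attempts"]}
        del self.pending[login_token]              # single use
        return {"status": "authenticated", "session": self._create_session(record["user_id"])}

    def _create_session(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id
```

In a real deployment `pending` and `sessions` live in a shared store with the same TTLs, and `verify_factor` is additionally rate limited per user, not only per pending login, so an attacker cannot reset the attempt counter by re-entering the password.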

Native, Trusted or Legacy Apps

If you're working with a native or legacy app that can only authenticate with a username and password and can't present an interactive login, then your best option is the OAuth 2.0 Resource Owner Password Credentials Grant. Because the app itself collects the user's password and forwards it to OneLogin, use this grant only for first-party apps you trust with credentials.

Like the custom login page above, this method gives you a flexible login experience, but it can't force password resets or require MFA.

No SSO. This flow does not establish a Single Sign-On session, so the user can't seamlessly access other applications.

Download a sample app from GitHub

Benefits

  • Flexible support for legacy apps or cases where an interactive login is impossible