Get Login Settings
GET /policies/login
Returns the login settings defined at the organization level. The policy takes effect as soon as the organization is identified (by scope or by user identification). The login policy defines which authentication options a user is offered, in other words the behavior of the login and register UI.
Request
Header Parameters
By default the request applies to the organization of the requesting user. To get or set the settings of another organization, include the organization header in the request. Make sure the user has permission to access the requested data.
Responses
200: A successful response.
Content types: application/json, application/grpc, application/grpc-web+proto (the schema and example below are identical for all three).
Schema
- policy (object)
  - details (object)
    - sequence: on read: the sequence of the last event reduced by the projection; on manipulation: the timestamp of the event(s) added by the manipulation
    - creationDate: on read: the timestamp of the first event of the object; on create: the timestamp of the event(s) added by the manipulation
    - changeDate: on read: the timestamp of the last event reduced by the projection; on manipulation: the
  - allowUsernamePassword: defines if a user is allowed to log in with username and password
  - allowRegister: defines if a person is allowed to register a user on this organization
  - allowExternalIdp: defines if a user is allowed to add a defined identity provider, e.g. Google auth
  - forceMfa: defines if a user MUST use a multi-factor to log in
  - passwordlessType: defines if passwordless is allowed for users. Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]. Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
  - isDefault: defines if the organization's admin changed the policy
  - hidePasswordReset: defines if the password reset link should be shown in the login screen
  - ignoreUnknownUsernames: defines if an unknown username on the login screen directly returns an error or always displays the password screen
  - defaultRedirectUri: defines where the user will be redirected to if the login is started without app context (e.g. from mail)
  - secondFactors: Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F, SECOND_FACTOR_TYPE_OTP_EMAIL, SECOND_FACTOR_TYPE_OTP_SMS]
  - multiFactors: Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
  - idps (object[])
    - idpId: the id of the identity provider
    - idpName: the name of the identity provider
    - idpType: the authorization framework of the identity provider. Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]. Default value: IDP_TYPE_UNSPECIFIED
  - allowDomainDiscovery: if set to true, the suffix (@domain.com) of an unknown username entered on the login screen will be matched against the org domains and, on success, the user is redirected to the registration of that organization
  - disableLoginWithEmail: defines if the user can additionally (to the login name) be identified by their verified email address
  - disableLoginWithPhone: defines if the user can additionally (to the login name) be identified by their verified phone number
  - forceMfaLocalOnly: if activated, only locally authenticated users are forced to use MFA. Authentication through IDPs won't prompt an MFA step in the login.
Example (from schema):
  {
    "policy": {
      "details": {
        "sequence": "2",
        "creationDate": "2024-11-15T21:46:16.394Z",
        "changeDate": "2024-11-15T21:46:16.394Z",
        "resourceOwner": "69629023906488334"
      },
      "allowUsernamePassword": true,
      "allowRegister": true,
      "allowExternalIdp": true,
      "forceMfa": true,
      "passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
      "isDefault": true,
      "hidePasswordReset": true,
      "ignoreUnknownUsernames": true,
      "defaultRedirectUri": "https://acme.com/ui/console",
      "passwordCheckLifetime": "864000s",
      "externalLoginCheckLifetime": "864000s",
      "mfaInitSkipLifetime": "2592000s",
      "secondFactorCheckLifetime": "64800s",
      "multiFactorCheckLifetime": "43200s",
      "secondFactors": [
        "SECOND_FACTOR_TYPE_UNSPECIFIED"
      ],
      "multiFactors": [
        "MULTI_FACTOR_TYPE_UNSPECIFIED"
      ],
      "idps": [
        {
          "idpId": "69629023906488334",
          "idpName": "google",
          "idpType": [
            "IDP_TYPE_OIDC"
          ]
        }
      ],
      "allowDomainDiscovery": true,
      "disableLoginWithEmail": true,
      "disableLoginWithPhone": true,
      "forceMfaLocalOnly": true
    },
    "isDefault": true
  }
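As an added example (not part of the ZITADEL documentation or project code), the following Python audit reads a GET /policies/login response body and reports the settings a reviewer would want to look at: password login without forced MFA, MFA enforcement that federated logins bypass, weak or missing second factor types, username enumeration via ignoreUnknownUsernames, open self-registration, a non-HTTPS redirect and an organization still on the inherited default policy. The sample body is constructed, and which factor types count as strong is the script's own assumption.

```python
import json

# Constructed sample body shaped like the documented GET /policies/login
# response (values chosen so that several checks fire); not a real org.
SAMPLE_BODY = json.loads("""{
  "policy": {
    "allowUsernamePassword": true, "allowRegister": true,
    "allowExternalIdp": true, "forceMfa": false, "forceMfaLocalOnly": false,
    "passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
    "hidePasswordReset": false, "ignoreUnknownUsernames": false,
    "defaultRedirectUri": "http://acme.example/ui/console",
    "secondFactors": ["SECOND_FACTOR_TYPE_OTP_SMS"],
    "multiFactors": ["MULTI_FACTOR_TYPE_UNSPECIFIED"], "isDefault": true
  },
  "isDefault": true
}""")

# Assumption of this audit: factors bound to an authenticator app or a
# security key count as strong; SMS and e-mail OTP do not.
STRONG_SECOND_FACTORS = {"SECOND_FACTOR_TYPE_OTP", "SECOND_FACTOR_TYPE_U2F"}
UNSPECIFIED = ("SECOND_FACTOR_TYPE_UNSPECIFIED", "MULTI_FACTOR_TYPE_UNSPECIFIED")


def audit_login_policy(body: dict) -> list[str]:
    """Return hardening findings for one login policy response body."""
    p = body["policy"]
    out = []
    second = {f for f in p.get("secondFactors", []) if f not in UNSPECIFIED}
    multi = {f for f in p.get("multiFactors", []) if f not in UNSPECIFIED}
    if p.get("allowUsernamePassword") and not p.get("forceMfa"):
        out.append("password login allowed but forceMfa is off")
    if p.get("forceMfa") and not (second or multi):
        out.append("forceMfa is on but no second/multi factor type is enabled")
    if p.get("forceMfa") and p.get("forceMfaLocalOnly"):
        out.append("forceMfaLocalOnly: logins through external IdPs skip the MFA prompt")
    if second and not (second & STRONG_SECOND_FACTORS):
        out.append("only SMS/e-mail OTP second factors are enabled")
    if not p.get("ignoreUnknownUsernames"):
        out.append("ignoreUnknownUsernames is off: login screen reveals whether a username exists")
    if p.get("allowRegister"):
        out.append("self-registration is open (allowRegister)")
    uri = p.get("defaultRedirectUri", "")
    if uri and not uri.startswith("https://"):
        out.append(f"defaultRedirectUri is not https: {uri}")
    if p.get("isDefault"):
        out.append("policy is the inherited default (isDefault): the org admin has not customized it")
    return out


if __name__ == "__main__":
    for finding in audit_login_policy(SAMPLE_BODY):
        print("-", finding)
```

Point the audit at the parsed JSON of a real response and an empty result means none of the checks above fired.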
default: An unexpected error response.
Content types: application/json, application/grpc, application/grpc-web+proto (the schema and example below are identical for all three).
Schema
- code (integer)
- message (string)
- details (object[]): each entry carries an @type
Example (from schema):
  {
    "code": 0,
    "message": "string",
    "details": [
      {
        "@type": "string"
      }
    ]
  }