diff --git a/apps/login/readme.md b/apps/login/readme.md index a8383961bcf..fac9db0db36 100644 --- a/apps/login/readme.md +++ b/apps/login/readme.md 
@@ -62,19 +62,19 @@ Requests to the APIs made: After a loginname is entered, a `listUsers` request is made using the loginName query to identify already registered users. -If only one user is found, we query `listAuthenticationMethodTypes` to identify future steps. +**USER FOUND:** If only one user is found, we query `listAuthenticationMethodTypes` to identify future steps. If no authentication methods are found, we render an error stating: _User has no available authentication methods._ (exception see below.) Now if only one method is found, we continue with the corresponding step (/password, /passkey/login). If multiple methods are set, we prefer passkeys over any other method, so we redirect to /passkey, second option is IDP, and third is password. If password is the next step, we check `loginSettings.passkeysType` for PasskeysType.ALLOWED, and prompt the user to setup passkeys afterwards. -If no user is found, we check whether registering is allowed using `loginSettings.allowRegister`. +**NO USER FOUND:** If no user is found, we check whether registering is allowed using `loginSettings.allowRegister`. If `loginSettings?.allowUsernamePassword` is not allowed we continue to check for available IDPs. If a single IDP is available, we directly redirect the user to signup. If no single IDP is set, we check for `loginSettings.allowUsernamePassword` and if no organization is set as context, we check whether we can discover a organization from the loginname of the user (using: `getOrgsByDomain`). Then if an organization is found, we check whether domainDiscovery is allowed on it and redirect the user to /register page including the discovered domain or without. If no previous condition is met we throw an error stating the user was not found. 
-If the outcome after this order produces a no authentication methods found, or user not found, we check whether `loginSettings?.ignoreUnknownUsernames` is set to `true` as in this case we redirect to the /password page regardless (to not leak information about a registered user). +**EXCEPTIONS**If the outcome after this order produces a no authentication methods found, or user not found, we check whether `loginSettings?.ignoreUnknownUsernames` is set to `true` as in this case we redirect to the /password page regardless (to not leak information about a registered user). > NOTE: We ignore `loginSettings.allowExternalIdp` as the information whether IDPs are available comes as response from `getActiveIdentityProviders(org?)`.
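Review bot: the new `**EXCEPTIONS**If` label on the last changed line is missing the space after the closing asterisks and the trailing colon that the sibling labels `**USER FOUND:**` and `**NO USER FOUND:**` carry, so it will render as the bold word fused to "If"; change it to `**EXCEPTIONS:** If` for consistent markdown. While touching that line, the phrase "produces a no authentication methods found" reads awkwardly; "results in no authentication methods found" would be clearer. The surrounding behaviour (redirecting to /password when `loginSettings?.ignoreUnknownUsernames` is `true` to avoid disclosing whether a user exists) is unchanged by this hunk, and the added labels only mark the three branches already described in the readme.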