Use Case – Weak authentication

  1. REST target application configuration
     1. Go to:
        Loginapp >> Applications and Authentication
     2. Create and edit a Target Application plugin
        • Create an Application ID plugin with the ID set to "weak-app"
        • Create and edit an Authentication Flow plugin with
          • Username/password authentication
          • A consent step
        • Create an OAuth 2.0/OIDC ID Propagator plugin
     3. The target application will choose the correct authentication flow and complete it with OIDC identity propagation.
  2. Authorization server configuration
     1. Go to:
        Loginapp >> OAuth 2.0/OIDC Authorization Servers >> {{AS-Id}} >> OAuth 2.0 Grants/OIDC Flows >> OIDC Authorization Code Flow
     2. In the section Flow Settings, configure an ACR to Flow Application ID Mapping plugin
        • ACR Value is set to "weak-acr"
        • Flow Application ID is an Application ID plugin with the ID set to "weak-app"
     3. The authorization code flow will select the correct target application if the client requests an acr_values of "weak-acr".
     4. In the section ID Token, create and edit a Flow Condition Based OIDC ID Token ACR Value plugin
        • Create and edit an OIDC Flow Condition To ACR Value Mapping plugin
          • Flow Condition: Has Tag - Weak Authentication Tag
          • ACR Value: weak-acr
     5. The authorization code flow will return an acr with the value "weak-acr" based on the tag set in the flow.
  3. Loginapp UI configuration
     1. Go to:
        Loginapp >> UI Settings >> Authentication UIs
     2. Create an Authentication & Authorization UI plugin
        • Create an Application ID plugin with the ID set to "weak-app"
        • Create a Target URI Resolver plugin that allows redirection to the client after the flow has completed successfully.
     3. The authorization code flow will now use the Loginapp UI for authentication.

Using the weak-app example

authorize call

Expected behavior:

  1. Use the above URL in a browser. This is required because the configured Loginapp UI depends heavily on JavaScript and will not render without a browser.
  2. The login screen is shown: enter username and password.
  3. If local consents are configured, the consent screen is shown: grant consent.
  4. The authorization server now responds with a 302 status code; its Location header carries the redirect URL with the authorization code and the state parameter.

Depending on your configuration, this may lead to an error in the browser if the location cannot be resolved. The network tab in your browser's developer tools shows the redirect URL you are looking for.

Finding the Redirect URL

Use the code from this Location header to exchange the authorization code for access and refresh tokens:

Redirect URL to weak-app

    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ


The response also contains an ID token carrying the required acr and role claims.

ID token from the response

    {
      "sub": "mike",
      "aud": "oidcConformance_clientId",
      "acr": "weak-acr",
      "roles": [ ... ],
      "auth_time": 1598097477,
      "iss": "",
      "exp": 1598097602,
      "iat": 1598097482
    }
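The client side of the weak-app flow above, as an added example that is not part of the original page or of Loginapp: it builds the authorize request with acr_values, takes the code out of the 302 Location value only when the state matches, prepares the token request with HTTP Basic client authentication, and checks the returned ID token's acr against the one requested, so a "weak-acr" login is never mistaken for a stronger one. Endpoint and redirect URI are placeholders; signature verification of the ID token is assumed to be done by a JWT library before the claim checks.

```python
import base64
from urllib.parse import parse_qs, urlencode, urlparse

# All values below are constructed for this example; none come from a real deployment.
AUTHORIZE_ENDPOINT = "https://iam.example.test/auth/authorize"  # placeholder endpoint
REDIRECT_URI = "https://client.example.test/cb"                  # placeholder client callback


def authorize_url(client_id: str, state: str, acr_values: str) -> str:
    """Authorization-code request that asks the server for a specific ACR (e.g. "weak-acr")."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "acr_values": acr_values}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def code_from_redirect(location: str, expected_state: str) -> str:
    """Take the code out of the 302 Location value, but only if the state is the one we sent."""
    query = parse_qs(urlparse(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to our request")
    if "code" not in query:
        raise ValueError("no authorization code in redirect")
    return query["code"][0]


def token_request(code: str, client_id: str, client_secret: str):
    """Headers and form body for the token endpoint: HTTP Basic client auth, as on the page."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Authorization": f"Basic {creds}"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return headers, body


def id_token_acceptable(claims: dict, client_id: str, requested_acr: str, now: int) -> bool:
    """Claim checks run after signature verification (assumed done by a JWT library):
    the token is for this client, still valid, and carries the acr that was requested."""
    return (claims.get("aud") == client_id
            and claims.get("exp", 0) > now
            and claims.get("acr") == requested_acr)
```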