Using the Flow Continuation Step in public self-service flows

The concept of flow continuation is a mechanism that allows a user-related flow to be started and continued at a later time based on a stored token. While such a flow can be started anywhere, continuation is limited to public self-service flows.

How it works

Flow continuation is separated into two components: the initiation point and the continuation flow. The initiation point may be any component that is capable of issuing a Flow Continuation Token. The initiation point issues the token and stores information about the user in the IAM database. The Flow Continuation Token can subsequently be sent to the user, e.g. in an email containing a link. The token link in the email can be used by the user at a later time because the Flow Continuation Token can be validated by a Flow Continuation Step of the continuation flow at any time.

Available initiation points in Airlock IAM (as of IAM 7.7):
  • Send Email Link Step in public self-service flows.
  • Send Email Link Step in self-registration flows.
  • Password Token Controller in the Adminapp's user management.

Example flow

Figure: FlowContinuation
  1. An authorized user uses the public self-service Send Email Link Step as the initiation point. The step creates a Flow Continuation Token in the database, embeds it in a link, and sends it to the user via email.
  2. The Flow Continuation Token is stored in the IAM database and can be used in the continuation flow, a public self-service flow containing a Flow Continuation Step.
  3. When the email link is used by the user, the continuation flow is started.
  4. The Flow Continuation Step validates the Flow Continuation Token and identifies the user by reading the data stored in the IAM database.
  5. The public self-service flow continues with the user identified by the Flow Continuation Step.

Note that the initiation point and the public self-service continuation flow with the Flow Continuation Step do not have to operate on the same HTTP session. This is because the user information associated with the Flow Continuation Token is stored in the IAM database.

This allows for use cases where the initiation point and the continuation flow are handled by different components. For example, the initiation point may run in the helpdesk's browser session, while the continuation flow runs in the user's browser session.

The Flow Continuation Step is a non-interactive step and takes the Flow Continuation Token from the HTTP request header X-Flow-Continuation-Token.

The following example request shows how the Flow Continuation Token is sent to the continuation flow as an HTTP header in the request selecting the corresponding flow. Note that most other HTTP headers have been removed for simplicity.

POST /auth-login/rest/public/self-service/flows/password-reset-continue/select HTTP/1.1
Content-Type: application/json
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
Content-Length: 0
X-Flow-Continuation-Token: 5zJztFS4osAWnV6KLGdSSXjFjZZATaBsVJW2vSQZtG1i18NZo3MjQu69PJpe4cTPTqfXTxRYppwkpSx2b89Er3hwWBWAcgqS9Qif
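The following Python is an added illustration of the two components described above, not Airlock IAM's own code (which this page does not show): an initiation point that issues a random token and persists only the user's identity, and a non-interactive Flow Continuation Step that reads X-Flow-Continuation-Token from a select request shaped like the one above and identifies the user from the stored record. The in-memory store, the token lifetime, hashed storage, single-use handling and the request parser are assumptions of this model; the user name and request are constructed sample data.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_HEADER = "X-Flow-Continuation-Token"
TOKEN_TTL_SECONDS = 3600  # assumed lifetime; the page states no value
SELECT_PATH = re.compile(r"/flows/([^/]+)/select$")


@dataclass
class TokenRecord:
    username: str            # the only state carried over: who the user is
    continuation_flow: str   # flow the token was issued for
    expires_at: float
    consumed: bool = False


@dataclass
class TokenStore:
    """Stand-in for the IAM database (assumption). Records are keyed by a hash
    of the token so that a copy of the store does not yield usable tokens."""
    records: Dict[str, TokenRecord] = field(default_factory=dict)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(store: TokenStore, username: str, continuation_flow: str,
                now: Optional[float] = None) -> str:
    """Initiation point (e.g. Send Email Link Step): issue a random token and
    persist the user it identifies. Open, unsaved flow changes are NOT stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(72)
    store.records[_digest(token)] = TokenRecord(
        username=username, continuation_flow=continuation_flow,
        expires_at=now + TOKEN_TTL_SECONDS)
    return token


def parse_select_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Parse a flow-select request (as in the page's example) into the flow
    name taken from the path and a dict of lower-cased header names."""
    lines = raw.replace("\r\n", "\n").split("\n")
    _method, path, _version = lines[0].split(" ", 2)
    match = SELECT_PATH.search(path)
    if not match:
        raise ValueError("not a flow select request: " + path)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return match.group(1), headers


def continuation_step(store: TokenStore, flow: str, headers: Dict[str, str],
                      now: Optional[float] = None) -> Optional[str]:
    """Flow Continuation Step: non-interactive. Reads the token from the request
    header, validates it against the store and returns the identified username,
    or None if the flow must not continue."""
    now = time.time() if now is None else now
    token = headers.get(TOKEN_HEADER.lower())
    if not token:
        return None
    rec = store.records.get(_digest(token))
    if rec is None or rec.consumed or now > rec.expires_at:
        return None
    if rec.continuation_flow != flow:   # token was issued for another flow
        return None
    rec.consumed = True                 # single use: a forwarded link cannot be replayed
    return rec.username


def demo() -> Optional[str]:
    """Walk the page's example flow end to end on constructed data."""
    store = TokenStore()
    # 1./2. initiation point issues the token and stores the user record
    token = issue_token(store, "alice", "password-reset-continue", now=1000.0)
    # 3. the user follows the email link; the client sends the token in the
    #    header of the select request (constructed, headers trimmed as on the page)
    raw = ("POST /auth-login/rest/public/self-service/flows/password-reset-continue/select HTTP/1.1\r\n"
           "Content-Type: application/json\r\n"
           "Content-Length: 0\r\n"
           f"{TOKEN_HEADER}: {token}\r\n\r\n")
    flow, headers = parse_select_request(raw)
    # 4./5. the continuation step identifies the user from the stored record
    return continuation_step(store, flow, headers, now=1500.0)


if __name__ == "__main__":
    print(demo())  # alice
```

Because the record holds only the user identity and the flow it was issued for, the model also makes the page's limitations concrete: nothing entered but not persisted at the initiation point reaches the continuation step, and a token presented to a different flow, after expiry, or a second time is rejected.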

Limitations

The flow continuation concept cannot be used to split an arbitrary flow at an arbitrary point. Since the Flow Continuation Token only stores information about the user in the database (and not the whole state of the flow), the following restrictions apply:

  • A user account for the affected user must exist in the database.
  • All user data entered or manipulated within the initiation point (e.g. a self-registration flow) must be persisted within the initiation point. Open changes are not transported to the continuation flow in the Flow Continuation Token.
  • The continuation flow must be a public self-service flow.