WSO2 Asgardeo: Modern Identity and Access Management
In today's digital landscape, secure and seamless identity management is crucial for any application. WSO2 Asgardeo is a comprehensive cloud-native Identity-as-a-Service (IDaaS) solution that provides enterprise-grade security with developer-friendly features.
What is WSO2 Asgardeo?
WSO2 Asgardeo is a cloud-based Customer Identity and Access Management (CIAM) solution that enables developers to add authentication and authorization to their applications quickly and securely. Built on proven open-source technology, Asgardeo offers a modern, standards-based approach to identity management.
Why Choose Asgardeo?
Cloud-Native Architecture
Asgardeo is built for the cloud, offering high availability, scalability, and automatic updates without infrastructure management overhead.
Standards-Based
Supports industry-standard protocols including OAuth 2.0, OpenID Connect (OIDC), SAML 2.0, and WS-Federation.
Developer-Friendly
Rich SDKs, comprehensive documentation, and intuitive APIs make integration straightforward for developers.
Enterprise-Ready Security
Built with security best practices, including multi-factor authentication (MFA), adaptive authentication, and passwordless login options.
Cost-Effective
Pay-as-you-go pricing model with a generous free tier for development and small-scale applications.
Key Features
1. Multi-Factor Authentication (MFA)
Add an extra layer of security with various MFA options:
- SMS OTP
- Email OTP
- TOTP (Time-based One-Time Password)
- Hardware tokens
- Biometric authentication
2. Social Login Integration
Enable users to sign in with their existing social accounts:
- Microsoft
- Apple
- GitHub
- And more...
3. Passwordless Authentication
Modern authentication methods for better user experience:
- Magic links via email
- Biometric authentication (WebAuthn/FIDO2)
- SMS-based authentication
4. Single Sign-On (SSO)
Allow users to authenticate once and access multiple applications seamlessly.
5. Adaptive Authentication
Implement risk-based authentication that adapts based on user behavior, location, and device.
6. User Self-Service
Empower users with self-service capabilities:
- Password reset
- Profile management
- Account recovery
- Consent management
7. Branding and Customization
Customize the login experience to match your brand:
- Custom themes
- Branded login pages
- Localization support
Getting Started with Asgardeo
Step 1: Create an Asgardeo Account
Visit https://wso2.com/asgardeo/ and sign up for a free account. You'll get access to an organization where you can manage applications and users.
Step 2: Register Your Application
In the Asgardeo console:
- Navigate to Applications
- Click New Application
- Choose your application type:
- Single Page Application (React, Angular, Vue.js)
- Traditional Web Application
- Mobile Application
- Machine-to-Machine (M2M)
Step 3: Configure Application Settings
{ "clientId": "YOUR_CLIENT_ID", "baseUrl": "https://api.asgardeo.io/t/{organization}", "signInRedirectURL": "http://localhost:3000/callback", "signOutRedirectURL": "http://localhost:3000", "scope": ["openid", "profile", "email"] }
Integration Examples
React Application
Install Asgardeo React SDK
npm install @asgardeo/auth-react
Configure the SDK
// src/config.js export const config = { signInRedirectURL: "http://localhost:3000", signOutRedirectURL: "http://localhost:3000", clientID: "YOUR_CLIENT_ID", baseUrl: "https://api.asgardeo.io/t/{organization}", scope: ["openid", "profile", "email"] };
Wrap Your App with AuthProvider
// src/App.js import { AuthProvider } from "@asgardeo/auth-react"; import { config } from "./config"; function App() { return ( <AuthProvider config={config}> <YourApplication /> </AuthProvider> ); } export default App;
Implement Login/Logout
// src/components/LoginButton.js import { useAuthContext } from "@asgardeo/auth-react"; function LoginButton() { const { state, signIn, signOut } = useAuthContext(); return ( <div> {state.isAuthenticated ? ( <div> <p>Welcome, {state.username}!</p> <button onClick={() => signOut()}>Logout</button> </div> ) : ( <button onClick={() => signIn()}>Login</button> )} </div> ); } export default LoginButton;
Access User Information
import { useAuthContext } from "@asgardeo/auth-react"; function UserProfile() { const { state, getBasicUserInfo } = useAuthContext(); useEffect(() => { if (state.isAuthenticated) { getBasicUserInfo() .then((response) => { console.log("User Info:", response); }) .catch((error) => { console.error(error); }); } }, [state.isAuthenticated]); return <div>Check console for user info</div>; }
Node.js Backend Integration
Install Dependencies
npm install express express-openid-connect
Configure OpenID Connect
const express = require('express'); const { auth } = require('express-openid-connect'); const app = express(); const config = { authRequired: false, auth0Logout: true, secret: 'a long, randomly-generated string', baseURL: 'http://localhost:3000', clientID: 'YOUR_CLIENT_ID', issuerBaseURL: 'https://api.asgardeo.io/t/{organization}/oauth2/token', }; app.use(auth(config)); // Require authentication for /admin routes app.use('/admin', (req, res, next) => { if (!req.oidc.isAuthenticated()) { return res.status(401).send('Unauthorized'); } next(); }); app.get('/', (req, res) => { res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out'); }); app.listen(3000);
Mobile Application (React Native)
Install Asgardeo React Native SDK
npm install @asgardeo/auth-react-native
Configure and Use
import { AsgardeoAuthClient } from "@asgardeo/auth-react-native"; const config = { clientId: "YOUR_CLIENT_ID", serverOrigin: "https://api.asgardeo.io/t/{organization}", signInRedirectURL: "myapp://callback", signOutRedirectURL: "myapp://logout" }; const authClient = new AsgardeoAuthClient(config); // Sign in authClient.signIn() .then((response) => { console.log("Signed in successfully", response); }) .catch((error) => { console.error("Sign in failed", error); }); // Get user info authClient.getBasicUserInfo() .then((userInfo) => { console.log("User Info:", userInfo); }); // Sign out authClient.signOut();
Advanced Features
Implementing Adaptive Authentication
Asgardeo allows you to define authentication flows based on context:
// Example: Require MFA for high-risk login attempts if (context.request.ip !== user.lastLoginIP) { executeStep(1); // Username & Password executeStep(2); // MFA (TOTP or SMS) } else { executeStep(1); // Username & Password only }
Role-Based Access Control (RBAC)
Define roles and assign them to users:
// In your application, check user roles const { state } = useAuthContext(); if (state.isAuthenticated) { const userRoles = state.idToken?.groups || []; if (userRoles.includes('admin')) { // Show admin features } else if (userRoles.includes('editor')) { // Show editor features } }
API Authorization
Protect your APIs using access tokens:
// Backend middleware to verify tokens const jwt = require('jsonwebtoken'); const jwksClient = require('jwks-rsa'); const client = jwksClient({ jwksUri: 'https://api.asgardeo.io/t/{organization}/oauth2/jwks' }); function getKey(header, callback) { client.getSigningKey(header.kid, (err, key) => { const signingKey = key.publicKey || key.rsaPublicKey; callback(null, signingKey); }); } function verifyToken(req, res, next) { const token = req.headers.authorization?.split(' ')[1]; if (!token) { return res.status(401).json({ error: 'No token provided' }); } jwt.verify(token, getKey, (err, decoded) => { if (err) { return res.status(401).json({ error: 'Invalid token' }); } req.user = decoded; next(); }); } app.get('/api/protected', verifyToken, (req, res) => { res.json({ message: 'This is protected data', user: req.user }); });
User Management
Creating Users Programmatically
Use the SCIM 2.0 API to manage users:
curl -X POST \ https://api.asgardeo.io/t/{organization}/scim2/Users \ -H 'Authorization: Bearer {access_token}' \ -H 'Content-Type: application/json' \ -d '{ "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "john.doe@example.com", "name": { "givenName": "John", "familyName": "Doe" }, "emails": [{ "primary": true, "value": "john.doe@example.com" }], "password": "SecurePassword123!" }'
User Profile Management
Allow users to update their profiles:
import { useAuthContext } from "@asgardeo/auth-react"; function ProfileUpdate() { const { updateProfile } = useAuthContext(); const handleUpdate = async () => { try { await updateProfile({ givenName: "John", familyName: "Doe", email: "john.doe@example.com" }); console.log("Profile updated successfully"); } catch (error) { console.error("Profile update failed", error); } }; return <button onClick={handleUpdate}>Update Profile</button>; }
Security Best Practices
1. Use PKCE for SPAs
Always enable Proof Key for Code Exchange (PKCE) for single-page applications:
const config = { // ... other config enablePKCE: true };
2. Implement Token Refresh
Handle token expiration gracefully:
const { refreshAccessToken } = useAuthContext(); // Refresh token before it expires useEffect(() => { const interval = setInterval(() => { refreshAccessToken() .then(() => console.log("Token refreshed")) .catch((error) => console.error("Token refresh failed", error)); }, 4 * 60 * 1000); // Refresh every 4 minutes return () => clearInterval(interval); }, []);
3. Secure Token Storage
Never store tokens in localStorage. Use secure, httpOnly cookies or in-memory storage.
4. Validate ID Tokens
Always validate ID tokens on the backend:
const { verify } = require('jsonwebtoken'); function validateIdToken(idToken) { try { const decoded = verify(idToken, publicKey, { algorithms: ['RS256'], audience: 'YOUR_CLIENT_ID', issuer: 'https://api.asgardeo.io/t/{organization}/oauth2/token' }); return decoded; } catch (error) { throw new Error('Invalid ID token'); } }
5. Enable MFA for Sensitive Operations
Require additional authentication for critical actions like password changes or financial transactions.
Monitoring and Analytics
Asgardeo provides comprehensive analytics:
- Login Analytics: Track successful and failed login attempts
- User Activity: Monitor active users and engagement
- Application Usage: Understand which applications are most used
- Security Events: Get alerts for suspicious activities
Access these metrics through the Asgardeo console under Monitor > Analytics.
Migration and Integration
Migrating from Other Identity Providers
Asgardeo supports user migration from:
- Auth0
- Okta
- Firebase Authentication
- Custom identity solutions
Use the bulk user import feature or SCIM API for seamless migration.
Integration with Existing Systems
Asgardeo can integrate with:
- LDAP/Active Directory
- SAML-based enterprise SSO
- Legacy authentication systems
- Third-party identity providers
Pricing and Limits
Free Tier
- Up to 3 applications
- Up to 1,000 monthly active users
- Standard authentication features
- Community support
Business Tier
- Unlimited applications
- Pay per monthly active user
- Advanced features (adaptive auth, risk-based auth)
- Email support
Enterprise Tier
- Custom pricing
- Dedicated support
- SLA guarantees
- Custom integrations
Troubleshooting Common Issues
Issue: Redirect URI Mismatch
Solution: Ensure the redirect URI in your application matches exactly with the one configured in Asgardeo (including protocol and port).
Issue: CORS Errors
Solution: Configure allowed origins in the Asgardeo console under application settings.
Issue: Token Expiration
Solution: Implement token refresh logic and handle authentication state properly.
Issue: MFA Not Working
Solution: Verify that the user has enrolled in MFA and the authentication flow includes the MFA step.
Conclusion
WSO2 Asgardeo provides a powerful, flexible, and secure identity management solution for modern applications. Whether you're building a simple web app or a complex enterprise system, Asgardeo offers the tools and features needed to implement robust authentication and authorization.
Key takeaways:
- Quick Integration: SDKs and documentation make implementation straightforward
- Security First: Built with enterprise-grade security features
- Scalable: Cloud-native architecture grows with your needs
- Standards-Based: Uses industry-standard protocols for maximum compatibility
- Cost-Effective: Generous free tier and flexible pricing
Start with the free tier, experiment with the features, and scale as your application grows. With Asgardeo, you can focus on building your application while leaving identity management to the experts.
For more information, visit the official documentation and explore the developer portal for additional resources, tutorials, and sample applications.
