Magiclink authentication for anonymous user

We have a requirement to allow anonymous user access to limited functionality based on something similar to a magiclink.

Is there a way to use the Action interface and suspension handler
https://backstage.forgerock.com/docs/am/7/apidocs/org/forgerock/openam/auth/node/api/Action.html#suspend(org.forgerock.openam.auth.node.api.SuspensionHandler)
in a scripted decision node to implement something similar to magiclink authentication for an anonymous user.

The documentation on the SuspensionHandler and usage of the same in a Scripted decision node appears to be very limited.

There is a reference to implementing this in IG < 7: "Magic links with ForgeRock Access Management — Before v7" by Stéphane Orluc (Medium).

Though it recommends using the Email Suspend node in AM 7.x, which we are on, our deployment does not have an IDM integration and there is no identity associated with the authentication request.

Are there suggestions on approaches to implement this feature?

Thank you

The Suspend action is not available in a scripted node. This means you'll need to split the journey into two separate journeys:

  • The first journey collects the user details and sends the magic link by mail to the user.
  • When the user follows the magic link, it resumes at the second journey.

Use a signed JWT embedded in the magic link, which is validated by the second journey. The delicate part is how to end the first journey. A journey either ends with success (the session cookie is set) or fails (Login Failure message). The second option is preferable, security-wise. A third option is to not end the journey at all - however, this will leave behind dangling authentication sessions, but they'll eventually time out and be wiped. If you have implemented your own login page, it will be easier to handle either a login failure (ignore the error after the mail has been sent) or, if the journey is never to end, just stop the process from the front end at this level.

Regards

Patrick

Hi Patrick,
Thank you for the details. Do you have thoughts on how to best handle anonymous users?
Considering that the Email Suspend node, for example, is not very configurable and pulls the email address/phone number from the user profile, how would that be approached for an anonymous user?

Thank you
Ram