Hosted Login or AuthN APIs

Add authentication to your app with AuthN

This document outlines the differences between two alternative options you can use to add the login functionality to your application using Pangea as the identity provider.

• Hosted Login

  This is the easiest and the most comprehensive option. You can quickly add authentication capabilities to your application by delegating the process of signing up and signing in to your Pangea project using its Hosted Login page. After authenticating with Pangea, the user is redirected back to your application with a code that can be exchanged for the user's profile and session tokens.

  Learn more about Pangea's Hosted Login

• AuthN flow APIs

  Alternatively, your application can collect user credentials and other information directly, and complete the sign-up and sign-in process via calls to the AuthN APIs in the application backend. You can also use the APIs to implement passwordless authentication methods that don’t require direct user interaction in the user agent, such as Email Code, Magic Link, or SMS. The user never leaves the context of your application and there are no redirects.

  Learn more about AuthN login flow APIs

Choose which option fits your application needs and capabilities based on the advantages and limitations of both options described below. With either option, you can use the AuthN APIs directly or use a Pangea SDK in the supported environments.

Hosted Login

PROS

• Using Pangea Hosted Login requires minimum implementation efforts in your application.

  You can easily add configurable credential handling, multi-factor authentication (MFA), password resets, legal agreements, session management, and more to your app in two steps:

  • Provide a link to the Hosted Login page.
  • Handle redirects from the login page.

  This gives you immediate access to the login functionality available in AuthN:

  • Modern authentication options:
    • Traditional password-based login
    • Passkeys for passwordless login
    • Social authentication using OpenID Connect
    • Single Sign-On using SAML
    • MFA using email or SMS one-time codes
    • Time-based one-time password (TOTP) and authenticator apps
    • Magic Links
    • Identity aggregation
  • CAPTCHA to enable human verification in the registration process
  • Legal Agreements and Disclaimers during the sign-up and sign-in flows
  • Threat intelligence implemented with various Security Controls based on the geographic, IP, and domain context of the authentication request

  These capabilities can be easily configured, enabled, and combined in different ways using the Pangea User Console to customize the sign-up and sign-in flows, with immediate effects across all applications using the Hosted Login page.

  You will automatically get access to any additional features integrated into AuthN as they become available.

• You can use the same login functionality across different applications:

  • Your users get a consistent login experience.
  • Any enhancements or modifications to the login process are centralized and uniform.
  • As your requirements change, you can update your login implementation once for all apps.
  • You can delegate signing up and signing in to an external application.

CONS

• Customizing the Hosted Login appearance using Branding & Customization might not be 100 % sufficient to satisfy specific branding requirements.
• Sending users to a hosted login page can cause noticeable interruptions in the browser, like quick flashes or flickering, which might disrupt the seamless experience of using the application.

AuthN flow APIs

PROS

• The login experience could be seamlessly integrated with your application and satisfy tight, specific branding requirements.
• You could use passwordless authentication methods for step-up authorization.

CONS

• Your application becomes responsible for accidental or malicious disclosure of the user credentials to which it will have direct access.

  Inadvertent or intentional disclosure of these credentials can lead to unauthorized access, identity theft, and reputation damage. To mitigate this risk, you will need to develop robust security measures such as encryption, secure storage, access controls, audits, etc., and adhere to industry best practices and compliance with data protection regulations to maintain user trust. All of these measures have already been implemented in Pangea's Hosted Login solution.

• Your application will need to capture and track changes in your AuthN configuration and user preferences. Then, you'll need to implement user-facing functionality for every authentication feature you enable, such as password requirements, multi-factor authentication (MFA) options, additional security controls, legal agreements, and more.

• For threat intelligence purposes, you'll need to include the user authentication context in your requests to the AuthN APIs. This could require a significant development effort and allocation of resources that might otherwise be spent on application-specific functionalities.

• Every change in AuthN functionality would require re-implementation at the application level in every application utilizing the AuthN APIs.

• The direct use of AuthN APIs does not support browser-based interactions such as SAML, Social Authentication, CAPTCHAs, Passkeys, and similar features.

note

Some of these challenges can be addressed through a login widget.

However, using an application to collect and proxy sending user credentials to the Pangea APIs poses an additional security risk. A poorly configured application or malicious developer could capture the credentials. We recommend using the Hosted Flow over the Flow APIs to mitigate this risk.

Was this article helpful?

Contact us