Multiple login flows

[osbornk]

Is there anyway to tie a login/consent flow to a particular client ID or some other passthrough parameter. For example, if the request comes from a mobile first-party client we might want a particular UI. Else, fallback to some other UI.

[mig5]

You can obtain the Client ID, its name, URIs or other attributes to do with the OIDC client, by examining the login request 'challenge' token, in your Login/Consent app. From there, you can take different action that is entirely up to you.

Basically, when your user/browser lands on your 'login' page that Hydra's redirected them to, with the login challenge as a query parameter token, take that challenge (presumably your GET route on your Login and Consent app can inspect the query parameters that were in the URL) and pass it to the Hydra Admin API to get the OIDC client details.

I do this to render different themed login pages depending on OIDC client (like in a case statement). The code below is using the API PHP bindings with Ory Hydra 1.x but it should be pretty understandable/similar for other languages/Hydra 2:

$login_request = $this-->hydra->getLoginRequest($login_challenge);
$client = $login_request->getClient();
if (isset($client['redirectUris'])) {
    switch ($client['redirectUris'][0]) {
        case "https://something.example.com/callback":
            // Load or render some theme in your app, or redirect to some other page,
            // based on the name of the redirect_uris of the OIDC client.
            // You could equally compare against some other attribute of getClient() rather
            // than the redirectUris.
        case "https://someotherurl":
            // ...
    }
}

You can get a sense of what attributes exist for getClient() via the docs.

or some other passthrough parameter.

Thought I'd also point out that you can also do this:

                $action = 'login';
                $request_url = $login_request->getRequestUrl();
                $parts = parse_url($request_url);
                parse_str($parts['query'], $query);
                if (isset($query['action'])) {
                    $action = $query['action'];
                }

Here, I am checking for an 'action' query param that might have been set by the OIDC Client when initiating the auth flow. E.G, if the 'action' query param was 'register', I might show a registration page rather than a login page.

With the JumboJett PHP OpenIDConnect library, my OIDC client (on my RP) sets this param in its 'register' route, with addAuthParam:

      $this-->oidc->addAuthParam(array('action' => 'register'));

So that's another way: rather than inspect the OIDC client attributes, inspect the 'auth params' that end up as query params in the getRequestUrl() known to Hydra (still obtainable via the 'challenge' token).

Hope it helps!