diff --git a/docs/authorization/role-based-access-control/README.mdx b/docs/authorization/role-based-access-control/README.mdx index 5b627ac5303..27c7b0e500c 100644 --- a/docs/authorization/role-based-access-control/README.mdx +++ b/docs/authorization/role-based-access-control/README.mdx @@ -96,6 +96,10 @@ Note the order admin shares the permission `read:product` with the product admin ## Related resources \{#related-resources} + + RBAC in practice: A step-by-step guide to implement secure authorization for your application + + Mastering RBAC in Logto: A Comprehensive Real-World Example diff --git a/docs/connectors/enterprise-connectors.mdx b/docs/connectors/enterprise-connectors.mdx index 46500cf908b..197326656d1 100644 --- a/docs/connectors/enterprise-connectors.mdx +++ b/docs/connectors/enterprise-connectors.mdx @@ -90,7 +90,7 @@ If our standard connectors don't meet your specific requirements, don't hesitate 3. Provide a unique name (e.g., Okta for Acme Company). 4. Configure the connection with your IdP in the "Connection" tab. Check the guides above for each connector types. 5. Customize the SSO experience and **email domain** in the "Experience" tab. -6. For the SAML enterprise connector, enabling IdP-initiated SSO in the "IdP-initiated SSO" tab is optional. Refer to the guide for details. +6. For the SAML enterprise connector, enabling IdP-initiated SSO in the "IdP-initiated SSO" tab is optional. [Refer to the guide](/end-user-flows/enterprise-sso/idp-initiated-sso) for details. 7. Save changes. Please note the following settings: @@ -138,3 +138,4 @@ Logto provides an entry point for configuring SSO connector JIT provisioning wit IdP-initiated SSO & SP-initiated SSO SAML vs. OpenID Connect +SAML vs. SSO diff --git a/docs/developers/audit-logs.mdx b/docs/developers/audit-logs/README.mdx similarity index 94% rename from docs/developers/audit-logs.mdx rename to docs/developers/audit-logs/README.mdx index f7696a2af1e..5a09620b444 100644 
--- a/docs/developers/audit-logs.mdx +++ b/docs/developers/audit-logs/README.mdx @@ -1,7 +1,4 @@ --- -id: audit-logs -title: Audit logs -sidebar_label: Audit logs sidebar_position: 6 --- @@ -21,7 +18,7 @@ Audit logs only contain logs that occur during user authentication process, logs Logto's logs offer comprehensive details, ensuring ease of action and customer safety. They capture and record the following information: -- Type of event (full list of audit log events can be found [here](https://github.com/logto-io/logto/blob/master/packages/console/src/consts/logs.ts)) +- Type of event (full list of audit log events can be found [here](/developers/audit-logs/event-types)) - Application involved - IP address - User involved diff --git a/docs/developers/audit-logs/event-types.mdx b/docs/developers/audit-logs/event-types.mdx new file mode 100644 index 00000000000..6dc3dfd1ffe --- /dev/null +++ b/docs/developers/audit-logs/event-types.mdx 
@@ -0,0 +1,148 @@ +--- +sidebar_label: Event types +--- + +# Event types of audit logs + +You can filter event types in Logto Console > Audit Logs. + +:::note + +Logto now supports retrieving logs related to end-user interactions via the [Experience APIs](https://openapi.logto.io/group/endpoint-experience). + +Audit logs for [Management APIs](/integrate-logto/interact-with-management-api) and [Account APIs](https://openapi.logto.io/group/endpoint-account-center) are coming soon. + +Feel free to [contact us](https://logto.io/contact) if you’d like to share your requirements. + +::: + +## Exchange token + +| Key | Name | +| --------------------------------- | ------------------------------------ | +| ExchangeTokenBy.AuthorizationCode | Exchange token by Code | +| ExchangeTokenBy.ClientCredentials | Exchange token by Client Credentials | +| ExchangeTokenBy.RefreshToken | Exchange token by Refresh Token | +| ExchangeTokenBy.TokenExchange | Token exchange | + +## Custom token claims + +| Key | Name | +| ------------------------------ | ----------------------------------- | +| JwtCustomizer.AccessToken | Get custom user access token claims | +| JwtCustomizer.ClientCredential | Get custom M2M access token claims | + +## Interaction lifecycle + +| Key | Name | +| ------------------ | ------------------- | +| Interaction.Create | Interaction started | +| Interaction.End | Interaction ended | + +## Register + +| Key | Name | +| -------------------------------------------------------------- | ---------------------------------------------------------- | +| Interaction.Register.Create | Create new register interaction | +| Interaction.Register.Submit | Submit register interaction | +| Interaction.Register.Update | Update register interaction | +| Interaction.Register.Identifier.Submit | Create and identify new user for register interaction | +| Interaction.Register.Identifier.VerificationCode.Create | Create and send register identifier with verification code | +| 
Interaction.Register.Identifier.VerificationCode.Submit | Submit and verify register verification code | +| Interaction.Register.Verification.NewPassword.Submit | Create new password identity for register | +| Interaction.Register.Verification.Password.Submit | Create and verify identifier with password verification | +| Interaction.Register.Verification.EmailVerificationCode.Create | Create and send register email verification code | +| Interaction.Register.Verification.EmailVerificationCode.Submit | Verify register email verification code | +| Interaction.Register.Verification.SmsVerificationCode.Create | Create and send register SMS verification code | +| Interaction.Register.Verification.SmsVerificationCode.Submit | Verify register SMS verification code | +| Interaction.Register.Verification.Social.Create | Create social authentication URL | +| Interaction.Register.Verification.Social.Submit | Verify social authentication | +| Interaction.Register.Verification.EnterpriseSso.Create | Create enterprise SSO authentication URL | +| Interaction.Register.Verification.EnterpriseSso.Submit | Verify enterprise SSO authentication | +| Interaction.Register.Profile.Create | Put new register interaction profile | +| Interaction.Register.Profile.Delete | Delete register interaction profile | +| Interaction.Register.Profile.Update | Patch update register interaction profile | + +## Sign in + +| Key | Name | +| ------------------------------------------------------------ | ----------------------------------------------------------- | +| Interaction.SignIn.Create | Create new sign-in interaction | +| Interaction.SignIn.Submit | Submit sign-in interaction | +| Interaction.SignIn.Update | Update sign-in interaction | +| Interaction.SignIn.Identifier.Submit | Identify user for sign-in interaction | +| Interaction.SignIn.Identifier.Password.Submit | Submit sign-in identifier with password | +| Interaction.SignIn.Verification.NewPassword.Submit | Create new password identity for 
register | +| Interaction.SignIn.Verification.Password.Submit | Create and verify identifier with password verification | +| Interaction.SignIn.Identifier.VerificationCode.Create | Create and send sign-in verification code | +| Interaction.SignIn.Identifier.VerificationCode.Submit | Submit and verify sign-in identifier with verification code | +| Interaction.SignIn.Verification.EmailVerificationCode.Create | Create and send sign-in email verification code | +| Interaction.SignIn.Verification.EmailVerificationCode.Submit | Verify sign-in email verification code | +| Interaction.SignIn.Verification.SmsVerificationCode.Create | Create and send sign-in SMS verification code | +| Interaction.SignIn.Verification.SmsVerificationCode.Submit | Verify sign-in SMS verification code | +| Interaction.SignIn.Identifier.Social.Create | Create social sign-in authorization-url | +| Interaction.SignIn.Identifier.Social.Submit | Authenticate and submit social identifier | +| Interaction.SignIn.Verification.Social.Create | Create social authentication URL | +| Interaction.SignIn.Verification.Social.Submit | Verify social authentication | +| Interaction.SignIn.Identifier.SingleSignOn.Create | Create single-sign-on authentication session | +| Interaction.SignIn.Identifier.SingleSignOn.Submit | Submit single-sign-on authentication interaction | +| Interaction.SignIn.Verification.EnterpriseSso.Create | Create enterprise SSO authentication URL | +| Interaction.SignIn.Verification.EnterpriseSso.Submit | Verify enterprise SSO authentication | +| Interaction.SignIn.Verification.IdpInitiatedSso.Create | Create IdP-initiated SAML SSO authentication session | +| Interaction.SignIn.Profile.Create | Put new sign-in interaction profile | +| Interaction.SignIn.Profile.Delete | Delete sign-in interaction profile | +| Interaction.SignIn.Profile.Update | Patch update sign-in interaction profile | + +## Forgot password + +| Key | Name | +| 
-------------------------------------------------------------------- | ------------------------------------------------------- | +| Interaction.ForgotPassword.Create | Create new forgot-password interaction | +| Interaction.ForgotPassword.Submit | Submit forgot-password interaction | +| Interaction.ForgotPassword.Update | Update forgot-password interaction | +| Interaction.ForgotPassword.Identifier.Submit | Identify user for forgot-password interaction | +| Interaction.ForgotPassword.Identifier.VerificationCode.Create | Create and send forgot-password verification code | +| Interaction.ForgotPassword.Identifier.VerificationCode.Submit | Submit and verify forgot-password verification code | +| Interaction.ForgotPassword.Verification.EmailVerificationCode.Create | Create and send forgot-password email verification code | +| Interaction.ForgotPassword.Verification.EmailVerificationCode.Submit | Verify forgot-password email verification code | +| Interaction.ForgotPassword.Verification.SmsVerificationCode.Create | Create and send forgot-password SMS verification code | +| Interaction.ForgotPassword.Verification.SmsVerificationCode.Submit | Verify forgot-password SMS verification code | +| Interaction.ForgotPassword.Profile.Create | Put new forgot-password interaction profile | +| Interaction.ForgotPassword.Profile.Delete | Delete forgot-password interaction profile | +| Interaction.ForgotPassword.Profile.Update | Patch update forgot-password interaction profile | + +## MFA + +| Key | Name | +| --------------------------------------------------- | ----------------------------------------------- | +| Interaction.Register.Verification.BackupCode.Create | Create backup codes for MFA binding | +| Interaction.Register.Verification.BackupCode.Submit | Verify backup code | +| Interaction.Register.Verification.Totp.Create | Create TOTP verification secret for MFA binding | +| Interaction.Register.Verification.Totp.Submit | Verify TOTP verification code | +| 
Interaction.Register.Verification.Webauthn.Create | Create WebAuthn authentication | +| Interaction.Register.Verification.WebAuthn.Submit | Verify WebAuthn authentication | +| Interaction.SignIn.Verification.BackupCode.Create | Create backup codes for MFA binding | +| Interaction.SignIn.Verification.BackupCode.Submit | Verify backup code | +| Interaction.SignIn.Verification.Totp.Create | Create TOTP verification secret for MFA binding | +| Interaction.SignIn.Verification.Totp.Submit | Verify TOTP verification code | +| Interaction.SignIn.Verification.Webauthn.Create | Create WebAuthn authentication | +| Interaction.SignIn.Verification.WebAuthn.Submit | Verify WebAuthn authentication | + +## SAML application + +| Key | Name | +| ---------------------------- | ----------------------------------------------- | +| SamlApplication.AuthnRequest | Receive SAML application authentication request | +| SamlApplication.Callback | Handle SAML application callback | + +## Security + +| Key | Name | +| -------------------------- | -------------------- | +| Interaction.Create.Captcha | CAPTCHA verification | + +## Related resources + + + GitHub: Logto audit log events + diff --git a/docs/developers/user-impersonation.mdx b/docs/developers/user-impersonation.mdx index f2b121b598e..ea9177047e9 100644 --- a/docs/developers/user-impersonation.mdx +++ b/docs/developers/user-impersonation.mdx @@ -343,3 +343,9 @@ By customizing access token claims in this way, TechCorp can include valuable in :::note Be cautious when adding custom claims to your tokens. Avoid including sensitive information that could pose security risks if the token is intercepted or leaked. The JWTs are signed but not encrypted, so the claims are visible to anyone with access to the token. ::: + +## Related resources + + + What is impersonation in cybersecurity and identity management? How can AI agents use it? + 
diff --git a/docs/end-user-flows/README.mdx b/docs/end-user-flows/README.mdx index 678213411fc..1bde387cc65 100644 --- a/docs/end-user-flows/README.mdx +++ b/docs/end-user-flows/README.mdx @@ -18,6 +18,7 @@ End-user flows cover all verification processes for user interactions, categoriz | [Enterprise SSO](/end-user-flows/enterprise-sso) | | | [Multi-factor authentication](/end-user-flows/mfa) | | | [Authentication parameters](/end-user-flows/authentication-parameters) | | +| [Magic link (One-time token)](/end-user-flows/one-time-token) | | | Authorize third-party apps | | | [Sign-out](/end-user-flows/sign-out) | | diff --git a/docs/end-user-flows/consent-screen.mdx b/docs/end-user-flows/consent-screen.mdx index 9062de37641..d58548423f8 100644 --- a/docs/end-user-flows/consent-screen.mdx +++ b/docs/end-user-flows/consent-screen.mdx @@ -1,5 +1,5 @@ --- -sidebar_position: 5 +sidebar_position: 6 --- # Consent screen 
@@ -8,9 +8,9 @@ sidebar_position: 5 Imagine you are signing up to Logto using your Google account. When you click on the "Sign in with Google" button, you are redirected to Google's sign-in page. After you enter your Google credentials, you will be prompted to grant permission to Logto to access your Google account information. This is the user consent screen. -This page is what we call the user **consent screen** or **consent page**. It is a standard [OIDC / OAuth 2.0 flow](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications) that allows users to grant permissions to [third-party applications](/integrate-logto/third-party-applications) to access their data on their behalf. Its primary purpose is to inform users about the collection, processing, and usage of their personal data and to seek their explicit agreement or consent for these activities. +This page is what we call the user **consent screen** or **consent page**. It is a standard [OIDC / OAuth 2.0 flow](/integrate-logto/third-party-applications) that allows users to grant permissions to [third-party applications](/integrate-logto/third-party-applications) to access their data on their behalf. Its primary purpose is to inform users about the collection, processing, and usage of their personal data and to seek their explicit agreement or consent for these activities. -On a consent screen, users are typically presented with [information](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding#customize-the-branding-information) about the types of data that will be collected, how it will be used, and whether it will be shared with third parties. This information is crucial for transparency, allowing users to make informed decisions about their privacy and data security. 
+On a consent screen, users are typically presented with [information](/integrate-logto/third-party-applications/consent-screen-branding#customize-the-branding-information) about the types of data that will be collected, how it will be used, and whether it will be shared with third parties. This information is crucial for transparency, allowing users to make informed decisions about their privacy and data security. Consent pages are particularly important in the context of privacy regulations such as the General Data Protection Regulation ([GDPR](https://gdpr-info.eu/art-4-gdpr/)) in the European Union or the California Consumer Privacy Act ([CCPA](https://oag.ca.gov/privacy/ccpa)) in the United States, which require organizations to obtain clear and affirmative consent from users before processing their personal information. @@ -20,7 +20,7 @@ As previously mentioned, the consent screen appears when users sign in to Logto Consent screen Logto as SP -Similarly, in Logto, when Logto functions as the IdP, the consent screen is shown when users sign in to a [**OIDC / OAuth third-party application**](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications) integrated with Logto. This screen informs users about the data the application is requesting and seeks their permission to proceed. Users can review the requested permissions and decide whether to grant authorization to the application. +Similarly, in Logto, when Logto functions as the IdP, the consent screen is shown when users sign in to a [**OIDC / OAuth third-party application**](/integrate-logto/third-party-applications) integrated with Logto. This screen informs users about the data the application is requesting and seeks their permission to proceed. Users can review the requested permissions and decide whether to grant authorization to the application. Consent screen Logto as IdP 
@@ -28,7 +28,7 @@ Similarly, in Logto, when Logto functions as the IdP, the consent screen is show The Logto consent flow allows you to authorize logins from third-party applications. You can customize the branding and permission requests for each OIDC third-party application. -Learn more about setting up the [third-party application](/integrate-logto/third-party-applications/) and configuring the [consent](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding/) screen in Logto. +Learn more about setting up the [third-party application](/integrate-logto/third-party-applications/) and configuring the [consent](/integrate-logto/third-party-applications/consent-screen-branding/) screen in Logto. ## Related resources \{#related-resources} diff --git a/docs/end-user-flows/one-time-token.mdx b/docs/end-user-flows/one-time-token.mdx index 7fe5c3fa6da..505534d0a9a 100644 --- a/docs/end-user-flows/one-time-token.mdx +++ b/docs/end-user-flows/one-time-token.mdx @@ -1,5 +1,5 @@ --- -sidebar_position: 6 +sidebar_position: 5 --- # Magic link (One-time token) diff --git a/docs/end-user-flows/organization-experience/README.mdx b/docs/end-user-flows/organization-experience/README.mdx index 6e5398da964..120641a45f2 100644 --- a/docs/end-user-flows/organization-experience/README.mdx +++ b/docs/end-user-flows/organization-experience/README.mdx @@ -51,3 +51,9 @@ import OrganizationIcon from '@site/src/assets/organization.svg'; }, ]} /> + +## Related resources + + + Build a multi-tenant SaaS application: A complete guide from design to implementation + diff --git a/docs/integrate-logto/saml-app/README.mdx b/docs/integrate-logto/saml-app/README.mdx index 4d7a2bfd3a8..607d23b2ba9 100644 --- a/docs/integrate-logto/saml-app/README.mdx +++ b/docs/integrate-logto/saml-app/README.mdx 
@@ -2,7 +2,7 @@ sidebar_position: 3 --- -# SAML App +# SAML app Logto supports integration as an [Identity Provider (IdP)](https://auth.wiki/identity-provider) with SAML protocol-based applications [Service Provider, SP](https://auth.wiki/service-provider). Through SAML app integration, you can provide enterprise users with a secure, standardized Single Sign-On (SSO) experience. diff --git a/docs/integrate-logto/third-party-applications/README.mdx b/docs/integrate-logto/third-party-applications/README.mdx index 00862c290d6..68ac0323549 100644 --- a/docs/integrate-logto/third-party-applications/README.mdx +++ b/docs/integrate-logto/third-party-applications/README.mdx @@ -1,11 +1,12 @@ --- -description: Use Logto to create your own Identity Provider and enable SSO for third-party applications. Effortlessly integrate OIDC, OAuth, or SAML application. +description: Use Logto to create your own Identity Provider and enable SSO for third-party applications. Effortlessly integrate OIDC / OAuth application. sidebar_position: 4 --- -import OidcIcon from '@site/src/assets/oidc.svg'; +import AuthorizationIcon from '@site/src/assets/authorization.svg'; +import CustomizationIcon from '@site/src/assets/customization.svg'; -# Third-party applications +# Third-party app (OAuth / OIDC) Logto's third-party application integration enables you to leverage Logto as an [Identity Provider (IdP)](https://auth.wiki/identity-provider) for external applications. 
@@ -15,6 +16,10 @@ Unlike the applications you created in the [Integrate Logto into your applicatio This integration approach is well-suited for common business scenarios. You can enable users to access partner applications using their Logto accounts, just like how enterprise users sign in to Slack with Google Workspace. You can also build an open platform where third-party applications can add "Sign in with Logto" functionality, similar to "Sign in with Google." +Logto is an identity service built on the [OpenID Connect (OIDC)](https://auth.wiki/openid-connect) protocol, providing both [authentication](https://auth.wiki/authentication) and [authorization](https://auth.wiki/authorization) capabilities. This make integrating an OIDC third-party app as straightforward as traditional web application. + +Thus due to OIDC builds upon [OAuth 2.0](https://auth.wiki/oauth-2.0) adding an authentication layer, you can also integrate third-party app using OAuth protocol. + ## Create an third-party application in Logto \{#create-an-third-party-application-in-logto} 1. Go to Console > Applications 
@@ -24,21 +29,65 @@ This integration approach is well-suited for common business scenarios. You can All created third-party applications will be catalogued on the Applications page under the "Third-party apps" tab. This arrangement helps you distinguish them from your own applications, making it easier to manage all your applications in one place. -## Setup the third-party application configurations \{#setup-the-third-party-application-configurations} +## Set up the OIDC configurations \{#set-up-the-oidc-configurations} + +:::note +Before setting up the OIDC configurations, please ensure you've [created an OIDC third-party application](/quick-starts/third-party-oidc). +::: + +1. Provide the [**redirect URI**](/integrate-logto/application-data-structure#redirect-uris) of your OIDC third-party application. This is the URL that the third-party application will redirect users to after they are authenticated by Logto. + You can usually find this information in the third-party application's IdP connection settings page. + +2. Retrieve the [**client ID**](/integrate-logto/application-data-structure#application-id) and [**client secret**](/integrate-logto/application-data-structure#application-secret) from Logto application details page and enter them into your service provider's IdP connection settings page. + +3. Retrieve the [**authorization endpoint**](/integrate-logto/application-data-structure#authorization-endpoint) and [**token endpoint**](/integrate-logto/application-data-structure#token-endpoint) from Logto application details page and provide them to your service provider. + If your service provider supports OIDC discovery, you can simply copy the **discovery endpoint** from Logto application details page and provide it to your service provider. The service provider will be able to retrieve all the up to date OIDC authentication information from the discovery endpoint automatically. 
+ Otherwise, click on the **Show endpoint details** button to view all the OIDC authentication endpoints. + +## Consent screen for OIDC third-party applications \{#consent-screen-for-oidc-third-party-applications} + +For security reasons, all the OIDC third-party applications will be redirected to a [consent screen](/end-user-flows/consent-screen) for user authorization after they are authenticated by Logto. + +All the third-party requested [user profile permissions](/integrate-logto/third-party-applications/permission-management#user-permissions-user-profile-scopes), [API resource scopes](/integrate-logto/third-party-applications/permission-management#api-resource-permissions-api-resource-scopes), [organization permissions](/integrate-logto/third-party-applications/permission-management#organization-permissions-organization-scopes), and organization membership information will be displayed on the consent screen. + +These requested permissions will be granted to the third-party applications only after the user clicks on the "Authorize" button. -Based on the protocol type you selected when creating the third-party application, you can follow one of these guides to setup your third-party application: +
+ consent screen +
+ +## Further actions \{#further-actions} , + }, + }, + { + type: 'link', + label: 'Consent screen branding', + href: '/integrate-logto/third-party-applications/consent-screen-branding', description: - 'Set up OpenID Conenct (OIDC) or OAuth configurations for your third-party application to integrate with Logto.', + 'Personalize the consent screen appearance to match your brand identity and provide a consistent user experience.', customProps: { - icon: , + icon: , }, }, ]} /> + +## Related resources \{#related-resources} + + + Use case: Integrate Apache Answer to launch a community for your users + + + + Using Logto as an third-party identity provider (IdP) + diff --git a/docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding.mdx b/docs/integrate-logto/third-party-applications/consent-screen-branding.mdx similarity index 100% rename from docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding.mdx rename to docs/integrate-logto/third-party-applications/consent-screen-branding.mdx diff --git a/docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/README.mdx b/docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/README.mdx deleted file mode 100644 index 15b6ee1352c..00000000000 --- a/docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/README.mdx +++ /dev/null 
@@ -1,71 +0,0 @@ ---- -description: Integrate third-party OIDC / OAuth applications and provide OAuth authorization with a consent screen. ---- - -import AuthorizationIcon from '@site/src/assets/authorization.svg'; -import CustomizationIcon from '@site/src/assets/customization.svg'; - -# OIDC / OAuth third-party applications - -Logto is an identity service built on the [OpenID Connect (OIDC)](https://auth.wiki/openid-connect) protocol, providing both [authentication](https://auth.wiki/authentication) and [authorization](https://auth.wiki/authorization) capabilities. This make integrating an OIDC third-party app as straightforward as traditional web application. - -Thus due to OIDC builds upon [OAuth 2.0](https://auth.wiki/oauth-2.0) adding an authentication layer, you can also integrate third-party app using OAuth protocol. - -## Set up the OIDC configurations \{#set-up-the-oidc-configurations} - -:::note -Before setting up the OIDC configurations, please ensure you've [created an OIDC third-party application](/quick-starts/third-party-oidc). -::: - -1. Provide the [**redirect URI**](/integrate-logto/application-data-structure#redirect-uris) of your OIDC third-party application. This is the URL that the third-party application will redirect users to after they are authenticated by Logto. - You can usually find this information in the third-party application's IdP connection settings page. - -2. Retrieve the [**client ID**](/integrate-logto/application-data-structure#application-id) and [**client secret**](/integrate-logto/application-data-structure#application-secret) from Logto application details page and enter them into your service provider's IdP connection settings page. - -3. Retrieve the [**authorization endpoint**](/integrate-logto/application-data-structure#authorization-endpoint) and [**token endpoint**](/integrate-logto/application-data-structure#token-endpoint) from Logto application details page and provide them to your service provider. 
- If your service provider supports OIDC discovery, you can simply copy the **discovery endpoint** from Logto application details page and provide it to your service provider. The service provider will be able to retrieve all the up to date OIDC authentication information from the discovery endpoint automatically. - Otherwise, click on the **Show endpoint details** button to view all the OIDC authentication endpoints. - -## Consent screen for OIDC third-party applications \{#consent-screen-for-oidc-third-party-applications} - -For security reasons, all the OIDC third-party applications will be redirected to a [consent screen](/end-user-flows/consent-screen) for user authorization after they are authenticated by Logto. - -All the third-party requested [user profile permissions](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management#user-permissions-user-profile-scopes), [API resource scopes](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management#api-resource-permissions-api-resource-scopes), [organization permissions](/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management#organization-permissions-organization-scopes), and organization membership information will be displayed on the consent screen. - -These requested permissions will be granted to the third-party applications only after the user clicks on the "Authorize" button. - -
- consent screen -
- -## Further actions \{#further-actions} - -, - }, - }, - { - type: 'link', - label: 'Consent screen branding', - href: '/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding', - description: - 'Personalize the consent screen appearance to match your brand identity and provide a consistent user experience.', - customProps: { - icon: , - }, - }, - ]} -/> - -## Related resources \{#related-resources} - - - Using Logto as an third-party identity provider (IdP) - diff --git a/docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management.mdx b/docs/integrate-logto/third-party-applications/permission-management.mdx similarity index 100% rename from docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management.mdx rename to docs/integrate-logto/third-party-applications/permission-management.mdx diff --git a/docs/introduction/README.mdx b/docs/introduction/README.mdx index 1e7db73c70b..9d8b66d13ae 100644 --- a/docs/introduction/README.mdx +++ b/docs/introduction/README.mdx 
@@ -4,13 +4,18 @@ description: Quickly launch your identity and access management system by integr import AuditLogIcon from '@site/src/assets/audit-log.svg'; import AuthorizationIcon from '@site/src/assets/authorization.svg'; +import BlockUserIcon from '@site/src/assets/block-user.svg'; +import CheckboxIcon from '@site/src/assets/checkbox.svg'; import CloudIcon from '@site/src/assets/cloud.svg'; import LogtoConsoleIcon from '@site/src/assets/console.svg'; import ExperienceIcon from '@site/src/assets/experience.svg'; import GearPlusIcon from '@site/src/assets/gear-plus.svg'; import GearIcon from '@site/src/assets/gear.svg'; import ImpersonationIcon from '@site/src/assets/impersonation.svg'; +import KeyIcon from '@site/src/assets/key.svg'; +import LinkIcon from '@site/src/assets/link.svg'; import LockIcon from '@site/src/assets/lock.svg'; +import LockoutIcon from '@site/src/assets/lockout.svg'; import LogtoApiIcon from '@site/src/assets/logto-api.svg'; import OpenSourceIcon from '@site/src/assets/open-source.svg'; import OrganizationIcon from '@site/src/assets/organization.svg'; @@ -48,6 +53,10 @@ Welcome to Logto documentation! Logto is an identity and access management (IAM) icon: , docId: 'end-user-flows/authentication-parameters/README', }, + { + icon: , + docId: 'end-user-flows/one-time-token', + }, { icon: , docId: 'end-user-flows/consent-screen', @@ -71,6 +80,28 @@ Welcome to Logto documentation! Logto is an identity and access management (IAM) ]} />
+, + docId: 'security/password-policy', + }, + { + icon: , + docId: 'security/captcha/README', + }, + { + icon: , + docId: 'security/blocklist', + }, + { + icon: , + docId: 'security/identifier-lockout', + }, + ]} +/> +
, - docId: 'developers/audit-logs', + docId: 'developers/audit-logs/README', }, ]} /> diff --git a/docs/introduction/set-up-logto-oss.mdx b/docs/introduction/set-up-logto-oss.mdx index 2d94ecc633f..d771eeab08c 100644 --- a/docs/introduction/set-up-logto-oss.mdx +++ b/docs/introduction/set-up-logto-oss.mdx @@ -39,3 +39,7 @@ Read the [guide on upgrading](/logto-oss/upgrading-oss-version) to learn how to ## Contributing to Logto OSS \{#contributing-to-logto-oss} Thank you for your interest in contributing to Logto! Here is the [contribution guideline](/logto-oss/contribution). + +## Related resources + +Logto OSS vs. Logto Cloud diff --git a/docs/logto-cloud/billing-and-pricing.mdx b/docs/logto-cloud/billing-and-pricing.mdx index ca677e94c50..c453781f93d 100644 --- a/docs/logto-cloud/billing-and-pricing.mdx +++ b/docs/logto-cloud/billing-and-pricing.mdx 
@@ -30,15 +30,16 @@ Keep in mind that only a few features are part of the add-on structure. At the same time, Logto also offers a pay-as-you-go and pro-rated pricing model to ensure you get the most out of our service conveniently. -| | Included quota | Addition cost | -| ------------------------------- | -------------- | ------------------------ | -| **Tokens** | 100K | $0.08 per mo / 100 after | -| **Machine-to-machine apps** | 1 | $8 **_each_** per month | -| **API resources** | 3 | $4 **_each_** per month | -| **Enterprise SSO** | 0 | $48 **_each_** per month | -| **Multi-factor authentication** | _N/A_ | $48 per month | -| **Organization** | Unlimited | $48 per month | -| **Tenant members** | 3 | $8 **_each_** per month | +| | Included quota | Addition cost | +| ------------------------------- | ------------------------------------------------------- | ------------------------ | +| **Tokens** | 100K | $0.08 per mo / 100 after | +| **Machine-to-machine apps** | 1 | $8 **_each_** per month | +| **API resources** | 3 | $4 **_each_** per month | +| **Enterprise SSO** | 0 | $48 **_each_** per month | +| **Multi-factor authentication** | _N/A_ | $48 per month | +| **Organization** | Unlimited organizations & All the organization features | $48 per month | +| **Advanced security bundle** | All advanced security features | $48 per month | +| **Tenant members** | 3 | $8 **_each_** per month | If we take those factors into consideration, the algorithm is 
@@ -138,3 +139,7 @@ To provide you with a stable and predictable billing experience, we will grandfa Logto uses token-based authentication. A single-user sign-in one time might involve consuming two or three tokens: ID token, Access token, and Refresh token. If you use features like M2M or Organization, additional tokens, such as M2M tokens or Organization tokens, may also be involved. Token consumption depends on how users interact with your system. To help you track this, we offer real-time token usage monitoring in the Console > Dashboard. Here is an example: our free plan offers 100k tokens for free, which can support approximately around 30k-50k MAU (Monthly Active Users). + +## Related resources + +Logto pricing table in detail diff --git a/docs/logto-cloud/tenant-settings.mdx b/docs/logto-cloud/tenant-settings.mdx index 422c648cd81..51fb8527b0a 100644 --- a/docs/logto-cloud/tenant-settings.mdx +++ b/docs/logto-cloud/tenant-settings.mdx 
@@ -10,17 +10,21 @@ sidebar_position: 2 When you create a tenant, you can choose the region where the tenant data is stored. It cannot be changed after the tenant is created. Here are the available regions: -- EU (Netherlands) -- US (West United States) -- AU (Australia) +- Europe (Netherlands) +- West US (Arizona) +- Australia (Australia East) +- Japan (Japan East) Usually, you should choose the region closest to your customers to minimize latency and improve performance. Logto leverages the global edge network to deliver the best performance and availability for your applications. The request routing is optimized to ensure that your users are always connected with the best-performing option. :::note -Looking for another region? Please [contact us](https://logto.io/contact). -::: +Looking for another region? [Get in touch with us](https://logto.io/contact) to: + +- Request a new public cloud region +- Inquire about a Logto Private Cloud deployment in your preferred location + ::: ## Tenant types: Dev vs. Prod \{#tenant-types-dev-vs-prod} @@ -68,3 +72,9 @@ However, there are certain limitations that apply to development tenants: ## Production \{#production} The production tenant is where end-users access the live app and you might need a [paid subscription](https://logto.io/pricing). You can subscribe to the Free plan or Pro plan to create a production tenant. If you subscribe to the Free plan, you can only create up to 10 tenants. + +## Related resources + + + Protect your identities in local regions and dedicated computing resources + diff --git a/docs/logto-oss/README.mdx b/docs/logto-oss/README.mdx index 1dfd068cf58..624a34bd5f8 100644 --- a/docs/logto-oss/README.mdx +++ b/docs/logto-oss/README.mdx 
@@ -138,3 +138,7 @@ Tips: Multi-tenancy, member invitations, and MFA are not available for your team ## Contributing to Logto OSS \{#contributing-to-logto-oss} Thank you for your interest in contributing to Logto! Here is the [contribution guideline](/logto-oss/contribution). + +## Related resources + +Logto OSS vs. Logto Cloud diff --git a/docs/organizations/README.mdx b/docs/organizations/README.mdx index ef404d375bc..8a7a8c4202f 100644 --- a/docs/organizations/README.mdx +++ b/docs/organizations/README.mdx @@ -102,3 +102,9 @@ For more planning resources, explore these two sections for ideas and inspiratio }, ]} /> + +## Related resources + + + Build a multi-tenant SaaS application: A complete guide from design to implementation + diff --git a/docs/quick-starts/third-party/oidc/README.mdx b/docs/quick-starts/third-party/oidc/README.mdx index 7fda92c27ea..79fd1235872 100644 --- a/docs/quick-starts/third-party/oidc/README.mdx +++ b/docs/quick-starts/third-party/oidc/README.mdx @@ -46,6 +46,4 @@ All third-party applications will be catalogued on the **Applications** page, sp Third-party applications - - OIDC / OAuth third-party applications - +OIDC / OAuth third-party applications diff --git a/docs/security/README.mdx b/docs/security/README.mdx index a4bfd3dcaeb..32b27a35efb 100644 --- a/docs/security/README.mdx +++ b/docs/security/README.mdx @@ -2,7 +2,7 @@ import BlockUserIcon from '@site/src/assets/block-user.svg'; import CheckboxIcon from '@site/src/assets/checkbox.svg'; import HideIcon from '@site/src/assets/hide.svg'; import KeyIcon from '@site/src/assets/key.svg'; -import LockIcon from '@site/src/assets/lock.svg'; +import LockIcon from '@site/src/assets/lockout.svg'; import SecurityIcon from '@site/src/assets/security.svg'; import SendEmailIcon from '@site/src/assets/send-mail.svg'; import SuspendIcon from '@site/src/assets/suspend.svg'; 
@@ -37,6 +37,16 @@ Logto delivers robust secure access management designed to counter these risks h icon: , }, }, + { + type: 'link', + label: 'Blocklist', + href: '/security/blocklist', + description: + 'Take control of your user base by blocking disposable or unwanted email domains or addresses.', + customProps: { + icon: , + }, + }, { type: 'link', label: 'Identifier lockout', @@ -57,16 +67,6 @@ Logto delivers robust secure access management designed to counter these risks h icon: , }, }, - { - type: 'link', - label: 'Blocklist (Coming soon)', - href: '/security', - description: - 'Take control of your user base by blocking disposable or unwanted email domains or addresses.', - customProps: { - icon: , - }, - }, ]} /> diff --git a/docs/security/blocklist.md b/docs/security/blocklist.md index 6447c77d9ec..bc5e9ab9707 100644 --- a/docs/security/blocklist.md +++ b/docs/security/blocklist.md @@ -12,6 +12,10 @@ The email blocklist policy allows customization of email blocklist settings to p Visit the Console > Security > Blocklist to configure the email blocklist settings. +### Block disposable email addresses {#block-disposable-email-addresses} + +This is a **cloud-only** feature. Once enabled, the system will automatically validates the domain of the provided email address against a list of known disposable email domains. If the domain is found in the list, the request will be rejected. The list of disposable email domains is regularly updated to ensure its effectiveness. + ### Block email subaddressing {#block-email-subaddressing} Email subaddressing allows users to create variations of their email addresses by adding a plus sign (+) followed by additional characters (e.g., user+tag@example.com). This feature can be exploited by malicious users to bypass blocklist restrictions. By enabling the block email subaddressing feature, the system will reject any sign-up or account linking attempts that utilize subaddressed email formats. 
@@ -22,6 +26,15 @@ You can create a custom email blocklist by specifying a list of email addresses For instance, adding `@example.com` to the blocklist will block all email addresses with that domain. Similarly, adding `foo@example.com` will specifically block that email address. -### Block disposable email addresses {#block-disposable-email-addresses} +:::note -This is a **cloud-only** feature. Once enabled, the system will automatically validates the domain of the provided email address against a list of known disposable email domains. If the domain is found in the list, the request will be rejected. The list of disposable email domains is regularly updated to ensure its effectiveness. +Disposable emails, subaddressing, and custom email are restricted during registration and account linking. Existing users with these email addresses can still sign in. + +- Admins can "bypass restrictions" by manually adding users in Console > User management, or via [Management API](https://openapi.logto.io/operation/operation-createuser). E.g., Create an user with a subaddress email when subaddressing is blocked. +- Block exsiting accounts by deleting or suspending them in Console > User management. + +::: + +## Related resources + +What is disposable email? How to handle them in your app? diff --git a/docs/security/identifier-lockout.mdx b/docs/security/identifier-lockout.mdx index e02e19cec9f..f435177b29e 100644 --- a/docs/security/identifier-lockout.mdx +++ b/docs/security/identifier-lockout.mdx @@ -1,6 +1,7 @@ --- slug: /security/identifier-lockout sidebar_label: Identifier Lockout +sidebar_position: 4 --- # Identifier lockout diff --git a/docs/user-management/personal-access-token.mdx b/docs/user-management/personal-access-token.mdx index f09b5b7d498..d4acfdc638e 100644 --- a/docs/user-management/personal-access-token.mdx +++ b/docs/user-management/personal-access-token.mdx 
@@ -84,6 +84,10 @@ The example access token payload: ## Related resources \{#related-resources} + + What is personal access token? When should I use personal access tokens? + + Personal Access Tokens, Machine-to-Machine authentication, and API Keys definition and their real-world scenarios diff --git a/static/_redirects-docs b/static/_redirects-docs index e5660fbf950..eead8480b52 100644 --- a/static/_redirects-docs +++ b/static/_redirects-docs @@ -95,6 +95,11 @@ /docs/recipes/logto-as-idp/configure-3rd-party-app-in-console/ /integrate-logto/third-party-applications/oidc-oauth-third-party-applications 301 /docs/recipes/logto-as-idp/permissions-management /integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management 301 /docs/recipes/logto-as-idp/permissions-management/ /integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management 301 + +/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding /integrate-logto/third-party-applications/consent-screen-branding 301 +/integrate-logto/third-party-applications/oidc-oauth-third-party-applications /integrate-logto/third-party-applications 301 +/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management /integrate-logto/third-party-applications/permission-management 301 + /docs/recipes/manage-users /user-management 301 /docs/recipes/manage-users/ /user-management 301 /docs/recipes/manage-users/admin-console /user-management/manage-users#manage-via-logto-console 301
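Review bot: The pricing table hunk in docs/logto-cloud/billing-and-pricing.mdx keeps the header cell "Addition cost" while rewriting the header row; since the row is being touched anyway, correct it to "Additional cost". The "Tokens" row's "$0.08 per mo / 100 after" is also ambiguous about what the unit is (per 100 tokens per month beyond the 100K quota?); spelling that out, e.g. "$0.08 per month per additional 100 tokens", would match the precision of the new "Advanced security bundle" row.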
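Review bot: In the docs/logto-cloud/tenant-settings.mdx hunk, the closing admonition fence after "Inquire about a Logto Private Cloud deployment in your preferred location" appears as `+ :::` (indented by one space) rather than `+:::`; please confirm it still closes the `:::note` block rather than being swallowed into the preceding list item, and drop the leading space if it does not. The rest of the note rewrite is fine, but "Get in touch with us" reads better as "contact us", the wording used in the line it replaces.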
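Review bot: In the docs/security/README.mdx import hunk, the identifier `LockIcon` is now bound to `lockout.svg` (`-import LockIcon from '@site/src/assets/lock.svg';` / `+import LockIcon from '@site/src/assets/lockout.svg';`), which leaves a name that contradicts its file. The introduction/README.mdx hunk in this same patch imports that asset as `LockoutIcon`; rename it here to match, and update the Identifier lockout card that uses it.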
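Review bot: The first docs/security/blocklist.md hunk moves the "Block disposable email addresses" section but carries the grammar error in the added line with it: "the system will automatically validates the domain" should be "the system will automatically validate the domain". Worth fixing while the line is being added rather than moved verbatim.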
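Review bot: The new `:::note` in the second docs/security/blocklist.md hunk has two typos and one imprecise term: "Block exsiting accounts" should be "Block existing accounts", "Create an user" should be "Create a user", and "Disposable emails, subaddressing, and custom email are restricted" should name the feature, e.g. "custom blocklist entries", since "custom email" on its own does not say what is restricted. The substance of the note is the right caveat to document: the blocklist applies only at registration and account linking, existing users keep signing in, and the Console and Management API bypass it, so the only way to close those accounts is to suspend or delete them; consider stating that last consequence explicitly rather than as a bullet labelled "bypass restrictions".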
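Review bot: The three new rules in the static/_redirects-docs hunk create redirect chains: the unchanged context lines just above still send `/docs/recipes/logto-as-idp/permissions-management` (and its trailing-slash variant and the `configure-3rd-party-app-in-console` entries) to `/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/...`, which the new rules then redirect a second time. Update those legacy rules to point directly at the new `/integrate-logto/third-party-applications/...` destinations so old links resolve in one hop; the new rules also have no trailing-slash variants, unlike every legacy rule in the file, so add `.../consent-screen-branding/`, `.../oidc-oauth-third-party-applications/` and `.../permission-management/` entries for consistency.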
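Review bot: The "## Related resources" heading added in the docs/introduction/set-up-logto-oss.mdx hunk lacks the explicit anchor used by the existing headings in this patch (`## Related resources \{#related-resources}` in the RBAC, third-party application and personal-access-token files); the same omission recurs in the billing-and-pricing, tenant-settings, logto-oss/README and organizations hunks. Add `\{#related-resources}` to each so the anchor is stable across all pages.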