refactor: update security and more #1115

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: master
4 changes: 4 additions & 0 deletions docs/authorization/role-based-access-control/README.mdx
Expand Up @@ -96,6 +96,10 @@ Note the order admin shares the permission `read:product` with the product admin

## Related resources \{#related-resources}

<Url href="https://blog.logto.io/rbac-in-practice">
RBAC in practice: A step-by-step guide to implement secure authorization for your application
</Url>

<Url href="https://blog.logto.io/mastering-rbac">
Mastering RBAC in Logto: A Comprehensive Real-World Example
</Url>
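Review bot: the `## Related resources \{#related-resources}` heading in this hunk carries an explicit anchor, while the same `## Related resources` heading added by this PR to event-types.mdx and user-impersonation.mdx has none; pick one convention so that links to `#related-resources` resolve the same way on every page.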
3 changes: 2 additions & 1 deletion docs/connectors/enterprise-connectors.mdx
Expand Up @@ -90,7 +90,7 @@ If our standard connectors don't meet your specific requirements, don't hesitate
3. Provide a unique name (e.g., Okta for Acme Company).
4. Configure the connection with your IdP in the "Connection" tab. Check the guides above for each connector types.
5. Customize the SSO experience and **email domain** in the "Experience" tab.
6. For the SAML enterprise connector, enabling IdP-initiated SSO in the "IdP-initiated SSO" tab is optional. Refer to the guide for details.
6. For the SAML enterprise connector, enabling IdP-initiated SSO in the "IdP-initiated SSO" tab is optional. [Refer to the guide](/end-user-flows/enterprise-sso/idp-initiated-sso) for details.
7. Save changes.

Please note the following settings:
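Review bot: step 6 now links to `/end-user-flows/enterprise-sso/idp-initiated-sso`, which matches the path used for IdP-initiated SSO in the end-user-flows README table, so the reference is consistent. While touching this list, step 4's "Check the guides above for each connector types" should read "for each connector type".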
Expand Down Expand Up @@ -138,3 +138,4 @@ Logto provides an entry point for configuring SSO connector JIT provisioning wit

<Url href="https://blog.logto.io/idp-vs-sp-initiated-sso">IdP-initiated SSO & SP-initiated SSO</Url>
<Url href="https://blog.logto.io/differences-between-saml-and-oidc">SAML vs. OpenID Connect</Url>
<Url href="https://blog.logto.io/sso-vs-saml">SAML vs. SSO</Url>
Original file line number Diff line number Diff line change
@@ -1,7 +1,4 @@
---
id: audit-logs
title: Audit logs
sidebar_label: Audit logs
sidebar_position: 6
---

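Review bot: the hunk header `@@ -1,7 +1,4 @@` shows three frontmatter lines dropped from the fields visible here (`id: audit-logs`, `title: Audit logs`, `sidebar_label: Audit logs`, `sidebar_position: 6`). Removing an explicit `id` changes the doc identifier unless the file path already yields `audit-logs`, and dropping `sidebar_position` hands ordering to the directory's category config; since the new event-types page lives under `/developers/audit-logs/`, confirm that existing links to the audit logs page still resolve and that it keeps its place in the sidebar.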
Expand All @@ -21,7 +18,7 @@ Audit logs only contain logs that occur during user authentication process, logs

Logto's logs offer comprehensive details, ensuring ease of action and customer safety. They capture and record the following information:

- Type of event (full list of audit log events can be found [here](https://github.com/logto-io/logto/blob/master/packages/console/src/consts/logs.ts))
- Type of event (full list of audit log events can be found [here](/developers/audit-logs/event-types))
- Application involved
- IP address
- User involved
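Review bot: the link text is still "here"; this bullet is the only pointer to the event list, so use descriptive link text such as "event types" that survives out of context. The previous GitHub `logs.ts` link is retained on the new event-types page under Related resources, so nothing is lost by retargeting this one to `/developers/audit-logs/event-types`.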
148 changes: 148 additions & 0 deletions docs/developers/audit-logs/event-types.mdx
@@ -0,0 +1,148 @@
---
sidebar_label: Event types
---

# Event types of audit logs

You can filter event types in <CloudLink to="/audit-logs">Logto Console > Audit Logs</CloudLink>.

:::note

Logto now supports retrieving logs related to end-user interactions via the [Experience APIs](https://openapi.logto.io/group/endpoint-experience).

Audit logs for [Management APIs](/integrate-logto/interact-with-management-api) and [Account APIs](https://openapi.logto.io/group/endpoint-account-center) are coming soon.

Feel free to [contact us](https://logto.io/contact) if you’d like to share your requirements.

:::

## Exchange token

| Key | Name |
| --------------------------------- | ------------------------------------ |
| ExchangeTokenBy.AuthorizationCode | Exchange token by Code |
| ExchangeTokenBy.ClientCredentials | Exchange token by Client Credentials |
| ExchangeTokenBy.RefreshToken | Exchange token by Refresh Token |
| ExchangeTokenBy.TokenExchange | Token exchange |

## Custom token claims

| Key | Name |
| ------------------------------ | ----------------------------------- |
| JwtCustomizer.AccessToken | Get custom user access token claims |
| JwtCustomizer.ClientCredential | Get custom M2M access token claims |

## Interaction lifecycle

| Key | Name |
| ------------------ | ------------------- |
| Interaction.Create | Interaction started |
| Interaction.End | Interaction ended |

## Register

| Key | Name |
| -------------------------------------------------------------- | ---------------------------------------------------------- |
| Interaction.Register.Create | Create new register interaction |
| Interaction.Register.Submit | Submit register interaction |
| Interaction.Register.Update | Update register interaction |
| Interaction.Register.Identifier.Submit | Create and identify new user for register interaction |
| Interaction.Register.Identifier.VerificationCode.Create | Create and send register identifier with verification code |
| Interaction.Register.Identifier.VerificationCode.Submit | Submit and verify register verification code |
| Interaction.Register.Verification.NewPassword.Submit | Create new password identity for register |
| Interaction.Register.Verification.Password.Submit | Create and verify identifier with password verification |
| Interaction.Register.Verification.EmailVerificationCode.Create | Create and send register email verification code |
| Interaction.Register.Verification.EmailVerificationCode.Submit | Verify register email verification code |
| Interaction.Register.Verification.SmsVerificationCode.Create | Create and send register SMS verification code |
| Interaction.Register.Verification.SmsVerificationCode.Submit | Verify register SMS verification code |
| Interaction.Register.Verification.Social.Create | Create social authentication URL |
| Interaction.Register.Verification.Social.Submit | Verify social authentication |
| Interaction.Register.Verification.EnterpriseSso.Create | Create enterprise SSO authentication URL |
| Interaction.Register.Verification.EnterpriseSso.Submit | Verify enterprise SSO authentication |
| Interaction.Register.Profile.Create | Put new register interaction profile |
| Interaction.Register.Profile.Delete | Delete register interaction profile |
| Interaction.Register.Profile.Update | Patch update register interaction profile |

## Sign in

| Key | Name |
| ------------------------------------------------------------ | ----------------------------------------------------------- |
| Interaction.SignIn.Create | Create new sign-in interaction |
| Interaction.SignIn.Submit | Submit sign-in interaction |
| Interaction.SignIn.Update | Update sign-in interaction |
| Interaction.SignIn.Identifier.Submit | Identify user for sign-in interaction |
| Interaction.SignIn.Identifier.Password.Submit | Submit sign-in identifier with password |
| Interaction.SignIn.Verification.NewPassword.Submit | Create new password identity for register |
| Interaction.SignIn.Verification.Password.Submit | Create and verify identifier with password verification |
| Interaction.SignIn.Identifier.VerificationCode.Create | Create and send sign-in verification code |
| Interaction.SignIn.Identifier.VerificationCode.Submit | Submit and verify sign-in identifier with verification code |
| Interaction.SignIn.Verification.EmailVerificationCode.Create | Create and send sign-in email verification code |
| Interaction.SignIn.Verification.EmailVerificationCode.Submit | Verify sign-in email verification code |
| Interaction.SignIn.Verification.SmsVerificationCode.Create | Create and send sign-in SMS verification code |
| Interaction.SignIn.Verification.SmsVerificationCode.Submit | Verify sign-in SMS verification code |
| Interaction.SignIn.Identifier.Social.Create | Create social sign-in authorization-url |
| Interaction.SignIn.Identifier.Social.Submit | Authenticate and submit social identifier |
| Interaction.SignIn.Verification.Social.Create | Create social authentication URL |
| Interaction.SignIn.Verification.Social.Submit | Verify social authentication |
| Interaction.SignIn.Identifier.SingleSignOn.Create | Create single-sign-on authentication session |
| Interaction.SignIn.Identifier.SingleSignOn.Submit | Submit single-sign-on authentication interaction |
| Interaction.SignIn.Verification.EnterpriseSso.Create | Create enterprise SSO authentication URL |
| Interaction.SignIn.Verification.EnterpriseSso.Submit | Verify enterprise SSO authentication |
| Interaction.SignIn.Verification.IdpInitiatedSso.Create | Create IdP-initiated SAML SSO authentication session |
| Interaction.SignIn.Profile.Create | Put new sign-in interaction profile |
| Interaction.SignIn.Profile.Delete | Delete sign-in interaction profile |
| Interaction.SignIn.Profile.Update | Patch update sign-in interaction profile |

## Forgot password

| Key | Name |
| -------------------------------------------------------------------- | ------------------------------------------------------- |
| Interaction.ForgotPassword.Create | Create new forgot-password interaction |
| Interaction.ForgotPassword.Submit | Submit forgot-password interaction |
| Interaction.ForgotPassword.Update | Update forgot-password interaction |
| Interaction.ForgotPassword.Identifier.Submit | Identify user for forgot-password interaction |
| Interaction.ForgotPassword.Identifier.VerificationCode.Create | Create and send forgot-password verification code |
| Interaction.ForgotPassword.Identifier.VerificationCode.Submit | Submit and verify forgot-password verification code |
| Interaction.ForgotPassword.Verification.EmailVerificationCode.Create | Create and send forgot-password email verification code |
| Interaction.ForgotPassword.Verification.EmailVerificationCode.Submit | Verify forgot-password email verification code |
| Interaction.ForgotPassword.Verification.SmsVerificationCode.Create | Create and send forgot-password SMS verification code |
| Interaction.ForgotPassword.Verification.SmsVerificationCode.Submit | Verify forgot-password SMS verification code |
| Interaction.ForgotPassword.Profile.Create | Put new forgot-password interaction profile |
| Interaction.ForgotPassword.Profile.Delete | Delete forgot-password interaction profile |
| Interaction.ForgotPassword.Profile.Update | Patch update forgot-password interaction profile |

## MFA

| Key | Name |
| --------------------------------------------------- | ----------------------------------------------- |
| Interaction.Register.Verification.BackupCode.Create | Create backup codes for MFA binding |
| Interaction.Register.Verification.BackupCode.Submit | Verify backup code |
| Interaction.Register.Verification.Totp.Create | Create TOTP verification secret for MFA binding |
| Interaction.Register.Verification.Totp.Submit | Verify TOTP verification code |
| Interaction.Register.Verification.Webauthn.Create | Create WebAuthn authentication |
| Interaction.Register.Verification.WebAuthn.Submit | Verify WebAuthn authentication |
| Interaction.SignIn.Verification.BackupCode.Create | Create backup codes for MFA binding |
| Interaction.SignIn.Verification.BackupCode.Submit | Verify backup code |
| Interaction.SignIn.Verification.Totp.Create | Create TOTP verification secret for MFA binding |
| Interaction.SignIn.Verification.Totp.Submit | Verify TOTP verification code |
| Interaction.SignIn.Verification.Webauthn.Create | Create WebAuthn authentication |
| Interaction.SignIn.Verification.WebAuthn.Submit | Verify WebAuthn authentication |

## SAML application

| Key | Name |
| ---------------------------- | ----------------------------------------------- |
| SamlApplication.AuthnRequest | Receive SAML application authentication request |
| SamlApplication.Callback | Handle SAML application callback |

## Security

| Key | Name |
| -------------------------- | -------------------- |
| Interaction.Create.Captcha | CAPTCHA verification |

## Related resources

<Url href="https://github.com/logto-io/logto/blob/master/packages/console/src/consts/logs.ts">
GitHub: Logto audit log events
</Url>
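Review bot: key casing is inconsistent in the MFA table: `Interaction.Register.Verification.Webauthn.Create` and `Interaction.SignIn.Verification.Webauthn.Create` versus `Interaction.Register.Verification.WebAuthn.Submit` and `Interaction.SignIn.Verification.WebAuthn.Submit`. These keys are what the console filter matches, so each should be checked against `packages/console/src/consts/logs.ts` (linked under Related resources) and whichever side is wrong corrected. In the Sign in table, `Interaction.SignIn.Verification.NewPassword.Submit` is described as "Create new password identity for register", which looks copied from the Register table and should describe the sign-in flow.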
6 changes: 6 additions & 0 deletions docs/developers/user-impersonation.mdx
Expand Up @@ -343,3 +343,9 @@ By customizing access token claims in this way, TechCorp can include valuable in
:::note
Be cautious when adding custom claims to your tokens. Avoid including sensitive information that could pose security risks if the token is intercepted or leaked. The JWTs are signed but not encrypted, so the claims are visible to anyone with access to the token.
:::

## Related resources

<Url href="https://blog.logto.io/impersonation">
What is impersonation in cybersecurity and identity management? How can AI agents use it?
</Url>
1 change: 1 addition & 0 deletions docs/end-user-flows/README.mdx
Expand Up @@ -18,6 +18,7 @@ End-user flows cover all verification processes for user interactions, categoriz
| [Enterprise SSO](/end-user-flows/enterprise-sso) | <ul><li>[SP-initiated SSO](/end-user-flows/enterprise-sso/sp-initiated-sso)</li><li>[IdP-initiated SSO](/end-user-flows/enterprise-sso/idp-initiated-sso)</li></ul> |
| [Multi-factor authentication](/end-user-flows/mfa) | <ul><li>[Authenticator apps OTP](/end-user-flows/mfa/authenticator-app-otp)</li><li>[Passkeys (WebAuthn)](/end-user-flows/mfa/webauthn)</li><li>[Backup codes](/end-user-flows/mfa/backup-codes)</li></ul> |
| [Authentication parameters](/end-user-flows/authentication-parameters) | <ul><li>[First screen](/end-user-flows/authentication-parameters/first-screen)</li><li>[Direct sign-in](/end-user-flows/authentication-parameters/direct-sign-in)</li></ul> |
| [Magic link (One-time token)](/end-user-flows/one-time-token) | <ul><li>Organization member invitation</li><li>User invitation when registration is disabled</li><li>Sign in or sign up using magic link</li></ul> |
| Authorize third-party apps | <ul><li>[Consent screen for OIDC / OAuth apps](/end-user-flows/consent-screen)</li></ul> |
| [Sign-out](/end-user-flows/sign-out) | <ul><li>[Clear tokens and local session at the client side](/end-user-flows/sign-out/#clear-tokens-and-local-session-at-the-client-side)</li><li>[Clear sign-in session at Logto](/end-user-flows/sign-out/#clear-sign-in-session-at-logto)</li><li>[Federated sign-out: Back-channel logout](/end-user-flows/sign-out/#federated-sign-out-back-channel-logout)</li></ul> |

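Review bot: the new Magic link row lists its three flows (organization member invitation, user invitation when registration is disabled, sign in or sign up using magic link) as plain text, while every other row in this table links each flow to a page or section. If the one-time-token page has sections for these flows, link them with fragment anchors as the Sign-out row does; otherwise the row reads as a placeholder next to its neighbours.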