Authentication overview

Frontegg offers an identity platform designed for embedding authentication and user management capabilities directly into SaaS applications. The platform provides a suite of tools and services that allow developers to integrate various authentication methods, manage user identities, and enforce authorization policies without building the underlying infrastructure from scratch. This approach aims to reduce development time and manage the complexities associated with secure user authentication in multi-tenant environments, as described in the official Frontegg product introduction.

The core components of Frontegg's authentication system include user directories, identity providers, and authentication flows. Developers configure these elements through the Frontegg Admin Portal, which acts as a central control panel for setting up authentication policies, managing users, and integrating with external identity sources. Applications interact with Frontegg's services via client-side SDKs and backend APIs, ensuring that authentication events and user data are securely handled and synchronized across the application stack. This modular architecture supports both traditional credential-based logins and modern federated identity solutions, providing flexibility for different application requirements and user preferences.

Frontegg's authentication system is built to support scalability and maintain compliance with various security standards. This includes features like multi-factor authentication (MFA), single sign-on (SSO) for enterprise clients, and audit logging to track authentication events. The platform's design emphasizes a developer-centric experience, offering comprehensive documentation and SDKs for popular frameworks to facilitate the integration process, as detailed in the Frontegg getting started guide.

Supported authentication methods

Frontegg supports a range of authentication methods to accommodate diverse user bases and security requirements. These methods can be configured and managed within the Frontegg Admin Portal, allowing developers to choose the most appropriate options for their applications.

Credential-based authentication

  • Email and Password: This traditional method allows users to authenticate using a registered email address and a password. Frontegg handles password hashing, storage, and recovery flows, adhering to security best practices for credential management.

Social login

  • OAuth 2.0 / OpenID Connect Providers: Frontegg integrates with popular social identity providers such as Google, GitHub, and Facebook. This enables users to log in using their existing accounts from these services, simplifying the registration and login process. The integration leverages OAuth 2.0 and OpenID Connect standards for secure delegation of authentication, as outlined in the OAuth 2.0 specification.

Enterprise authentication

  • Single Sign-On (SSO): For enterprise customers, Frontegg supports SSO through SAML 2.0 and OpenID Connect. This allows users to authenticate once with their corporate identity provider (e.g., Okta, Azure AD) and gain access to the SaaS application without re-entering credentials. SAML 2.0 is a widely adopted standard for exchanging authentication and authorization data between security domains, as described by the OASIS SAML 2.0 specifications.
  • Multi-Factor Authentication (MFA): Frontegg provides built-in MFA capabilities, allowing application administrators to enforce additional verification steps during login. This typically includes time-based one-time passwords (TOTP) through authenticator apps, adding an extra layer of security beyond just a password.

Authentication methods matrix

The following table summarizes the authentication methods supported by Frontegg:

Method When to Use Security Level
Email and Password Standard user accounts, general purpose applications Medium (enhanced with strong password policies and MFA)
Social Login (Google, GitHub, Facebook) Consumer-facing applications, ease of registration and login Medium to High (depends on provider's security, enhanced with MFA)
Enterprise SSO (SAML, OpenID Connect) B2B SaaS applications, corporate user bases High (leveraging enterprise-grade identity providers)
Multi-Factor Authentication (MFA) All applications requiring enhanced security, compliance requirements High (adds an additional layer of verification)

Getting your credentials

To integrate Frontegg authentication into your application, you typically need to obtain specific credentials from your Frontegg workspace. These credentials are used to identify your application and authorize it to interact with Frontegg's services. The primary credentials include your Client ID and API Keys.

Client ID and application setup

  1. Create a Frontegg application: Log into your Frontegg Admin Portal. Navigate to the "Applications" section and create a new application or select an existing one. Each application in Frontegg represents a distinct service or client that will use Frontegg for authentication.
  2. Retrieve Client ID: Once an application is created, Frontegg automatically generates a unique Client ID for it. This ID is essential for client-side SDKs and frontend integrations to identify which Frontegg application they are connecting to. You can find this ID in the application settings within the Admin Portal.
  3. Configure Redirect URIs: For OAuth 2.0 and OpenID Connect flows, you must configure valid "Redirect URIs" (also known as Callback URLs) in your Frontegg application settings. These URIs are where Frontegg redirects the user after successful authentication, ensuring security by preventing unauthorized redirects.

API keys for backend integrations

  1. Generate API Keys: For backend services that need to interact with Frontegg's APIs (e.g., for user management, role assignment, or custom authorization logic), you will need API Keys. In the Frontegg Admin Portal, go to the "API Keys" section.
  2. Define Permissions: When generating an API Key, you can specify the permissions or scopes associated with it. This allows you to follow the principle of least privilege, granting the API Key only the necessary access to Frontegg's resources. For example, an API Key might only have permission to read user profiles but not to delete them.
  3. Securely store API Keys: API Keys are sensitive credentials. They should be treated like passwords and never exposed in client-side code or publicly accessible repositories. Store them securely in environment variables or a secrets management system in your backend environment.

For detailed instructions on setting up your application and retrieving credentials, consult the Frontegg React SDK documentation or the relevant guide for your chosen SDK.

Authenticated request example

When integrating Frontegg into a frontend application, the SDKs handle most of the token management. However, for backend-to-backend communication or when making direct API calls that require authentication, you typically use an access token obtained through an OAuth 2.0 flow or an API Key. Here's an example of how a backend service might make an authenticated request to a protected resource, assuming an access token has already been acquired.

Using an access token (OAuth 2.0)

After a user authenticates through Frontegg, your application receives an access token. This token is then used to authorize requests to your own backend APIs that are protected by Frontegg's authorization services. The access token is typically sent in the Authorization header using the Bearer scheme.

Example in Node.js with fetch:

async function fetchProtectedData(accessToken) {
  try {
    const response = await fetch('https://your-backend.com/api/protected-resource', {
      method: 'GET',
      headers: {
        'Authorization': `Bearer ${accessToken}`,
        'Content-Type': 'application/json'
      }
    });

    if (!response.ok) {
      throw new Error(`HTTP error! Status: ${response.status}`);
    }

    const data = await response.json();
    console.log('Protected data:', data);
    return data;
  } catch (error) {
    console.error('Error fetching protected data:', error);
    throw error;
  }
}

// Example usage (accessToken would be obtained after user login via Frontegg SDK)
// const userAccessToken = 'eyJ...'; // Replace with actual token
// fetchProtectedData(userAccessToken);

Using an API key (backend-to-Frontegg API)

For direct API calls from your backend to Frontegg's management APIs (e.g., to programmatically manage users or roles), you would use an API Key. These keys are typically passed in a custom header, as specified by Frontegg's API documentation.

Example in Python using requests:

import requests
import os

def get_frontegg_users():
    api_key = os.environ.get('FRONTEGG_API_KEY')
    client_id = os.environ.get('FRONTEGG_CLIENT_ID') # Often used with API Key for context
    if not api_key or not client_id:
        raise ValueError("Frontegg API Key or Client ID not set in environment variables")

    headers = {
        "Authorization": f"Bearer {api_key}",
        "x-frontegg-tenant-id": client_id, # This header might vary based on Frontegg's API
        "Content-Type": "application/json"
    }

    try:
        response = requests.get('https://api.frontegg.com/identity/resources/v1/users', headers=headers)
        response.raise_for_status() # Raise an exception for HTTP errors
        users_data = response.json()
        print("Frontegg users:", users_data)
        return users_data
    except requests.exceptions.HTTPError as err:
        print(f"HTTP error occurred: {err}")
    except Exception as err:
        print(f"An error occurred: {err}")

# Example usage:
# get_frontegg_users()

Refer to the Frontegg API Reference for specific endpoints and required headers when making direct API calls.

Security best practices

Implementing secure authentication is critical for protecting user data and maintaining application integrity. When using Frontegg for authentication, adherence to security best practices enhances the overall posture of your application.

Credential management

  • Strong password policies: Enforce the use of strong, unique passwords for email/password authentication. Frontegg allows configuration of password complexity requirements, including minimum length, character types, and expiration policies.
  • Multi-Factor Authentication (MFA): Always enable and encourage MFA for all users. MFA significantly reduces the risk of unauthorized access even if primary credentials are compromised. Frontegg supports various MFA methods, including TOTP.
  • Secure storage of API keys and secrets: Never hardcode API keys or other sensitive credentials directly into your application's source code. Instead, use environment variables, cloud secret managers (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files.

Token handling

  • Short-lived access tokens: Configure access tokens to have short expiration times. This minimizes the window of opportunity for an attacker if a token is intercepted. Frontegg automatically manages token rotation and refresh token flows.
  • Secure token storage: On the client-side, store tokens securely. For web applications, use HTTP-only, secure cookies for refresh tokens and in-memory storage for access tokens to mitigate XSS attacks. Avoid storing tokens in localStorage if possible.
  • Validate tokens: Always validate access tokens on your backend before granting access to protected resources. Frontegg SDKs and APIs provide mechanisms to verify token signatures and expiration, ensuring the token's authenticity and validity.

Application and network security

  • Implement HTTPS/TLS: Ensure all communication between your application, users, and Frontegg services occurs over HTTPS/TLS. This encrypts data in transit, protecting credentials and sensitive information from interception.
  • Configure Redirect URIs carefully: Only whitelist trusted Redirect URIs in your Frontegg application settings. Misconfigured redirect URIs can lead to open redirect vulnerabilities, allowing attackers to redirect users to malicious sites and potentially steal tokens.
  • Principle of Least Privilege: When generating API keys or configuring roles, grant only the minimum necessary permissions required for the task. Regularly review and revoke unnecessary permissions.
  • Regular security audits: Conduct periodic security audits and penetration tests of your application to identify and address potential vulnerabilities. Stay updated with Frontegg's security advisories and recommended practices.
  • Cross-Origin Resource Sharing (CORS): Configure CORS policies on your backend to only allow requests from your authorized frontend domains. This prevents unauthorized domains from making requests to your API.

User management and lifecycle

  • Account lockout policies: Implement account lockout mechanisms after a certain number of failed login attempts to mitigate brute-force attacks. Frontegg provides configurable settings for this.
  • Audit logging: Utilize Frontegg's audit logging features to track authentication events, user actions, and security-related incidents. Regularly review these logs for suspicious activity.
  • User provisioning and de-provisioning: Establish clear processes for creating, updating, and deleting user accounts. Ensure that when users leave or roles change, their access rights are promptly updated or revoked.

By following these best practices, developers can significantly enhance the security of their applications when leveraging Frontegg for authentication and user management, aligning with general industry standards for secure identity systems, as detailed by the Mozilla Developer Network web security guidelines.