Version: v2

getAuthenticationContext

This function is only available on the JavaScript SDK. Support for more SDKs will be coming soon.

The getAuthenticationContext function enables an app using the Beyond Identity SDK to get information associated with the current authentication request.

Dependencies

The getAuthenticationContext function requires the Beyond Identity SDK.

yarn add @beyondidentity/bi-sdk-js

or

npm install @beyondidentity/bi-sdk-js

Prerequisites

Before making a call to getAuthenticationContext, you must complete the following prerequisite calls:

  1. Import the required types and functions from the SDK.

    import { Embedded } from '@beyondidentity/bi-sdk-js';
  2. Initialize the SDK.

    // --- Initialize with required arguments
    try {
      const embedded = await Embedded.initialize();
      console.log("Initialization successful", embedded);
    } catch (error) {
      console.error("Initialization failed:", error);
    }

    // --- Initialize with required and optional arguments
    const config = {
      allowedDomains: ["example.com", "another-example.com"],
      logger: function (logType, message) {
        console.log(`[${logType}] ${message}`);
      },
    };

    try {
      const embedded = await Embedded.initialize(config);
      console.log("Initialization successful", embedded);
    } catch (error) {
      console.error("Initialization failed:", error);
    }
  3. Use getAuthenticationContext to get information associated with the current authentication request.

    await embedded.getAuthenticationContext(url);

Parameters

| Parameter | Type | Description |
| --- | --- | --- |
| url | string | Required. The authentication URL of the current transaction. This URL is generated by the Beyond Identity API's /authorize endpoint in response to a standard OpenID Connect request from your app (see example below). The generated URL is unique for each authentication request. It contains an encoded JWT token containing the challenge for the passkey to sign. (/bi-authenticate?request=someToken) |

Returns

On success, the getAuthenticationContext function returns a Promise that resolves to an AuthenticationContext, which itself is a JSON object that contains the following keys:

| Key | Description |
| --- | --- |
| application | An object containing the application's id and displayName. |
| authMethods | An array containing the type of authentication methods the application supports. |
| authUrl | A string containing a URL you must pass into authenticate or authenticateOtp. |
| origin | An object containing the sourceIp, userAgent, geolocation, and referer of the request. |

Currently, the following authentication methods are supported, and more are coming soon:

| Auth method | Description |
| --- | --- |
| webauthn_passkey | Generates a hardware key within your device's trusted execution environment (TEE). |
| software_passkey | Generates a passkey securely created within the browser's context. |
| email_one_time_password | Enables a workflow that verifies identity via an email one-time password. |

Examples

Example: Call getAuthenticationContext

let authenticationContext = await embedded.getAuthenticationContext(url);

Example: Retrieve Beyond Identity authentication URL via OIDC call

The app sends an OIDC call to the Beyond Identity API's /authorize endpoint:

GET https://auth-us.beyondidentity.com/v1/tenants/{TENANT_ID}/realms/{REALM_ID}/applications/{APPLICATION_ID}/authorize?client_id={CLIENT_ID}&scope=openid&response_type=code&redirect_uri={REDIRECT_URI}&state=8LIY29kN8Oz7zrAhb8xb0yvem-gvnRy1HTn03MAuL_E

where the following elements match the corresponding properties of the app as configured in your Beyond Identity tenant:

| Property | Description |
| --- | --- |
| TENANT_ID | The Tenant ID of the tenant in which the app is configured. |
| REALM_ID | The Realm ID of the realm in which the app is configured. |
| APPLICATION_ID | The Application ID from the header of the app's configuration page. |
| CLIENT_ID | The Client ID from the External Protocol tab of the app's configuration page. |
| REDIRECT_URI | Matches one of the Redirect URIs configured on the External Protocol tab of the app's configuration page, URL encoded. |

When the Invocation Type configured on the Authenticator Config tab of the app's configuration page is set to Manual, the endpoint returns a JSON object:

{ "authenticate_url": "http://localhost:8083/bi-authenticate?request={BI_JWT}" }

where BI_JWT is a base64url encoded JWT token containing the challenge and other data to kick off the passkey authentication.

When the Invocation Type on the app is set to Automatic, it returns an HTTP 302 to the authentication URL:

http/1.1 302 Found
...
location: http://localhost:8083/bi-authenticate?request={BI_JWT}

where BI_JWT is a base64url encoded JWT token containing the challenge and other data to kick off the passkey authentication.
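
The authentication URL arrives in a network response and is then handed to the SDK, so it is worth checking its shape first. The following is an added example, not Beyond Identity code: it extracts the URL from either the Manual or the Automatic response described above and accepts it only if it matches the documented /bi-authenticate?request={BI_JWT} form. The function names, the response object shape, and the expected-origin list are assumptions made for this illustration.

```javascript
// Added example, not Beyond Identity code. Function names and the
// expected-origin list are assumptions made for this illustration.

// Origin the authentication URL should point at (constructed value, taken
// from the sample responses above).
const EXPECTED_ORIGINS = ["http://localhost:8083"];

// Pull the authentication URL out of either /authorize response shape:
//   Manual    -> 200 with JSON body { "authenticate_url": "..." }
//   Automatic -> 302 with a Location header
function extractAuthenticateUrl({ status, headers = {}, body = "" }) {
  if (status === 302) {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === "location");
    return key ? headers[key] : null;
  }
  if (status !== 200) return null;
  try {
    const parsed = JSON.parse(body);
    return typeof parsed.authenticate_url === "string" ? parsed.authenticate_url : null;
  } catch {
    return null; // body was not a JSON object
  }
}

// Accept only <expected origin>/.../bi-authenticate?request=<token>, where the
// token uses the base64url alphabet plus the "." separators of a compact JWT.
function checkAuthenticateUrl(raw, expectedOrigins = EXPECTED_ORIGINS) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!expectedOrigins.includes(url.origin)) return { ok: false, reason: "unexpected origin" };
  if (!url.pathname.endsWith("/bi-authenticate")) return { ok: false, reason: "unexpected path" };
  const token = url.searchParams.get("request");
  if (!token || !/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/.test(token)) {
    return { ok: false, reason: "missing or malformed request token" };
  }
  return { ok: true, url: url.href };
}
```

Pass the returned url to embedded.getAuthenticationContext only when ok is true; log the reason otherwise.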