PlusAuth provides lots of customization options for your tenant. You will find those options at Dashboard > Tenant Settings.
In this section you will find the commonly used options for customizing your tenant's behaviour.
This configuration is for providing a better user experience in your application. PlusAuth needs it in cases where there is no way to know which client initiated the operation. This can happen when the user session has expired or when the user arrives from an external URL that was not initiated by your application. In those scenarios PlusAuth will redirect to this URL. It should be located in your application and should initiate PlusAuth authorization, which will handle the flow correctly.
Some may want to disable the registration page in their application. Disabling this option will prevent users from registering through PlusAuth. The PlusAuth widget will also hide the SignUp link on the login page.
Disabling this option will prevent users from using the password recovery mechanisms provided by PlusAuth. The PlusAuth widget will also hide the Forgot Password link from the login and register pages.
Enabling this option will send the configured welcome email to newly registered users. If email verification is enabled, users will receive the email after they verify their accounts.
Although it is advised to give no indication of the status of an existing account, some may prefer usability to security in this context. The objective of giving no indication is to avoid creating a discrepancy factor that would allow an attacker to mount a user enumeration action against your application.
Enabling this option will expose the errors below to clients.
account_blocked (User's account exists, and it is blocked)
user_not_found (No user found with provided identity)
invalid_password (User's account exists but provided password is incorrect)
A verification email will be sent to newly registered users in order to verify ownership of the email account. With this option disabled, newly registered users can log in without verifying their emails.
It is common for applications not to require users to enter their credentials again after signing up. With this option enabled, users will be logged in automatically and redirected to the Tenant Login Url. If it is configured correctly, the user will be authenticated in the application.
This page is for advanced customizations, and it is strongly recommended not to change them if you are not sure what they are for.
PlusAuth doesn't store user passwords in plain text. Using hashing, a common technique in the programming world, PlusAuth stores the hashed version of the user password. You can select one of the hash functions.
Updating this setting will affect newly registered users. Password hashes of existing users will be updated when they log in.
PlusAuth provides the most used and relatively secure hash functions to select from. They are:
PlusAuth uses argon2 by default.
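How an update-on-login migration of this kind can work, as an added example that is not PlusAuth's own code: the stored record names the function that produced it, and a successful login against an old record re-hashes the password with the currently selected function. PBKDF2 and scrypt from Python's standard library stand in for the old and new hash functions; the record format, parameters and all names are assumptions.

```python
import hashlib
import hmac
import os

# Assumption: "scrypt" stands in for the hash function currently selected.
CURRENT = "scrypt"


def _derive(algo: str, password: str, salt: bytes) -> bytes:
    pw = password.encode("utf-8")
    if algo == "pbkdf2":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, 600_000)
    if algo == "scrypt":
        return hashlib.scrypt(pw, salt=salt, n=2**14, r=8, p=1, dklen=32)
    raise ValueError(f"unknown hash function: {algo}")


def hash_password(password: str, algo: str = CURRENT) -> str:
    """Return a self-describing record: algo$salt_hex$digest_hex."""
    salt = os.urandom(16)
    return f"{algo}${salt.hex()}${_derive(algo, password, salt).hex()}"


def login(store: dict, user: str, password: str) -> bool:
    """Verify a password; on success, upgrade a record made with an old function."""
    record = store.get(user)
    if record is None:
        return False
    algo, salt_hex, digest_hex = record.split("$")
    candidate = _derive(algo, password, bytes.fromhex(salt_hex))
    if not hmac.compare_digest(candidate, bytes.fromhex(digest_hex)):
        return False  # wrong password: the old record is left untouched
    if algo != CURRENT:
        # The plaintext is only available at login, so this is the one
        # moment an old record can be re-hashed with the new function.
        store[user] = hash_password(password)
    return True


# Constructed sample: alice registered before the setting was changed.
users = {"alice": hash_password("correct horse", algo="pbkdf2")}
```

Accounts that never log in again keep their old hash, so the previous function has to stay verifiable for as long as such records exist.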
You can customize the lifetime of generated tokens. Values are defined in seconds.