Nico Sabena nicosabena

## force_single_connection_no_ui.html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Sign In with Auth0</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>

<body>

## Configure WS-Fed generated attributes.js
function (user, context, callback) {

  // only apply changes for the WS-Fed application
  if (context.clientName !== 'Your ws-fed application name') {
    return callback(null, user, context);
  }

  // exclude the upn claim creation (defaults to true)
  context.samlConfiguration.createUpnClaim = false;


## smaller-header-hlp.html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Sign In with Auth0</title>
  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0" />
  <style  type="text/css">

  /* completely hide the header

## embedded-lock-test.html
<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML>
<HEAD>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css" integrity="sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r" crossorigin="anonymous">
    <TITLE>
        Hello World
    </TITLE>
    <style>

## restrict_scopes_in_rule.js
function (user, context, callback) {

  function getAllowedScopes(audience, clientID) {
    // openid profile email are OIDC scopes
    // real code would calculate allowedScopes based on
    // contextual information like audience,
    // context.clientID, context.clientName, context.connection, user
    let allowedScopes = ["openid","profile","email","read:timesheets"];
    return allowedScopes;
  }

## Lock-with-extra-button.html
<!--
This example how you can add an extra button to Lock to directly
force an authentication with an enterprise connection (instead of relying
on Lock's home realm discovery with the email domain).

Warning: This is provided "as-is". It relies on Lock's current DOM structure, which
might change in future versions without previous warning and break this solution.

If you want buttons for your enterprise connections, a better idea is to
use the "New" Universal Login experience instead, which provides these

## hosted login page with password and passwordless.html
<!--
This shows how you can have both a regular Lock or Passwordless Lock in the
hosted login page, and decide between the two based on some logic (e.g. like
based on the clientID, see the "usePasswordless" variable at the bottom of this code).

If your applications have both DB and passwordless connections
enabled, you could also present the option to the user (e.g. with a couple of buttons)
and then show the proper widget based on the user's selection.
-->

## delete_grants_after_password_change.js
async function (user, context, callback) {
  // this rule will run after a user changes their password and
  // delete, for the user, either:
  //   - all grants (for OIDC-Conformant usage)
  //   - all device credentials (for non OIDC-Conformant apps)
  // These actions will effectively invalidate all issued refresh tokens
  // on the next token request (be it an interactive login
  // or a refresh token flow).
  // It compares a user's last_password_rest property
  // against an "app_metadata.last_revoke" property used

## single-connection-hlp.html
<!DOCTYPE html>
<!--
  This hosted login page will go directly to a single upstream identity provider
  instead of showing Lock. It's a good choice for tenants that have only one
  connection enabled, or for individual applications with just one connection
  (in which case, the logic to decide to go directly to the idp needs to
  be changed, see below).
  It still keeps Lock if you do `prompt=login`, just in case.
-->

## cookie-check-hosted-login-page.html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Sign In with Auth0</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
  <div id="nocookies" style="display:none">
	<!DOCTYPE html>
	<html>
	<head>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
	<title>Sign In with Auth0</title>
	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
	</head>

	<body>
	function (user, context, callback) {

	// only apply changes for the WS-Fed application
	if (context.clientName !== 'Your ws-fed application name') {
	return callback(null, user, context);
	}

	// exclude the upn claim creation (defaults to true)
	context.samlConfiguration.createUpnClaim = false;
	<!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN">
	<HTML>
	<HEAD>
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
	<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap-theme.min.css" integrity="sha384-fLW2N01lMqjakBkx3l/M9EahuwpSfeNvV63J5ezn3uZzapT0u7EYsXMjQV+0En5r" crossorigin="anonymous">
	<TITLE>
	Hello World
	</TITLE>
	<style>
	function (user, context, callback) {

	function getAllowedScopes(audience, clientID) {
	// openid profile email are OIDC scopes
	// real code would calculate allowedScopes based on
	// contextual information like audience,
	// context.clientID, context.clientName, context.connection, user
	let allowedScopes = ["openid","profile","email","read:timesheets"];
	return allowedScopes;
	}
	<!--
	This example how you can add an extra button to Lock to directly
	force an authentication with an enterprise connection (instead of relying
	on Lock's home realm discovery with the email domain).

	Warning: This is provided "as-is". It relies on Lock's current DOM structure, which
	might change in future versions without previous warning and break this solution.

	If you want buttons for your enterprise connections, a better idea is to
	use the "New" Universal Login experience instead, which provides these
	<!--
	This shows how you can have both a regular Lock or Passwordless Lock in the
	hosted login page, and decide between the two based on some logic (e.g. like
	based on the clientID, see the "usePasswordless" variable at the bottom of this code).

	If your applications have both DB and passwordless connections
	enabled, you could also present the option to the user (e.g. with a couple of buttons)
	and then show the proper widget based on the user's selection.
	-->
	async function (user, context, callback) {
	// this rule will run after a user changes their password and
	// delete, for the user, either:
	// - all grants (for OIDC-Conformant usage)
	// - all device credentials (for non OIDC-Conformant apps)
	// These actions will effectively invalidate all issued refresh tokens
	// on the next token request (be it an interactive login
	// or a refresh token flow).
	// It compares a user's last_password_rest property
	// against an "app_metadata.last_revoke" property used
	<!DOCTYPE html>
	<!--
	This hosted login page will go directly to a single upstream identity provider
	instead of showing Lock. It's a good choice for tenants that have only one
	connection enabled, or for individual applications with just one connection
	(in which case, the logic to decide to go directly to the idp needs to
	be changed, see below).
	It still keeps Lock if you do `prompt=login`, just in case.
	-->