IBM Cloud Docs
Anonymous authentication

Anonymous authentication

With IBM Cloud® App ID, you can allow users to anonymously browse your application under an anonymous user profile. If the user chooses to sign in, you can allow them to still access their anonymous attributes by attaching their anonymous profile to their user identity with App ID.

Understanding progressive authentication

When a user chooses not to sign in immediately, they are considered an anonymous user. For example, say you're an online retailer and you want to allow users to add objects to their shopping cart without signing in. However, you ask them to sign in to complete their purchase. If a user chooses to sign in, you can allow them to access the same objects that were in their shopping carts before they signed in.

You can use App ID to gather information about anonymous users into an anonymous user profile, which you can use to help personalize their experience of your application. If the user chooses to signs in, you can attach the user attributes that are part of the anonymous profile to their user identity that is stored in App ID. Anonymous profiles are temporarily valid. While you develop your app, you can configure the lifetime of anonymous tokens.

When a user signs in, they become an identified user. If an existing identified user profile does not exist, you can create a new identified user profile. After a user is identified, App ID issues new access and identity tokens and their anonymous token becomes invalid. However, an identified user can still access the attributes of their anonymous profile because they are accessible with the new access and identity tokens.

You can attach the attributes of only one anonymous profile to the user's identity that is stored in App ID. For example, say that a user browses your application anonymously in two separate browser tabs. The user adds a t-shirt to the shopping cart on the first tab and a pair of shorts to the cart on the second tab. App ID creates two separate anonymous profiles to track the interactions of the user with your application on each tab.

If the user chooses to sign in from the first tab, then they have access only to the t-shirt they added to their cart before they signed in. In this case, App ID attaches only the attributes of the anonymous profile on the first tab to the user's identity. The service does not merge the anonymous profile that is created on the second tab to the user's identity stored in App ID. But the user can still access the shorts anonymously on the second tab because they are still accessible with the anonymous profile that was created on the second tab. While you develop your app, you can configure how to attach anonymous attributes to identified user profiles.

What does the progressive authentication flow look like? 

In the following image, you can see the direction of communication that defines the progressive authentication flow between the user, your application, App ID, and the identity provider.

The path to becoming an identified user when they start as anonymous
Progressive authentication flow of anonymous user

  1. The user interacts with areas of your app that do not require authentication.
  2. Your application notifies App ID that the user wants to interact with your app as an anonymous user.
  3. App ID creates an ad hoc user profile and calls the OAuth login that issues anonymous tokens for the anonymous user.
  4. Using the anonymous tokens from App ID, you can create, read, update, and delete the attributes that are stored in the anonymous user profile.
  5. The user might choose to sign in to access more features of your app.
  6. Your application notifies App ID that the user wants to interact with your app as an identified user.
  7. App ID returns the login widget to your app.
  8. The user selects their preferred identity provider and provides their credentials.
  9. Your application informs App ID that the user selected an identity provider.
  10. App ID authenticates the call with the identity provider.
  11. The identity provider confirms whether the login was successful.
  12. App ID uses the anonymous token to find the anonymous profile and attaches the user's identity to it.
  13. After App ID creates the new tokens, the service invalidates the user's anonymous token.
  14. App ID returns the new access and identity tokens. The new tokens contain the public information that is shared by the identity provider and the attributes of the user's formerly anonymous profile.
  15. The user is granted access to your app.