Add Magic Link Authentication executor

Implement Magic Link authentication support for the flow engine:
* Magic link token generation and email delivery
* Token verification with expiration handling
* Email template for magic link sign-in
* MagicLinkAuthnService in registry for executor integration

Refactor magic link URL parameters to use 'queryParams' instead of 'flowId'

Update clientSecret values and example in API documentation

Update README to reflect changes in magic link query parameters for native flow authentication

Add Default Basic + Magic Link Authentication Flow configuration

Author: RandithaK

backend/.mockery.public.yml

@@ -220,6 +220,14 @@ packages:
       pkgname: githubmock
       filename: "{{.InterfaceName}}_mock.go"
 
+  github.com/asgardeo/thunder/internal/authn/magiclink:
+    config:
+      all: true
+      dir: tests/mocks/authn/magiclinkmock
+      structname: '{{.InterfaceName}}Mock'
+      pkgname: magiclinkmock
+      filename: "{{.InterfaceName}}_mock.go"
+
   github.com/asgardeo/thunder/internal/authn/passkey:
     interfaces:
       PasskeyServiceInterface:

backend/cmd/server/bootstrap/flows/authentication/auth_flow_basic_magic_link.json

@@ -0,0 +1,96 @@
+{
+    "name": "Default Basic + Magic Link Authentication Flow",
+    "handle": "default-basic-magic-link-flow",
+    "flowType": "AUTHENTICATION",
+    "nodes": [
+        {
+            "id": "start",
+            "type": "START",
+            "onSuccess": "prompt_credentials"
+        },
+        {
+            "id": "prompt_credentials",
+            "type": "PROMPT",
+            "prompts": [
+                {
+                    "inputs": [
+                        {
+                            "ref": "input_001",
+                            "identifier": "username",
+                            "type": "TEXT_INPUT",
+                            "required": true
+                        },
+                        {
+                            "ref": "input_002",
+                            "identifier": "password",
+                            "type": "PASSWORD_INPUT",
+                            "required": true
+                        }
+                    ],
+                    "action": {
+                        "ref": "action_001",
+                        "nextNode": "basic_auth"
+                    }
+                }
+            ]
+        },
+        {
+            "id": "basic_auth",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "BasicAuthExecutor"
+            },
+            "onSuccess": "collect_email",
+            "onIncomplete": "prompt_credentials"
+        },
+        {
+            "id": "collect_email",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "AttributeCollector",
+                "inputs": [
+                    {
+                        "ref": "input_003",
+                        "identifier": "email",
+                        "type": "EMAIL_INPUT",
+                        "required": false
+                    }
+                ]
+            },
+            "onSuccess": "send_magic_link"
+        },
+        {
+            "id": "send_magic_link",
+            "type": "TASK_EXECUTION",
+            "properties": {
+                "magicLinkURL": "https://localhost:3000/signin"
+            },
+            "executor": {
+                "name": "MagicLinkAuthExecutor",
+                "mode": "send"
+            },
+            "onSuccess": "verify_magic_link"
+        },
+        {
+            "id": "verify_magic_link",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "MagicLinkAuthExecutor",
+                "mode": "verify"
+            },
+            "onSuccess": "auth_assert"
+        },
+        {
+            "id": "auth_assert",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "AuthAssertExecutor"
+            },
+            "onSuccess": "end"
+        },
+        {
+            "id": "end",
+            "type": "END"
+        }
+    ]
+}

backend/cmd/server/bootstrap/flows/authentication/auth_flow_magic_link.json

@@ -0,0 +1,65 @@
+{
+    "name": "Default Magic Link Authentication Flow",
+    "handle": "default-magic-link-flow",
+    "flowType": "AUTHENTICATION",
+    "nodes": [
+        {
+            "id": "start",
+            "type": "START",
+            "onSuccess": "prompt_email"
+        },
+        {
+            "id": "prompt_email",
+            "type": "PROMPT",
+            "prompts": [
+                {
+                    "inputs": [
+                        {
+                            "ref": "input_001",
+                            "identifier": "email",
+                            "type": "EMAIL_INPUT",
+                            "required": true
+                        }
+                    ],
+                    "action": {
+                        "ref": "magic_link_action",
+                        "nextNode": "send_magic_link"
+                    }
+                }
+            ]
+        },
+        {
+            "id": "send_magic_link",
+            "type": "TASK_EXECUTION",
+            "properties": {
+                "magicLinkURL": "https://localhost:3000/signin"
+            },
+            "executor": {
+                "name": "MagicLinkAuthExecutor",
+                "mode": "send"
+            },
+            "onSuccess": "verify_magic_link"
+        },
+        {
+            "id": "verify_magic_link",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "MagicLinkAuthExecutor",
+                "mode": "verify"
+            },
+            "onSuccess": "auth_assert"
+        },
+        {
+            "id": "auth_assert",
+            "type": "TASK_EXECUTION",
+            "executor": {
+                "name": "AuthAssertExecutor"
+            },
+            "onSuccess": "end"
+        },
+        {
+            "id": "end",
+            "type": "END"
+        }
+    ]
+}

backend/cmd/server/repository/resources/templates/magic_link.yaml

@@ -0,0 +1,21 @@
+id: "magic-link"
+displayName: "Magic Link Sign-In Email"
+scenario: "MAGIC_LINK"
+type: "email"
+subject: "Sign in to your account"
+contentType: "text/html"
+body: |
+  <!DOCTYPE html>
+  <html>
+  <body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
+  	<h2>Sign in to your account</h2>
+  	<p>Use the secure link below to sign in:</p>
+  	<p><a href="{{ctx(magicLink)}}" style="display: inline-block; padding: 10px 20px;
+  		background-color: #ff7300; color: #fff; text-decoration: none;
+  		border-radius: 4px;">Sign in</a></p>
+  	<p>This link expires in {{ctx(expiryMinutes)}} minutes.</p>
+  	<p>If the button above doesn't work, copy and paste the following link into your browser:</p>
+  	<p style="word-break: break-all;"><a href="{{ctx(magicLink)}}">{{ctx(magicLink)}}</a></p>
+  	<p>If you did not request this, you can safely ignore this email.</p>
+  </body>
+  </html>

backend/cmd/server/servicemanager.go

@@ -180,16 +180,6 @@ func registerServices(mux *http.ServeMux) jwt.JWTServiceInterface {
 	// Initialize user provider based on configuration
 	userProvider := userprovider.InitializeUserProvider(userService)
 
-	// Initialize authentication services.
-	_, authSvcRegistry := authn.Initialize(
-		mux, mcpServer, idpService, jwtService, userService,
-		userProvider, otpService, authnProvider, consentService,
-	)
-
-	attributeCacheService := attributecache.Initialize()
-
-	// Initialize flow and executor services.
-	flowFactory, graphCache := flowcore.Initialize()
 	var emailClient email.EmailClientInterface
 	emailClient, err = email.Initialize()
 	if err != nil {
@@ -201,6 +191,17 @@ func registerServices(mux *http.ServeMux) jwt.JWTServiceInterface {
 	if err != nil {
 		logger.Fatal("Failed to initialize template service", log.Error(err))
 	}
+
+	// Initialize authentication services.
+	_, authSvcRegistry := authn.Initialize(
+		mux, mcpServer, idpService, jwtService, userService,
+		userProvider, otpService, authnProvider, consentService, emailClient, templateService,
+	)
+
+	attributeCacheService := attributecache.Initialize()
+
+	// Initialize flow and executor services.
+	flowFactory, graphCache := flowcore.Initialize()
 	execRegistry := executor.Initialize(flowFactory, ouService,
 		idpService, otpService, jwtService, authSvcRegistry, authZService, userSchemaService, observabilitySvc,
 		groupService, roleService, userProvider, attributeCacheService, emailClient, templateService)

backend/internal/authn/common/constants.go

@@ -29,6 +29,7 @@ const DefaultHTTPTimeout = 5 * time.Second
 const (
 	AuthenticatorCredentials = "CredentialsAuthenticator"
 	AuthenticatorSMSOTP      = "SMSOTPAuthenticator"
+	AuthenticatorMagicLink   = "MagicLinkAuthenticator"
 	AuthenticatorGoogle      = "GoogleOIDCAuthenticator"
 	AuthenticatorGithub      = "GithubOAuthAuthenticator"
 	AuthenticatorOAuth       = "OAuthAuthenticator"

backend/internal/authn/common/error_constants.go

@@ -21,6 +21,7 @@ package common
 import (
 	"github.com/asgardeo/thunder/internal/system/error/apierror"
 	"github.com/asgardeo/thunder/internal/system/error/serviceerror"
+	"github.com/asgardeo/thunder/internal/system/i18n/core"
 )
 
 // API errors
@@ -90,6 +91,19 @@ var (
 		Error:            "User not found",
 		ErrorDescription: "No user found with the provided attributes",
 	}
+	// ErrorUserNotFoundWithI18n is the i18n version of ErrorUserNotFound.
+	ErrorUserNotFoundWithI18n = serviceerror.I18nServiceError{
+		Type: serviceerror.ClientErrorType,
+		Code: "AUTHN-1008",
+		Error: core.I18nMessage{
+			Key:          "authn.error.user_not_found",
+			DefaultValue: "User not found",
+		},
+		ErrorDescription: core.I18nMessage{
+			Key:          "authn.error.user_not_found_description",
+			DefaultValue: "No user found with the provided attributes",
+		},
+	}
 	// ErrorInvalidAssertion is the error returned when the provided assertion token is invalid.
 	ErrorInvalidAssertion = serviceerror.ServiceError{
 		Type:             serviceerror.ClientErrorType,

backend/internal/authn/handler_test.go

@@ -48,6 +48,7 @@ func TestAuthenticationHandlerTestSuite(t *testing.T) {
 
 func (suite *AuthenticationHandlerTestSuite) SetupTest() {
 	suite.mockService = NewAuthenticationServiceInterfaceMock(suite.T())
+	suite.handler = newAuthenticationHandler(suite.mockService)
 	suite.handler = &authenticationHandler{
 		authService: suite.mockService,
 	}

backend/internal/authn/init.go

@@ -28,6 +28,7 @@ import (
 	"github.com/asgardeo/thunder/internal/authn/credentials"
 	"github.com/asgardeo/thunder/internal/authn/github"
 	"github.com/asgardeo/thunder/internal/authn/google"
+	"github.com/asgardeo/thunder/internal/authn/magiclink"
 	"github.com/asgardeo/thunder/internal/authn/oauth"
 	"github.com/asgardeo/thunder/internal/authn/oidc"
 	"github.com/asgardeo/thunder/internal/authn/otp"
@@ -37,8 +38,10 @@ import (
 	consentmgt "github.com/asgardeo/thunder/internal/consent"
 	"github.com/asgardeo/thunder/internal/idp"
 	"github.com/asgardeo/thunder/internal/notification"
+	"github.com/asgardeo/thunder/internal/system/email"
 	"github.com/asgardeo/thunder/internal/system/jose/jwt"
 	"github.com/asgardeo/thunder/internal/system/middleware"
+	"github.com/asgardeo/thunder/internal/system/template"
 	"github.com/asgardeo/thunder/internal/user"
 	"github.com/asgardeo/thunder/internal/userprovider"
 )
@@ -51,6 +54,7 @@ type AuthServiceRegistry struct {
 	OIDCAuthnService        oidc.OIDCAuthnServiceInterface
 	GithubOAuthAuthnService github.GithubOAuthAuthnServiceInterface
 	GoogleOIDCAuthnService  google.GoogleOIDCAuthnServiceInterface
+	MagicLinkAuthnService   magiclink.MagicLinkAuthnServiceInterface
 	AuthAssertGenerator     assert.AuthAssertGeneratorInterface
 	PasskeyService          passkey.PasskeyServiceInterface
 	ConsentEnforcerService  consent.ConsentEnforcerServiceInterface
@@ -67,9 +71,11 @@ func Initialize(
 	otpSvc notification.OTPServiceInterface,
 	authnProvider authnprovider.AuthnProviderInterface,
 	consentSvc consentmgt.ConsentServiceInterface,
+	emailClient email.EmailClientInterface,
+	templateService template.TemplateServiceInterface,
 ) (AuthenticationServiceInterface, *AuthServiceRegistry) {
 	authServiceRegistry := createAuthServiceRegistry(idpSvc, jwtSvc,
-		userSvc, userProvider, otpSvc, authnProvider, consentSvc)
+		userSvc, userProvider, otpSvc, authnProvider, consentSvc, emailClient, templateService)
 	authnService := newAuthenticationService(
 		idpSvc,
 		jwtSvc,
@@ -103,8 +109,10 @@ func createAuthServiceRegistry(
 	otpSvc notification.OTPServiceInterface,
 	authnProvider authnprovider.AuthnProviderInterface,
 	consentSvc consentmgt.ConsentServiceInterface,
+	emailClient email.EmailClientInterface,
+	templateService template.TemplateServiceInterface,
 ) *AuthServiceRegistry {
-	return &AuthServiceRegistry{
+	registry := &AuthServiceRegistry{
 		CredentialsAuthnService: credentials.Initialize(authnProvider),
 		OTPAuthnService:         otp.Initialize(otpSvc, userProvider),
 		OAuthAuthnService:       oauth.Initialize(idpSvc, userProvider),
@@ -115,6 +123,13 @@ func createAuthServiceRegistry(
 		AuthAssertGenerator:     assert.Initialize(),
 		ConsentEnforcerService:  consent.Initialize(consentSvc, jwtSvc),
 	}
+
+	// Only register Magic Link authenticator if email client is configured.
+	if emailClient != nil {
+		registry.MagicLinkAuthnService = magiclink.Initialize(jwtSvc, emailClient, userProvider, templateService)
+	}
+
+	return registry
 }
 
 // registerRoutes registers the routes for the authentication.