Assign accessgroups that say "false" if user is not authorized to ViewModels.

When a deeplink is executed towards this ViewModel, we check if the user is Authenticated already. If AccessGroup still says no(for some other reason), we will show special ViewModel AccessDenied; otherwise (not authenticated), we will navigate to Account/Login?returnUrl=UrlToTheViewModelYouTriedToReach

Implement the AccountLogin ViewModel to control how the login page displays. Make sure to add a string variable redirectUrl that will get the value from above - here, you can add a PeriodicAction that auto-navigates the user further on in the authentication process. For example, you may want to send user directly to OpenIdConnet authentication flow. Action expression for this:

selfVM.NavigateUrl( 'Account/TryExternalLogin?provider=OpenIdConnect&returnUrl='+SysSingleton.oclSingleton.UrlEncode(returnUrl,false),false )

Note the UrlEncode ExternalLateBound function to make the url play nicely with url stacking.

When the openIdConnect flow is finished, it will use the returnUrl to navigate to the users desired view.