Assign accessgroups that says "false" if user is not authorized to ViewModels

When a deeplink is executed towards this ViewModel we check if the user is Authenticated already - if so we will show special ViewModel AccessDenied, otherwise we will navigate to Account/Login?returnUrl=UrlToTheViewModelYouTriedToReach

Implement the AccountLogin viewmodel to control how the login page displays, make sure to add a string variable redirectUrl that will get the value from above - here you can add a PeriodicAction that auto navigates the user further on in the autentication process. For example you may want to send user directly to OpenIdConnet authentication flow. Action expression for this:

selfVM.NavigateUrl( 'Account/TryExternalLogin?provider=OpenIdConnect&returnUrl='+SysSingleton.oclSingleton.UrlEncode(returnUrl,false),false )

Note the UrlEncode ExternalLateBound function to make the url play nicely with url stacking.