
πŸ•΅οΈ Advanced authorization flows

We suggest using the Authorization Code Flow. You can also use the Implicit Flow, for example if you run a Single Page Application and have no place to store your client_secret securely. For such public clients, current OAuth 2.0 security guidance recommends the Authorization Code Flow with PKCE over the Implicit Flow, so check whether your OAuth/OIDC plugin supports it before falling back to the flow below.

Implicit ID Token Flow

This is a faster, but also less secure, flow for obtaining the Trusted ID and signing in, signing up or verifying users with Trusted Accounts. Only an ID Token is returned to the browser; no access token and no refresh token are issued.

danger

Note that the Implicit Flow has known security concerns: the ID Token is delivered straight to the user agent, so it is exposed to anything that can read the response (browser history, referrer headers and server logs if it ever travels in the query string), and the client cannot prove its identity with a secret. Here is a video on the topic.

Library

This example uses the Implicit ID Token Flow with the openid-client library (the code below is its plain Client API; the library also ships a Passport strategy built on the same Client).

To start, create a Client instance for Trusted Accounts authorization server.

import { Issuer } from 'openid-client';

// Discover the Trusted Accounts issuer (endpoints and signing keys) from its OpenID Provider
// metadata. The issuer URL is not shown on this page: take it from your platform credentials.
const trustedIssuer = await Issuer.discover(trustedAccountsIssuerUrl);

const client = new trustedIssuer.Client({
  client_id: 'your_client_id', // you get it with your platform credentials
  redirect_uris: ['http://localhost:3000/cb'], // must match the URL your callback handler serves exactly
  response_types: ['id_token'], // Implicit ID Token Flow: only an ID Token comes back, no access token
  // id_token_signed_response_alg (default "RS256")
}); // => Client

Now send your end-users to Trusted Accounts' authorization_endpoint to authorize. Consult the web framework of your choice on how to redirect. Here is how to get the authorization endpoint's URL to redirect to; it already has all the parameters encoded in the query string.

import { generators } from 'openid-client';

// Generate a fresh nonce and state for every authorization request and store both in your
// framework's session mechanism. If it is a cookie based solution, the cookie should be
// httpOnly (not readable by JavaScript) and encrypted. You need both values again in the callback.
const nonce = generators.nonce();
const state = generators.state(); // random per-request value that ties the response to this session

const authorizationUrl = client.authorizationUrl({
  scope: 'openid offline',
  response_mode: 'form_post', // the ID Token is POSTed to your callback instead of being exposed in the URL
  nonce,
  state,
});
// redirect the user agent to authorizationUrl

Handle the callback

After the user has successfully authenticated via Trusted Accounts, they are redirected back to your platform's Callback URL.

When the end-user arrives back at your Callback URL with a POST (because the authorization request used the form_post response mode), your application consumes the callback and passes in the nonce and state it stored earlier, so that they are checked as part of the ID Token verification.

// assumes req.body is populated from your web framework's body parser (with form_post the
// ID Token arrives as a POST form field, not in the query string)
const params = client.callbackParams(req);
// nonce and state are the values stored in the session when the authorization URL was built;
// the redirect URI must be the one registered in redirect_uris. openid-client rejects the
// response if the state differs and rejects the ID Token if its signature, issuer, audience,
// expiry or nonce do not check out.
const tokenSet = await client.callback('http://localhost:3000/cb', params, { nonce, state });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims());

Client Credentials Flow

Use this flow to obtain an access token outside of the context of a user. It is used by platforms/clients to access resources about themselves rather than a user's resources. Because the client authenticates with its client_secret, this flow belongs on your server only, never in a browser or mobile app.

Consult your plugin of choice on how to integrate the Client Credentials Flow. Trusted Accounts is compatible with any OAuth/OIDC plugin. Go to the Setup to find a list of plugins.
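The exchange itself is one POST to the token endpoint, authenticated with the client's id and secret, followed by caching the returned access token until shortly before it expires. The following is an added example written for this page, not code from Trusted Accounts or from any plugin; the token endpoint URL is a placeholder, and the token response in the test is constructed. It shows the client_secret_basic encoding that RFC 6749 prescribes (id and secret form-urlencoded before they are joined and base64-encoded, which matters as soon as a secret contains `:` or `&`) and a cache that stops handing out a token a little before its expiry. With openid-client the same request is `client.grant({ grant_type: 'client_credentials' })`.

```javascript
// Build the token request for the Client Credentials grant (RFC 6749, section 4.4). The client
// authenticates with HTTP Basic (client_secret_basic): id and secret are form-urlencoded first,
// then joined with ':' and base64-encoded, as RFC 6749 section 2.3.1 requires.
function buildClientCredentialsRequest({ tokenEndpoint, clientId, clientSecret, scope }) {
  const credentials = `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`;
  const body = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) body.set('scope', scope);
  return {
    url: tokenEndpoint, // placeholder in the test below; use the token_endpoint from discovery
    method: 'POST',
    headers: {
      Authorization: `Basic ${Buffer.from(credentials).toString('base64')}`,
      'Content-Type': 'application/x-www-form-urlencoded',
      Accept: 'application/json',
    },
    body: body.toString(),
  };
}

// Holds the service token between requests. A token counts as unusable `leewaySeconds` before
// its expiry so that an in-flight request does not fail with a token that expired in transit.
class ServiceTokenCache {
  constructor({ leewaySeconds = 30, now = () => Math.floor(Date.now() / 1000) } = {}) {
    this.leeway = leewaySeconds;
    this.now = now; // injectable clock (seconds) so expiry behaviour can be tested offline
    this.accessToken = null;
    this.expiresAt = 0;
  }

  // Validate and store a token response from the token endpoint. expires_in is only
  // RECOMMENDED by the RFC; this cache insists on it so it never keeps a token of unknown lifetime.
  store(tokenResponse) {
    const { access_token, token_type, expires_in } = tokenResponse;
    if (typeof access_token !== 'string' || access_token === '') throw new Error('no access_token');
    if (String(token_type).toLowerCase() !== 'bearer') throw new Error(`unsupported token_type ${token_type}`);
    if (!Number.isInteger(expires_in) || expires_in <= this.leeway) throw new Error('expires_in missing or too short');
    this.accessToken = access_token;
    this.expiresAt = this.now() + expires_in;
  }

  needsRefresh() {
    return this.accessToken === null || this.now() >= this.expiresAt - this.leeway;
  }

  // Header for a resource request; callers request a new token when this throws.
  authorizationHeader() {
    if (this.needsRefresh()) throw new Error('token missing or about to expire; request a new one');
    return `Bearer ${this.accessToken}`;
  }
}

// Typical use with the global fetch of Node 18+: hit the token endpoint only when the cache says so.
async function serviceAuthorization(cache, config, fetchImpl = fetch) {
  if (cache.needsRefresh()) {
    const req = buildClientCredentialsRequest(config);
    const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
    if (!res.ok) throw new Error(`token endpoint returned ${res.status}`);
    cache.store(await res.json());
  }
  return cache.authorizationHeader();
}
```

Keep the cache per client and per scope set: a token obtained for one scope must not be reused for a request that needs another, and the secret used to obtain it should be loaded from your server's secret store, never embedded in code shipped to clients.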

Resource Owner Password Grant

This flow is deprecated and does not work with Trusted Accounts. Letting users enter their Trusted Accounts username and password on a platform other than Trusted Accounts itself would expose those users to unnecessary risk, since every such platform would handle the credentials in clear text.

Deprecated

This flow is deprecated and not supported.