👉 2. Start setup
Install library
You can find a list of available libraries for your favorite tech stack on the Libraries page.
Use your library's documentation and follow the Authorization Code Flow guide.
If you run a SPA you may be tempted to use the Implicit Flow. Be aware that the Implicit Flow delivers tokens in the URL fragment, where they are exposed to browser history, referrer leakage and any script running on the page, and it cannot be protected with PKCE; the OAuth 2.0 Security Best Current Practice (RFC 9700) recommends that clients do not use it. The Authorization Code Flow with PKCE shown below works for SPAs as well and is the safer choice.
Example configuration
This example uses the openid-client library for Node.js. You can also use any other OAuth 2.0/OpenID Connect library; the steps are the same.
Install the library.
npm install openid-client
The snippets below use the openid-client v4/v5 API (Issuer, Client, generators). Version 6 replaced it with a different, function-based API, so install a 5.x release (npm install openid-client@5) if you want to follow them verbatim.
Then configure your client.
import { Issuer } from 'openid-client';
// Discover endpoints and signing keys from the issuer's /.well-known/openid-configuration document.
const trustedIssuer = await Issuer.discover('https://auth.trustedaccounts.org');
const client = new trustedIssuer.Client({
  client_id: 'your_client_id',
  client_secret: 'your_client_secret', // keep this out of source control, e.g. read it from an environment variable
  redirect_uris: ['http://localhost:3000/cb'], // must exactly match the redirect URI registered for your client
  response_types: ['code']
});
Now you can create a link that sends your users to Trusted Accounts for verification.
import { generators } from 'openid-client';
const code_verifier = generators.codeVerifier();
// Store the code_verifier in your framework's session mechanism. If that is a cookie-based
// solution, the cookie should be httpOnly (not readable by JavaScript) and encrypted.
const code_challenge = generators.codeChallenge(code_verifier); // BASE64URL(SHA256(code_verifier))
const authorizationUrl = client.authorizationUrl({
  scope: 'openid offline',
  resource: 'https://my.api.example.com/resource/32178',
  code_challenge,
  code_challenge_method: 'S256'
}); // ==> Show this URL to the user as a link or "Verify with Trusted" button to navigate
Run your application, click the link and authenticate via Trusted Accounts. After a successful authentication you will be redirected back to your platform.
When the user is redirected back to your redirect URI, consume the callback and pass in the code_verifier so that it is included in the authorization code grant token exchange. The redirect URI you pass to callback() is sent in the token request and must be the one registered for your client above; the authorization server rejects the exchange if it differs from the one used in the authorization request.
// req is your framework's incoming request object for the redirect URI route (e.g. an Express request).
const params = client.callbackParams(req);
// Exchanges the code for tokens, sending code_verifier for PKCE, and validates the ID Token
// (signature, issuer, audience, expiry) before returning.
const tokenSet = await client.callback('http://localhost:3000/cb', params, { code_verifier });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims()); // the decoded ID Token claims
Run your application again. After a successful authentication via Trusted Accounts, have a look at your console. You should now see the ID Token.
The ID Token's claims, in particular the subject identifier sub, contain everything you need to verify, sign in and register Trusted Accounts users on your platform. Key the account on your side by sub rather than by an e-mail address or display name: sub is the only claim the issuer guarantees to be unique and stable for a user.