👉 2. Start setup

Install library

You can find a list of available libraries for your favorite tech stack on the Libraries page.

Use your library's documentation and follow the Authorization Code Flow guide.

SPA (Single Page Application)

If you run a SPA you might want to use the Implicit Flow. Be aware that the Implicit Flow has known security weaknesses (tokens are returned in the URL fragment, where they can leak through browser history and referrers); current OAuth 2.0 guidance recommends the Authorization Code Flow with PKCE for SPAs instead.

Example configuration

Library

This example uses the openid-client library, which is what the code below installs and imports. You can also use any other OAuth/OpenID Connect library.

Install the library.

npm install openid-client

Then configure your client.

import { Issuer } from 'openid-client';

// Fetch the issuer's OpenID Connect discovery document (endpoints, signing keys, supported features).
const trustedIssuer = await Issuer.discover('https://auth.trustedaccounts.org');

const client = new trustedIssuer.Client({
  client_id: 'your_client_id',
  client_secret: 'your_client_secret', // server-side only; never ship it to the browser
  redirect_uris: ['http://localhost:3000/cb'], // must match the redirect URI registered for your client exactly
  response_types: ['code']
});

Now you can already create a link to send your users to Trusted Accounts for verification.

import { generators } from 'openid-client';

const code_verifier = generators.codeVerifier();
// Store the code_verifier in your framework's session mechanism. If it is a cookie-based solution,
// the cookie should be httpOnly (not readable by JavaScript) and encrypted.

const code_challenge = generators.codeChallenge(code_verifier);

const authorizationUrl = client.authorizationUrl({
  scope: 'openid offline',
  resource: 'https://my.api.example.com/resource/32178',
  code_challenge,
  code_challenge_method: 'S256'
});
// ==> Show authorizationUrl to the user as a link or "Verify with Trusted" button to navigate to.

Run the code

Run your application, click on the link and authenticate via Trusted Accounts. After a successful authentication see how you will be navigated back to your platform.

When the user is redirected back to your redirect URI (callback URL), consume the callback and pass in the code_verifier so that it is included in the authorization code grant token exchange.

// `req` is the incoming HTTP request for the callback route (for example an Express request).
const params = client.callbackParams(req);

// The redirect URI passed here must be the one the user was sent back to (the same value as
// in redirect_uris above). The library exchanges the code, sending the code_verifier with it,
// and validates the returned ID Token (signature, issuer, audience, expiry) before returning.
const tokenSet = await client.callback('http://localhost:3000/cb', params, { code_verifier });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims()); // outputs the validated ID Token claims

Run the code

Run your application again. After a successful authentication via Trusted Accounts, look at your console output. You should now see the ID Token claims.

The ID Token contains everything you need to verify, sign in, and register Trusted Accounts users on your platform.
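The steps above rely on openid-client to generate the PKCE values, to bind the callback to the user's session and to validate the ID Token. The following is an added example, not code from the Trusted Accounts docs or from openid-client, that writes those checks out with Node's built-in crypto so you can see what `client.authorizationUrl()` and `client.callback()` do on your behalf. It assumes the same `client_id` and `redirect_uri` placeholders as the setup above and a hypothetical authorization endpoint path (`/oauth2/auth`); in a real integration that endpoint comes from `Issuer.discover()`, and the ID Token signature is verified against the issuer's JWKS before the claim checks run.

```javascript
// Added example (not from the Trusted Accounts docs or openid-client): the PKCE, state and
// ID Token claim checks that client.authorizationUrl() / client.callback() perform for you,
// written out with Node's built-in crypto so the checks are visible and testable.
import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';

const ISSUER = 'https://auth.trustedaccounts.org';
// Assumption: this endpoint path is hypothetical; the real one comes from Issuer.discover().
const AUTHORIZATION_ENDPOINT = `${ISSUER}/oauth2/auth`;
const CLIENT_ID = 'your_client_id';               // same placeholder as in the setup above
const REDIRECT_URI = 'http://localhost:3000/cb';  // must match the registered redirect URI exactly

function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function safeEqual(a, b) {
  const ba = Buffer.from(a), bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// PKCE (RFC 7636): 32 random bytes give a 43-character verifier; the S256 challenge is
// base64url(SHA-256(verifier)), so only the party holding the verifier can redeem the code.
function codeVerifier() {
  return base64url(randomBytes(32));
}

function codeChallenge(verifier) {
  return base64url(createHash('sha256').update(verifier).digest());
}

// Step 1: build the authorization URL and remember, per session, what must match on return.
// `session` stands for your framework's session store (httpOnly, encrypted cookie or server-side).
function startLogin(session) {
  const verifier = codeVerifier();
  const state = base64url(randomBytes(16));  // binds the callback to this browser session (CSRF)
  const nonce = base64url(randomBytes(16));  // binds the ID Token to this login attempt (replay)
  session.pkce = { verifier, state, nonce };
  const url = new URL(AUTHORIZATION_ENDPOINT);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: 'openid offline',
    state,
    nonce,
    code_challenge: codeChallenge(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Step 2: on the callback, reject anything that does not match the session, consume the
// stored values (single use) and return the parameters of the authorization code grant.
function handleCallback(session, query) {
  if (query.error) throw new Error(`authorization failed: ${query.error}`);
  const pending = session.pkce;
  if (!pending) throw new Error('no login in progress for this session');
  if (typeof query.state !== 'string' || !safeEqual(query.state, pending.state)) {
    throw new Error('state mismatch');
  }
  if (typeof query.code !== 'string' || query.code === '') throw new Error('missing code');
  delete session.pkce;
  return {
    grant_type: 'authorization_code',
    code: query.code,
    redirect_uri: REDIRECT_URI,
    code_verifier: pending.verifier,
    expectedNonce: pending.nonce,  // not sent to the server; used to check the ID Token below
  };
}

// Step 3: the claim checks applied to the ID Token payload after its signature has been
// verified against the issuer's JWKS. Returns null when valid, otherwise the first failure.
function validateIdTokenClaims(claims, { nonce, now = Math.floor(Date.now() / 1000) } = {}) {
  if (claims.iss !== ISSUER) return 'issuer mismatch';
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(CLIENT_ID)) return 'audience mismatch';
  if (aud.length > 1 && claims.azp !== CLIENT_ID) return 'azp mismatch';
  if (typeof claims.exp !== 'number' || claims.exp <= now) return 'token expired';
  if (typeof claims.iat !== 'number' || claims.iat > now + 60) return 'issued in the future';
  if (nonce !== undefined && claims.nonce !== nonce) return 'nonce mismatch';
  if (typeof claims.sub !== 'string' || claims.sub === '') return 'missing sub';
  return null;
}
```

In an Express app you would call `startLogin(req.session)` to produce the link and `handleCallback(req.session, req.query)` in the callback route; the returned object, minus `expectedNonce`, is the body of the token request, and `expectedNonce` is what you compare against the `nonce` claim of the ID Token you get back. The state check is what stops a callback URL captured from one browser from being replayed in another session, and consuming `session.pkce` on first use ensures each verifier is redeemed only once.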