
🧑‍💻 User authorization

The recommended way to integrate Trusted Accounts on your platform is the Authorization Code Flow.

SPA (Single Page Application)

If you run a SPA, you might want to use the Implicit Flow. Be aware that the Implicit Flow has known security downsides.

Start the flow

Library

This example uses the Authorization Code Flow with the openid-client library, which also integrates with passport.

To start, create a Client instance for the Trusted Accounts authorization server.

import { Issuer } from 'openid-client';

// trustedIssuer is the openid-client Issuer for the Trusted Accounts authorization server,
// obtained through OpenID Connect discovery (the issuer URL below is a placeholder):
// const trustedIssuer = await Issuer.discover('<TRUSTED_ACCOUNTS_ISSUER_URL>');
const client = new trustedIssuer.Client({
  client_id: 'your_client_id', // you get it with your platform credentials
  client_secret: 'your_client_secret', // you get it with your platform credentials
  redirect_uris: ['http://localhost:3000/cb'],
  response_types: ['code'],
  // id_token_signed_response_alg (default "RS256")
}); // => Client

Now send your end-users to the Trusted Accounts authorization_endpoint to authorize. Consult the web framework of your choice on how to redirect. Here's how to get the authorization endpoint's URL to redirect to; it has all the parameters already encoded in the query.

import { generators } from 'openid-client';
const code_verifier = generators.codeVerifier();
// store the code_verifier (and the state below) in your framework's session mechanism; if it is a
// cookie based solution it should be httpOnly (not readable by javascript) and encrypted.

const code_challenge = generators.codeChallenge(code_verifier);
const state = generators.state(); // a random string per request; it is checked against the state returned on the callback

const authorizationUrl = client.authorizationUrl({
  scope: 'openid offline',
  resource: 'https://my.api.example.com/resource/32178',
  code_challenge,
  code_challenge_method: 'S256',
  state,
});
// redirect the end-user to authorizationUrl

When end-users are redirected back to your callback_url, your application consumes the callback and passes in the code_verifier (together with the stored state) so that it is included in the authorization code grant token exchange.

const params = client.callbackParams(req);
// the redirect URI must match the one registered in redirect_uris; code_verifier and state come from the session
const tokenSet = await client.callback('http://localhost:3000/cb', params, { code_verifier, state });
console.log('received and validated tokens %j', tokenSet);
console.log('validated ID Token claims %j', tokenSet.claims()); // this outputs the ID Token claims

Success

Congrats! 🎉 The user successfully authenticated with Trusted Accounts on your platform. Next, we will use the information from the ID Token to verify Trusted Accounts on your platform.