04/18/2023, 6:07 AM
How to implement the implicit flow in SuperTokens given that they are not yet an OAuth provider?
This is how the implicit flow can be implemented:

- Let's say we have and wants to login using SSO via has integrated with SuperTokens (frontend + backend SDK + core).
- The user visits and they are not logged in (using our frontend SDK you can check if a session exists on). The user clicks on the login button. The login button redirects the user to (notice the redirect_uri query param here).
- validates that the redirect_uri is known to it (via an API call to the backend). At the moment, this API would need to be implemented on your end and would require you to maintain a list of accepted redirect_uri values. If the redirect_uri doesn't match, show an error. If it does match, save the redirect_uri in localStorage. then shows the login screen and the user signs in as usual (via the usual SuperTokens guide flows). After login, they have a session on. Make sure that this session is using the JWT feature.
- The frontend can then extract the JWT from the session and redirect the user back to the redirect_uri with the JWT like this: …, where the value of token is the JWT. This is the key part in the implicit grant flow.
- On the callback screen on, the frontend can take the JWT from the query param and call an API on the backend. This API will verify the JWT using the JWKS endpoint exposed by the backend of (the API layer which is integrated with our backend SDK exposes a jwks.json endpoint).
- If the JWT is valid, you can get the sub claim from it and use our session recipe to create a new session in (using the session.createNewSession function). This will log the user into.
- When the user clicks logout on, only their session on will get revoked and they will still be logged into. If you want to revoke the session as well, then you will need to query the SuperTokens core from the backend of to revoke the session handle of. The session handle of can be added to the JWT that's created at, and then this session handle can be added to's session as well.