https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
how to implement the implicit flow in
r

rp

04/18/2023, 6:07 AM
how to implement the implicit flow in supertokens given that they are not yet and oauth provider?
hi
This is how implicit flow can be implemented: - Let’s say we have client1.com and auth.com. client1.com wants to login using SSO via auth.com. auth.com has integrated with supertokens (frontend + backend SDK + core). - user visits client1.com and they are not logged in (using our frontend SDK you can check if a session exists on client1.com). User clicks on the login button. The login button redirects the user to auth.com?redirect_uri=https://client.com/callback (notice the redirect_uri query param here). - auth.com validates that the redirect_uri is known to it (via an API call to the backend). At the moment, this API would need to be implemented on your end and would require you to maintain a list of accepted redirect_uri . If the redirect_uri doesn’t match, show an error. If it does match, save the redirect_uri in localstorage. auth.com then shows the login screen and the user signs in as usual (via the usual supertokens guides flows). Post login, they have a session on auth.com. Make sure that this session is using the JWT feature. - The frontend can then extract the JWT from the session and redirect the user back to redirect_uri with the jwt like this: client1.com/callback?token=…., where the value of token is the jwt. This is the key part in the implicit grant flow.
- On the callback screen on client1.com, the frontend can take the JWT from the query param and call an API on the backend. This API will verify the JWT using the JWKS endpoint exposed by the backend of auth.com (the api layer which is integrated with our backend sdk exposes a jwks.json endpoint). - If the JWT is valid, you can get the sub claim from it and use our session recipe to create a new session in client1.com (using session.createNewSession function). This will log the user into client1.com. - When the user clicks logout on client1.com, only their session on client1.com will get revoked and they will still be logged into auth.com. If you want to revoke the auth.com session as well, then you will need to query the supertokens core from backend of client1.com to revoke the session handle of auth.com. The session handle of auth.com can be added to the jwt token that’s created at auth.com, and then this session handle can be added to client1.com’s session as well.
st-bot-test-case
#bot-trainingJoin Discord
Powered by