Home

for Developers

Documentation

All you need to run your APIs

 
chevron_rightDirect Earn
chevron_rightEnrol and Earn
chevron_rightPay with Avios
chevron_rightCollect and Spend
chevron_rightAll

Regular Web Application

A Regular Web Application is a traditional web application that runs on the server (server-side application).

Sessions

Applications with backend may track sessions with a server-side application session, with a server-side cookie. This cookie may track its expiration by depending on the token response from IdP. For example, if the cookie expires the backend has a few options to get the token response from the IdP and then slide the application session:

  • Redirect the user, with a HTTP 302, to the IdP /authorize endpoint, and if the session is still valid on the IdP, then new tokens are replied back on the callback service without asking for the user to re-login.
  • During the initial authentication, and if applicable, request for a refresh token. Later, when the application session expires, the backend can use the refresh token to get the new tokens. This approach makes the backend a stateful service and can be extended to be a centralised session management service. The session cookie may only store an anchor (an identifier stored in it) and every time the frontend makes a call to the backend, the cookie is associated with the request. If required, the backend will get the refresh token from the storage using the mapped identifier (or anchor) in the application session cookie. However, this solution will be useful only when the frontend and backend are tied to the same TLD.

Set up

The guides below demonstrates how to integrate your Regular Web Application with the Identity Product, on our development, testing, staging and production environments.

Express (JS)

Before we are able to create your application and share the needed details you need to provide:

  • Callback url
    Is a URL in your application that you would like the Identity Product to redirect users to after they have authenticated. If not set, users will not be returned to your application after they log in.
    Example: for local development you can use http://localhost:3000/callback
  • Logout url
    Is a URL in your application that you would like the Identity Product to redirect users to after they have logged out, by using returnTo query parameter. If not set, users will not be able to log out from your application and will receive an error.
    Example: for local development you can use http://localhost:3000/logout

Others

  • ID Token and Refresh token expirations.

After sharing the needed details (above) we will provide, per environment:

  • IdP Domain (issuerBaseURL)
  • Client ID
  • Client Secret

Implementation

Your application should install our preferred package, express-openid-connect. Install the Express OIDC SDK by executing the following commands on your terminal:

1 2 cd <your-project-directory> npm install express-openid-connect'

Configure Router

The Express OpenID Connect library provides the auth router in order to attach authentication routes to your application. You will need to configure the router with the following configuration keys:

  • baseURL - The URL where the application is served
  • secret - A long, random string, which you must not share. It can be generated with the terminal command $ openssl rand -hex 32 .
  • issuerBaseURL - IAGL Identity Product domain
  • clientID - The URL where the application is served

Below you can find an example configuration used on localhost development:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 const { auth } = require('express-openid-connect'); const config = { authRequired: false, auth0Logout: true, authorizationParams: { response_type: 'code' }, secret: 'a long, randomly-generated string', baseURL: 'http://localhost:3000', clientID: 'lHE0Lq3400FXQv6ebMVxetKC9w1xPwBo', issuerBaseURL: 'https://identity.iagl.digital' }; // auth router attaches /login, /logout, and /callback routes to the baseURL app.use(auth(config)); // req.isAuthenticated is provided from the auth router app.get('/', (req, res) => { res.send(req.oidc.isAuthenticated() ? 'Logged in' : 'Logged out'); });

Test your application

Now your application should be fully integrated with Identity Product. Default routes for logging in and out are provided. For login visit /login , and for logout visit /logout .

Next.js

Before we are able to create your application and share the needed details you need to provide:

  • Callback url
    Is a URL in your application that you would like the Identity Product to redirect users to after they have authenticated. If not set, users will not be returned to your application after they log in.

    Example: for local development you can use http://localhost:3000/callback
  • Logout urlIs a URL in your application that you would like the Identity Product to redirect users to after they have logged out, by using returnTo query parameter. If not set, users will not be able to log out from your application and will receive an error.
    Example: for local development you can use http://localhost:3000/logout

Others

  • ID Token and Refresh token expirations.

After sharing the needed details (above) we will provide, per environment:

  • IdP Domain (issuerBaseURL)
  • Client ID
  • Client Secret

Implementation

Your application should install our preferred package, auth0/nextjs-auth0. Install the Next.js SDK by executing the following commands on your terminal:

1 2 cd <your-project-directory> npm install @auth0/nextjs-auth0'

The SDK exposes methods and variables that help you integrate your Next.js application using API Routes on the backend and React Context with React Hooks on the frontend.

Configure the SDK

In the root directory of your project add a .env.local with the following content:

1 2 3 4 5 6 AUTH0_SECRET='use [openssl rand -hex 32] to generate a 32 bytes value' AUTH0_BASE_URL='http://localhost:3000' AUTH0_ISSUER_BASE_URL='https://identity.iagl.digital' AUTH0_CLIENT_ID='lHE0Lq3400FXQv6ebMVxetKC9w1xPwBo' AUTH0_CLIENT_SECRET='3zENCPDSg9IWIdMVt93QP-TAwDBtvuZKknO_-bd3Z2m55yHJ0q5eA6FmsdGNFs5v'
  • AUTH0_SECRET
    A long secret value used to encrypt the session cookie.
    You can generate a suitable string using openssl rand -hex 32 on the command line.
  • AUTH0_BASE_URL
    The base URL of your application.
  • AUTH0_ISSUER_BASE_URL
    Identity Product domain.
  • AUTH0_CLIENT_ID
    Your application's Client ID.
  • AUTH0_CLIENT_SECRET
    Your application's Client Secret.

Add the dynamic API route

Create an auth directory under the pages/api directory. Then, create a [...auth0].js file under the newly created auth directory. The path to your dynamic API route file should then be pages/api/auth/[...auth0].js.

Import in that file the handleAuth method from the SDK, and export the result of calling it.

1 2 3 // pages/api/auth/[...auth0].js import { handleAuth } from '@auth0/nextjs-auth0'; export default handleAuth();

Under the hood, handleAuth() creates the following routes:

  • /api/auth/login
    The route used to perform login with Identity Product.
  • /api/auth/logout
    The route used to log the user out.
  • /api/auth/callback
    The route that will redirect the user to after a successful login.
  • /api/auth/me
    The route to fetch the user profile from.

Add the UserProvider component

On the frontend side, the SDK uses React Context to manage the authentication state of your users. To make that state available to all your pages, you need to override the App component and wrap its inner component with a UserProvider. Create the file pages/ _ app.js as follows:s

1 2 3 4 5 6 7 8 9 10 11 // pages/_app.js import React from 'react'; import { UserProvider } from '@auth0/nextjs-auth0'; export default function App({ Component, pageProps }) { return ( <UserProvider> <Component {...pageProps} /> </UserProvider> ); }

The authentication state exposed by UserProvider can be accessed in any component using the useUser() hook.

Now that you have added the dynamic route and UserProvider , run your application to verify that your application is not throwing any errors.

Add Login to Your Application

A user can now log in to your application by visiting the /api/auth/login route provided by the SDK. Add a link to your login route using an anchor tag.

1 <a href="/api/auth/login">Login</a>

Show User Profile Information

The Next.js SDK helps you retrieve the profile information associated with the logged-in user, such as their name or profile picture, to personalize the user interface. The profile information is available through the user property exposed by the useUser() hook. Take this Profile component as an example of how to use it:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 import React from 'react'; import { useUser } from '@auth0/nextjs-auth0'; export default function Profile() { const { user, error, isLoading } = useUser(); if (isLoading) return <div>Loading...</div>; if (error) return <div>{error.message}</div>; return ( user && ( <div> <img src={user.picture} alt={user.name} /> <h2>{user.name}</h2> <p>{user.email}</p> </div> ) ); }

The user property contains sensitive information and artifacts related to the user's identity. As such, its availability depends on the user's authentication status. To prevent any render errors:

  • Ensure that the SDK has completed loading before accessing the user property by checking that isLoading is false.
  • Ensure that the SDK has loaded successfully by checking that no error was produced.
  • Check the user property to ensure that Identity Product has authenticated the user before React renders any component that consumes it.

Test your application

Now your application should be fully integrated with Identity Product.

Limitations

If a user has multiple browser tabs opened with your application

If that same user starts the authentication flow ( /login route ) on more than one tab, things will not work as expected. Here are the scenarios.

  • For all scenarios, the user has multiple tabs where he started the authentication flow

Scenario 1:

  • The user tries to authenticate on the most recent tab (the last tab to start the authentication flow). The user will authenticate successfully.
  • Then, the user tries to authenticate on the other tabs. These tabs will redirect the user to your application with an error ( status code 400 ), even though the user is already authenticated.

Scenario 2:

  • The user tries to authenticate on a tab that is not the most recent tab (not the last tab to start the authentication flow). The user will be redirected to your application with an error ( status code 400 ).
  • All the other authentication attempts, on the already opened tabs, will redirect the user to your application with an error ( status code 400 ).