External Authentication
The following APIs facilitate authentication against any external OAuth2 provider, including all Social Login providers.
See also: Authentication using a password.
Fields
| Field | Value | Req/Default | Notes |
|---|---|---|---|
id |
id | Auto-generated | Provider’s ID. Always starts with “ap_”. Example: |
provider_type |
string | See Auth Providers. |
|
realm_id |
realm_id | ID of Realm this Provider belongs to. | |
request |
hash | Hash of request attributes to add to Event. See notes. |
Required permissions
| Method | Permissions |
|---|---|
| List URLs, Get URL | read |
| Authenticate, Authenticate Token | write |
List authorization URLs
List authorization URLs for all active social and third-party auth providers in the current realm.
Use the returned URLs to build links or buttons when building your own login page. Returned URLs are valid for 30 minutes.
Not needed when using hosted logins (LoginRocket).
Parameters
| Param | Value | Default | |
|---|---|---|---|
redirect_uri |
url | URL in your app that will receive the incoming OAuth token (and send it back to AuthRocket). | |
nonce |
string | Optional, but encouraged. A random string stored in the user's session in your app. Basically a CRSF check. |
Request
Example
GET /v2/auth_providers/authorize?redirect_uri=https%3A%2F%2Fyour.app%2Foauth
var resp = await authrocket.authProviders.authorizeUrls({
redirect_uri: "https://your.app/oauth"
})$res = $authrocket->authProviders->authorizeUrls([
"redirect_uri" => "https://your.app/oauth"
]);AuthRocket::AuthProvider.authorize_urls(redirect_uri: 'https://your.app/oauth',
realm_id: 'rl_0v76O8itSEiwfhA64ZFvKj')Response
Example
Status: 200
{ "more_results" : false,
"collection" : [
{ "id" : "ap_0v9XwmNDu1eHFAnDgYxHgb",
"provider_type" : "facebook",
"auth_url" : "https://www.facebook.com/v...clFSZz09"
}
]
}
console.log(resp.results)
[ { id: "ap_0v9XwmNDu1eHFAnDgYxHgb",
provider_type: "facebook",
auth_url: "https://www.facebook.com/v...clFSZz09"
}
]var_dump($res->results);
array(1) {
[0]=>
array(3) {
["id"]=> string(25) "ap_0v9XwmNDu1eHFAnDgYxHgb"
["provider_type"]=> string(8) "facebook"
["auth_url"]=> string(391) "https://www.facebook.com/v...clFSZz09"
}
}[#<AuthRocket::AuthProvider:0x3fc21aab662c>
id: "ap_0v9XwmNDu1eHFAnDgYxHgb",
attribs: {
"provider_type"=>"facebook",
"auth_url"=>"https://www.facebook.com/v...clFSZz09"
},
metadata: {
"more_results"=>false
}
]Get a provider's authorization URL
Retrieve the authorization URL for one active social or third-party auth provider in the current realm.
Use the returned URL to build a link or button when building your own login page. Returned URL is valid for 30 minutes.
Not needed when using hosted logins (LoginRocket).
Parameters
| Param | Value | Default | |
|---|---|---|---|
redirect_uri |
url | URL in your app that will receive the incoming OAuth token (and send it back to AuthRocket). | |
nonce |
string | Optional, but encouraged. A random string stored in the user's session in your app. Basically a CRSF check. |
Request
Example
GET /v2/auth_providers/:provider_id/authorize?redirect_uri=https%3A%2F%2Fyour.app%2Foauth
GET /v2/auth_providers/:provider_type/authorize?redirect_uri=https%3A%2F%2Fyour.app%2Foauth
The :provider_type form is not allowed when provider_type is oauth2.
var resp = await authrocket.authProviders.authorizeUrl('ap_0v9XwmNDu1eHFAnDgYxHgb', {
redirect_uri: "https://your.app/oauth"
})
var resp = await authrocket.authProviders.authorizeUrl('facebook', {
redirect_uri: "https://your.app/oauth"
})$res = $authrocket->authProviders->authorizeUrl('ap_0v9XwmNDu1eHFAnDgYxHgb', [
"redirect_uri" => "https://your.app/oauth"
]);
$res = $authrocket->authProviders->authorizeUrl('facebook', [
"redirect_uri" => "https://your.app/oauth"
]);AuthRocket::AuthProvider.authorize_url('ap_0v9XwmNDu1eHFAnDgYxHgb',
redirect_uri: 'https://your.app/oauth')
AuthRocket::AuthProvider.authorize_url('facebook', redirect_uri: 'https://your.app/oauth',
realm_id: 'rl_0v76O8itSEiwfhA64ZFvKj')
provider = AuthRocket::AuthProvider.find 'ap_0v9XwmNDu1eHFAnDgYxHgb'
provider.authorize_url redirect_uri: 'https://your.app/oauth'Response
Example
Status: 200
{ "id" : "ap_0v9XwmNDu1eHFAnDgYxHgb",
"provider_type" : "facebook",
"auth_url" : "https://www.facebook.com/v...clFSZz09"
}
console.log(resp.results)
{ id: "ap_0v9XwmNDu1eHFAnDgYxHgb",
provider_type: "facebook",
auth_url: "https://www.facebook.com/v...clFSZz09"
}var_dump($res->fields);
array(3) {
["id"]=> string(25) "ap_0v9XwmNDu1eHFAnDgYxHgb"
["provider_type"]=> string(8) "facebook"
["auth_url"]=> string(391) "https://www.facebook.com/v...clFSZz09"
}#<AuthRocket::AuthProvider:0x3fc21aab662c>
id: "ap_0v9XwmNDu1eHFAnDgYxHgb",
attribs: {
"provider_type"=>"facebook",
"auth_url"=>"https://www.facebook.com/v...clFSZz09"
}Authenticate using a provider's token
Accepts a provider’s token (authorization code), verifies it, and completes a login for the user.
Does for social and third-party authentication what Authenticate a User does for password logins, including creating login events and sessions.
Will auto-associate a social or third-party profile with an existing user, based on email address. If one is not found, creates a new User.
Existing users must be active.
If you are starting with an access token (instead of an authorization code), most likely from an iOS or Android SDK, use Authenticate using an access token instead.
Parameters
| Param | Value | Default | |
|---|---|---|---|
code |
string |
|
|
error |
string | If the external provider sends you |
|
nonce |
string | If provided to /authorize above, must send the same value here. You do not need to verify them; we will do it. | |
state |
string |
|
Request
Example
POST /v2/auth_providers/authorize
{ "code" : "ACQ51...KnJAS",
"state" : "ZWhCF...J3dmc",
"request" : {
"ip" : "127.0.0.1",
"client" : "user's User-Agent header"
}
}
var resp = await authrocket.authProviders.authorize({
code: "ACQ51...KnJAS",
state: "ZWhCF...J3dmc"
})$res = $authrocket->authProviders->authorize([
"code" => "ACQ51...KnJAS",
"state" => "ZWhCF...J3dmc"
]);session = AuthRocket::AuthProvider.authorize(code: params['code'],
error: params['error'], state: params['state'])Response
Example
Status: 200 with same body as Authenticate a User.
Status: 422 if there was an error. When possible, includes a retry URL and other information with the error:
{ ... ,
"provider_id" : "ap_SAMPLE",
"retry_url" : "4JagCZeSCVH...ae2kd9ZOaWo",
"user_email" : "john@example.com"
}
The retry URL is the same as from Get an Authorization URL above, with the addition of anything required by the provider to indicate this is a retry.
On success, returns a session object with token, same as Authenticate a User.
On failure, returns an object with errors:
resp.hasErrors()
// => true
console.log(resp.errors)
// => ["State is invalid"]Will also add a retry URL, which is the same as from Get an Authorization URL above, with the addition of anything required by the provider to indicate this is a retry.
resp.metadata.retry_url
// => "https://www.facebook.com/v...clFSZz09"On success, returns a session object with token, same as Authenticate a User.
On failure, returns an object with errors:
$res->hasErrors();
// => true
var_dump($res->errors);
array(1) {
[0]=> string(16) "State is invalid"
}Will also add a retry URL, which is the same as from Get an Authorization URL above, with the addition of anything required by the provider to indicate this is a retry.
$res->metadata["retry_url"];
// => "https://www.facebook.com/v...clFSZz09"On success, returns a session object with token, same as Authenticate a User.
On failure, returns an object without an id, but with errors:
# => #<AuthRocket::Session:0x3fde5fa18df8> id: nil, ...
session.errors?
# => true
session.valid?
# => false
session.errors
# => ["State is invalid"]Will also add a retry URL, which is the same as from Get an Authorization URL above, with the addition of anything required by the provider to indicate this is a retry.
session.metadata[:retry_url]
# => "https://www.facebook.com/v...clFSZz09"Events
On success, triggers a user.login.succeeded event.
If a new Credential was added to an existing user (it was their first login with this provider), triggers a user.updated event.
If a new user was created, triggers a user.created event.
Authenticate using an access token
Accepts a provider’s access token (already converted from an auth code) and completes a login for the user.
This is used when implementing authorization in native apps (typically iOS or Android), with a social vendor’s SDK that automatically converts authorization codes into access tokens for you. If you are starting with an authorization code, use Authenticate using a provider’s token instead.
Performs authentications, auto-association with users, and creates events like Authenticate using a provider’s token above.
If the token is expired or otherwise unusable, does not return a retry_url (in contrast to Authenticate using a provider’s token).
Parameters
| Param | Value | Default | |
|---|---|---|---|
access_token |
string | Valid access_token for the external provider. Required. |
Request
Example
POST /v2/auth_providers/:id/authorize
{ "access_token" : "JD7fD...jd8Nb2",
"request" : {
"ip" : "127.0.0.1",
"client" : "user's User-Agent header"
}
}
var resp = await authrocket.authProviders.authorizeToken('ap_0v9XwmNDu1eHFAnDgYxHgb', {
access_token: "JD7fD...jd8Nb2"
})$res = $authrocket->authProviders->authorizeToken('ap_0v9XwmNDu1eHFAnDgYxHgb', [
"access_token" => "JD7fD...jd8Nb2"
]);provider = AuthRocket::AuthProvider.find 'ap_0v9XwmNDu1eHFAnDgYxHgb'
session = provider.authorize_token(access_token: params['access_token'])Response
Example
Status: 200 with same body as Authenticate a User.
Status: 422 if there was an error.
On success, returns a user object with token, same as Authenticate a User.
On failure, returns an object with errors:
resp.hasErrors()
// => true
console.log(resp.errors)
// => ["Access token is invalid"]On success, returns a user object with token, same as Authenticate a User.
On failure, returns an object with errors:
$res->hasErrors();
// => true
var_dump($res->errors);
array(1) {
[0]=> string(23) "Access token is invalid"
}On success, returns a user object with token, same as Authenticate a User.
On failure, returns an object without an id, but with errors:
# => #<AuthRocket::Session:0x3fde5fa18df8> id: nil, ...
session.errors?
# => true
session.valid?
# => false
session.errors
# => ["Access token is invalid"]Events
On success, triggers same events as Authenticate using a provider’s token.