LogoLogo
PlatformReference
  • Welcome to Rollup
  • An Introduction to OpenID Connect (OIDC)
  • The Rollup Identity Graph
  • Getting Started
    • Create an Application
    • Setup Auth Flow
    • API Access
  • Guides
    • Storing Tokens
    • Session Management
    • Using Scopes
      • Requesting Email
      • Requesting Connected Accounts
      • Requesting Smart Contract Wallets
    • Third Party Auth Tools
      • Setup with Auth0
      • Setup with Supabase
      • Setup with NextAuth.js
  • Platform
    • Console
      • Dashboard
      • OAuth
      • Blockchain
      • Designer
      • Custom Domain
      • Users
      • KYC
      • Messaging
      • Audience Builder
      • Teams & Contact
      • Billing
    • Passport
    • Galaxy
  • Advanced
    • Tokens
    • Pop Up Auth Flow
    • Create Custom Claims
    • Migration Guide
  • Reference
    • Galaxy API
    • Passport API
    • Scopes
  • Troubleshooting
    • FAQ
  • Roadmap
  • Contributing
  • Login to Console
Powered by GitBook
On this page
  • Step 1: Initiate the Auth Request
  • Step 2: User Authentication & Authorization
  • Step 3: Authorization Code Exchange
  • Step 4: Access Token & ID Token
  • Step 5: Refresh Tokens (optional)

Was this helpful?

Edit on GitHub
Export as PDF
  1. Getting Started

Setup Auth Flow

Logging in users into your application.

PreviousCreate an ApplicationNextAPI Access

Last updated 1 year ago

Was this helpful?

For this step you will need the Client ID and the Client Secret from the .

The Rollup ID authentication flow is built upon the , ensuring a secure and standardized process. This guide will walk you through the steps involved in this flow.

For this step, since Rollup ID is standards-compliant, you can use off-the-shelf to build your OAuth flow.

Many open source OAuth client libraries like will automatically create the necessary routes and manage client state and requests for your application that you wil see below.

We have created a reference implementation using and the library which we will refer to several times in this step.

Step 1: Initiate the Auth Request

To log in or register to a user your application the first step is to send an authorization request to your Rollup ID application. This is typically handled by a redirect route (e.g./auth) in your application.

This request contains essential parameters, including the client_id (your application's ID), response_type, scope, state and redirect_url.

The state parameter is a CSRF token used to protect against potential attacks and to maintain any state that might be useful after the authentication process (more on this later). Before redirecting users to the Rollup ID auth flow, it is important that the state parameter is persisted in a cookie or other storage method for reference in a later step.

For example, your authorization URL should look like this: https://passport.rollup.id/authorize?client_id=<your_app_id>&state=<generated_state>&scope=email.

For PRO apps, are allowed and would replace passport.rollup.id with your domain name and more customization features would be available in the .

Step 2: User Authentication & Authorization

Rollup ID will use the provided client_id to look up your application details, displaying your application name and branding information.

If the user is not signed in they will be displayed the authentication page where they can choose from various authentication methods. After successful authentication, the user will be shown the authorization screen to provide consent for the requested scopes, allowing your application to access specific data.

Upon completion, users will be redirected back to your app using the redirect_url set in the previous step.

Step 3: Authorization Code Exchange

Your redirect_url should be ready to accept an exchange token and state parameters in the following format:

// https://<redirect_url>?code=<exchange code>&state=<state>
  • Code: the exchange code needed request an access token

  • State: this state should match the state you created for the user/client in Step 1. Typically your chosen OAuth library will manage this for you.

To exchange the code for an access token use this information to call the exchange token endpoint using the "authorization_code" value for "grant_type"

Step 4: Access Token & ID Token

Inside the ID token object you will find a unique claim called sub which will be consistent across all logins. This will match the value of the sub claim in access and refresh tokens also.

Ensure you handle this data with care, respecting user privacy and adhering to data protection regulations.

Step 5: Refresh Tokens (optional)

Refresh tokens allow your application to obtain new access tokens, ensuring uninterrupted access to user data.

If you ever find yourself with an expired refresh token you can consider this as the user being "logged out" and redirect them to repeat the auth flow.

Redirect URL: the redirect url set in your app in the . For development, "localhost" is an accepted redirect url host.

With the obtained access token, your application can now fetch the from the Rollup ID /userinfo to fetch or any authorized endpoint from the .

Access tokens are valid for 1 hour, with the expiry time stored in the "exp" property in the JWT. If your application requires prolonged access to user data without prompting the user for re-authentication, consider implementing refresh tokens using the .

previous step
previous step
OpenID Connect (OIDC) protocol
open-source libraries
Auth.js
Remix
Remix OAuth
here
custom hostnames
designer
Galaxy API
exchange token endpoint
endpoint
id token