Setup Auth Flow
Logging in users into your application.
Last updated
Was this helpful?
Logging in users into your application.
Last updated
Was this helpful?
For this step you will need the Client ID and the Client Secret from the .
The Rollup ID authentication flow is built upon the , ensuring a secure and standardized process. This guide will walk you through the steps involved in this flow.
For this step, since Rollup ID is standards-compliant, you can use off-the-shelf to build your OAuth flow.
To log in or register to a user your application the first step is to send an authorization request to your Rollup ID application. This is typically handled by a redirect route (e.g./auth) in your application.
This request contains essential parameters, including the client_id (your application's ID), response_type, scope, state and redirect_url.
The state parameter is a CSRF token used to protect against potential attacks and to maintain any state that might be useful after the authentication process (more on this later). Before redirecting users to the Rollup ID auth flow, it is important that the state parameter is persisted in a cookie or other storage method for reference in a later step.
For example, your authorization URL should look like this: https://passport.rollup.id/authorize?client_id=<your_app_id>&state=<generated_state>&scope=email.
Rollup ID will use the provided client_id to look up your application details, displaying your application name and branding information.
If the user is not signed in they will be displayed the authentication page where they can choose from various authentication methods. After successful authentication, the user will be shown the authorization screen to provide consent for the requested scopes, allowing your application to access specific data.
Upon completion, users will be redirected back to your app using the redirect_url set in the previous step.
Your redirect_url should be ready to accept an exchange token and state parameters in the following format:
Code: the exchange code needed request an access token
State: this state should match the state you created for the user/client in Step 1. Typically your chosen OAuth library will manage this for you.
To exchange the code for an access token use this information to call the exchange token endpoint using the "authorization_code" value for "grant_type"
Ensure you handle this data with care, respecting user privacy and adhering to data protection regulations.
Refresh tokens allow your application to obtain new access tokens, ensuring uninterrupted access to user data.
If you ever find yourself with an expired refresh token you can consider this as the user being "logged out" and redirect them to repeat the auth flow.
Redirect URL: the redirect url set in your app in the . For development, "localhost" is an accepted redirect url host.
With the obtained access token, your application can now fetch the from the Rollup ID /userinfo to fetch or any authorized endpoint from the .
Access tokens are valid for 1 hour, with the expiry time stored in the "exp" property in the JWT. If your application requires prolonged access to user data without prompting the user for re-authentication, consider implementing refresh tokens using the .
