Using Authgear without SDK (Client side)
Integrate Authgear on the client side in mobile apps without SDK
Authgear is built based on OIDC 2.0 standard, you can integrate it into any application framework without SDK.
Supported grant types
Authorization Code Flow with Proof Key for Code Exchange (PKCE)
For public clients like mobile apps and SPAs, PKCE flow should be used. It uses code_challenge_method
& code_challenge
parameters in the authentication requests and the code_verifier parameter in the code exchange step. It ensures that the application that starts the code flow is the same one that finishes it.
OpenID Connect Configurations
This endpoint serves as a JSON document containing the OpenID Connect configuration of your Authgear project. That includes the authorization endpoint, the token endpoint, and the JWKs endpoint. The URL looks like:
Initiate Signup and Login
To singup or login, redirect the user to the /authorize
endpoint. The URL should look like this:
Code Example
“S256” is supported in code_challenge_method.
The
code_verifier
is a string of length between 43 and 128 generated on the client side. It should be unique for each authorization request. Thecode_challenge
is a SHA-256 hash of the verifier.The state parameter is optional. Authgear will include the value of the state parameter when redirecting the user back to the client application. Learn more at How to Use the OAuth 2.0 State Parameter
After login, the user will be redirected to
[redirect_uri]?code=[AUTH_CODE]
, theAUTH_CODE
is needed in the next stepSee the supported scopes at Supported Scopes
Handling Callback
After receiving the AUTH_CODE
in your application, make a POST request to the /token
endpoint.
Include the
code_verifier
used for generating thecode_challenge
to prove both requests come from the same client.The response may contain the ID token, the access token and the refresh token depending on the
scope
supplied by the previous step.
Logout
When the user logs out, revoke the refresh token by making a POST request to the revocation_endpoint
with the refresh token in the body in application/x-www-form-urlencoded
as content-type. The endpoint looks like https://AUTHGEAR_ENDPOINT/oauth2/revoke
, it can be found in OpenID Connect configuration document.
Then clear the access token and refresh token stored locally in your app.
Verifying JWT Access Token
Include the access token in the Authorization headers of the frontend requests to verify your user’s identity. Follow this guide to learn about validating the JWT in your application server Validate JWT in your application server
Last updated