OIDC Login via API Example

Access Token Example: Code Authorization Flow

The following example will show you how to create a token using only the UE Auth API.

Specifically, we will be using the Code Authorization flow. Two examples are provided, one with PKCE and one without. To follow these examples, you must:

Have registered with UE Auth commercial and set up your company. This will provide you with an Auth Group ID and a sample Client ID and Client Secret for your instance tied to the UE Auth admin portal.
Access the API guide here - https://docs.unitedeffects.com/reference/getting-started-with-your-api

Doing this Locally

Alternatively, these instructions could be modified to work with your local instance if you have that up and running. You would simply have to query the necessary components directly as there is no UI. You can access your local instance at http://localhost:3000

Get your Auth Group ID and a Client ID and Secret

Click "Settings" and your "Auth Group ID" is listed on the window as long as "Auth Group" is highlighted on the left navigation. You can also use your Auth Group Alias. For our example below we will reference the fake alias "ag_alias". Remember to replace it with yours.
Close settings and open click "Products" on the left nav of the platform.
You will see two pre-populated products and one of them will include the words "Admin Portal" in the name. Click this one.
On the resulting rightmost panel of the window, you will see a Client ID and Client Secret. Copy them and save them for later.

Code Authorization Flow with PKCE

PKCE (Proof of Key Exchange) is a secure way to validate a login without sending the Client Secret across the request. You can read more about it here: https://oauth.net/2/pkce/

Before you begin, you will need to generate CODE_VERIFIER and CODE_CHALLENGE values. We've tried to make this easy by providing a node tool for the job. In the UE Auth GitHub project you'll find the script. Run this command in your terminal and save the resulting values for the API calls coming up.

node ./test/tool/codeChallenge.js

Construct the following URL and paste it into your browser.

LOGIN REQUEST - https://auth.unitedeffects.com/ag_alias/auth?
response_type=code&
client_id=[CLIENTID]&
code_challenge=[CODE_CHALLENGE]&
code_challenge_method=s256&
redirect_uri=https://core.unitedeffects.com&
resource=https://auth.unitedeffects.com/ag_alias&
scope=openid access email&
nonce=123&
state=123

This url should trigger a login screen. In UE Auth commercial, we have disengaged passwords for UE Auth logins (which is the client being used here). The result will be an option to use passwordless login, which will then send you a magic link email. If you click this email link, it will redirect you to "core.unitedeffects.com" with "code=some-value" as a query parameter on the URL.

Copy the value provided for "code" and run the following API call either through curl or here on the API reference: https://docs.unitedeffects.com/reference/post_group-token
If you wish to experience the password flow, you can create your own Product and Login Service (OAuth Client) and ensure that the following property on the client is set to false: "client_only_passwordless"
Use the registration API to create OAuth Clients independent of any products as a shortcut for testing: https://docs.unitedeffects.com/reference/post_group-reg

TOKEN REQUEST - curl -X 'POST'
'https://auth.unitedeffects.com/ag_alias/token'
-H 'accept: application/json'
-H 'Content-Type: application/x-www-form-urlencoded'
-d 'code_verifier=[CODE_VERIFIER]&
redirect_uri=https://core.unitedeffects.com&
code=[CODERECIEVED]&
client_id=[CLIENTID]&
grant_type=authorization_code'

This will result in an access token in JWT form which you can verify on jwt.io

Code Authorization Flow without PKCE

By default, the Client generated for UE Auth login (which is the one you are using for the example) is configured for PKCE login. You would have to create a new Product and Login Service (OAuth Client) where the following fields are set as defined to allow a non-PKCE login. The example is provided for completeness but we leave it to you use the UI to generate the client as needed.

Token Endpoint Auth Method = "client_secret_basic"
Introspection Endpoint Auth Method = "client_secret_basic"
Revocation Endpoint Auth Method = "client_secret_basic"

LOGIN REQUEST - https://auth.unitedeffects.com/ag_alias/auth?
response_type=code&
client_id=[CLIENTID]&
redirect_uri=https://core.unitedeffects.com&
resource=https://auth.unitedeffects.com/ag_alias&
scope=openid access email&
nonce=123&
state=123

TOKEN REQUEST - curl -X 'POST'
'https://auth.unitedeffects.com/ag_alias/token'
-H 'accept: application/json'
-H 'Content-Type: application/x-www-form-urlencoded'
-d 'client_secret=[CLIENTSECRET]&
redirect_uri=https://core.unitedeffects.com&
code=[CODE]&
client_id=[CLIENTID]&
grant_type=authorization_code'