OIDC Login via API Example

Access Token Example: Code Authorization Flow

The following example will show you how to create a token using only the UE Auth API.

Specifically, we will be using the Code Authorization flow. Two examples are provided, one with PKCE and one without. To follow these examples, you must:

Doing this Locally

Alternatively, these instructions could be modified to work with your local instance if you have that up and running. You would simply have to query the necessary components directly as there is no UI. You can access your local instance at http://localhost:3000

Get your Auth Group ID and a Client ID and Secret

  1. Click "Settings" and your "Auth Group ID" is listed on the window as long as "Auth Group" is highlighted on the left navigation. You can also use your Auth Group Alias. For our example below we will reference the fake alias "ag_alias". Remember to replace it with yours.
  2. Close settings and click "Products" on the left nav of the platform.
  3. You will see two pre-populated products and one of them will include the words "Admin Portal" in the name. Click this one.
  4. On the resulting rightmost panel of the window, you will see a Client ID and Client Secret. Copy them and save them for later.

Code Authorization Flow with PKCE

PKCE (Proof Key for Code Exchange) is a secure way to validate a login without sending the Client Secret in the request. You can read more about it here: https://oauth.net/2/pkce/

Before you begin, you will need to generate CODE_VERIFIER and CODE_CHALLENGE values. We've tried to make this easy by providing a node tool for the job. In the UE Auth GitHub project you'll find the script. Run this command in your terminal and save the resulting values for the API calls coming up.

node ./test/tool/codeChallenge.js

Construct the following URL and paste it into your browser.

LOGIN REQUEST - https://auth.unitedeffects.com/ag_alias/auth?
response_type=code&
client_id=[CLIENTID]&
code_challenge=[CODE_CHALLENGE]&
code_challenge_method=S256&
redirect_uri=https://core.unitedeffects.com&
resource=https://auth.unitedeffects.com/ag_alias&
scope=openid access email&
nonce=123&
state=123

This URL should trigger a login screen. In UE Auth commercial, we have disabled passwords for UE Auth logins (which is the client being used here), so you will be offered passwordless login, which sends you a magic link email. Clicking that link redirects you to "core.unitedeffects.com" with "code=some-value" as a query parameter on the URL.

TOKEN REQUEST - curl -X 'POST' \
  'https://auth.unitedeffects.com/ag_alias/token' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=[CODE]' \
  -d 'redirect_uri=https://core.unitedeffects.com' \
  -d 'client_id=[CLIENTID]' \
  -d 'code_verifier=[CODE_VERIFIER]'

  • This will result in an access token in JWT form which you can verify on jwt.io

Code Authorization Flow without PKCE

By default, the Client generated for UE Auth login (the one used in the example above) is configured for PKCE login. To allow a non-PKCE login you would have to create a new Product and Login Service (OAuth Client) with the following fields set as shown. The example is provided for completeness; we leave it to you to generate the client in the UI as needed.

  • Token Endpoint Auth Method = "client_secret_basic"
  • Introspection Endpoint Auth Method = "client_secret_basic"
  • Revocation Endpoint Auth Method = "client_secret_basic"

LOGIN REQUEST - https://auth.unitedeffects.com/ag_alias/auth?
response_type=code&
client_id=[CLIENTID]&
redirect_uri=https://core.unitedeffects.com&
resource=https://auth.unitedeffects.com/ag_alias&
scope=openid access email&
nonce=123&
state=123

With client_secret_basic the client credentials travel in the HTTP Basic Authorization header (curl's -u flag), not in the form body.

TOKEN REQUEST - curl -X 'POST' \
  'https://auth.unitedeffects.com/ag_alias/token' \
  -u '[CLIENTID]:[CLIENTSECRET]' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=[CODE]' \
  -d 'redirect_uri=https://core.unitedeffects.com'