User ОАuth Flow
Aurinko's User OAuth Flow enables user-delegated authorization, producing a user session token or httpOnly cookie for managing application user sessions.
Last updated
Aurinko's User OAuth Flow enables user-delegated authorization, producing a user session token or httpOnly cookie for managing application user sessions.
Last updated
Aurinko provides multiple Unified OAuth Flows that аre backed by providers' OAuth2 (i.e. Google, Office 365, Zoho Mail, Salesforce, HubSpot, SugarCRM) or by secure password-based authentication (i.e. MS Exchange, IMAP accounts).
This flow uses a user-delegated authorization and produces an Aurinko User with a user session token or httpOnly cookie. This flow is designed for managing application users (user sessions).
The user session token userSession
or the httpOnly cookie is used to access the app user session and all its linked accounts. Two main operations are supported:
Authorizing a primary account and initializing a user session (use &accountRole=primary
parameter)
Authorizing a secondary account for an existing user (use &accountRole=secondary
parameter)
Some key terms you'll encounter while integrating with Aurinko's OAuth2 flow:
The final callback URL, also known as returnUrl
, is the URL provided by your application and specified when calling the /authorize
API method within Aurinko. This is where Aurinko will redirect the user after successful authorization. It's crucial to register this URL within the Aurinko settings for your application.
The intermediate redirect URL is a temporary landing page used during the OAuth2 flow. By default, Aurinko uses https://api.aurinko.io/v1/auth/callback
for this purpose. However, developers have the flexibility to customize this URL within the Aurinko settings for their application.
The following diagram shows a custom OAuth flow with your own intermediate redirect URL.
Authorization request
From your application, redirect users to https://api.aurinko.io/v1/auth/authorizeUser
, with the query parameters used by the Account OAuth and specify the additional &accountRole=primary
parameter. Set responseType
to code
or cookie
(default value if not set).
Here's an example authorization request for creating a user :
Adding a secondary account (assuming the user session cookie is already set):
User Consent
Aurinko will present your user with the correct sign-in form based on the requested service type (Google, Office365, EWS). For Exchange users, the user has to enter a login name and an Exchange server url.
Getting the user session
Once the user has signed in and authorized your app's access, their browser will be redirected to the returnUrl
you provided.
Cookie Mode (responseType=cookie
)
If your authentication was successful Aurinko will set a secure httpOnly session cookie before redirecting to you returnUrl.
Example redirect URL: https://your-app.com/callback?state={state}&status=success
Authorization Code Mode (responseType=code
)
If your authentication was successful Aurinko will include the code
parameter in the query string.
Example redirect URL: https://your-app.com/callback?code={code}&state={state}&status=success
Make an HTTP POST call to https://api.aurinko.io/v1/auth/token/{code)}
to exchange the code
for a userSession
and userId
.
Response:
See /auth/token for details. Make sure to securely store the userSession
and provide it as an API Key in the X-Aurinko-Session
header to make API calls on behalf of the user (see Authentication details).