Sample Use Cases: Scopes and Claims

Sample Use Cases: Scopes and Claims

In these examples, we use the Authorization Code Flow to authenticate a user and request the necessary permissions (scopes) and tokens. For details on the request parameters or to learn how to fully implement this flow, read our tutorial: Add Login to Regular Web Applications.

Authenticate a user and request standard claims

In this example, we want to authenticate a user and get user details that will allow us to personalize our user interface. To do this, we need to get an ID token that contains the user's name, nickname, profile picture, and email information.

Initiate the authentication flow by sending the user to the authorization URL:

https://{yourDomain}/authorize?
  response_type=code&
  client_id={yourClientId}&
  redirect_uri={<https://yourApp/callback>}&
  scope=openid%20profile%20email&
  state=YOUR_STATE_VALUE

Notice that in this example:

The response_type parameter includes one value:
- code: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive the ID Token we need for authentication.
The scope parameter includes three values; the requested OIDC scopes:
- openid: to indicate that the application intends to use OIDC to verify the user's identity.
- profile: to get name, nickname, and picture.
- email: to get email and email_verified.

After the user consents (if necessary) and Login 3.0 redirects back to your app, request tokens.

Extract the ID token from the response and decode it. You should see the following claims:

{
  "name": "John Doe",
  "nickname": "john.doe",
  "picture": "<https://myawesomeavatar.com/avatar.png>",
  "updated_at": "2017-03-30T15:13:40.474Z",
  "email": "john.doe@test.com",
  "email_verified": false,
  "iss": "https://{yourDomain}/",
  "sub": "login3.0|USER-ID",
  "aud": "{yourClientId}",
  "exp": 1490922820,
  "iat": 1490886820,
  "nonce": "crypto-value",
  "at_hash": "IoS3ZGppJKUn3Bta_LgE2A"
}

Your app can now retrieve the user attributes and use them to personalize your UI.

Request custom API access

In this example, we request a custom scope for a calendar API that will authorize the calling application to read appointments for the user. To do this, we want to get an access token containing the proper scope to read appointments from the API.

Before using a custom API, you need to know what scopes are available for the API you are calling. If the custom API is under your control, you need to register both your application and API with Login 3.0 and define the scopes for your API using the Login 3.0 Dashboard. You can also use defined permissions to customize the consent prompt for your users.

Initiate the authorization flow by sending the user to the authorization URL:

https://{yourDomain}/authorize?
  response_type=code&
  client_id={yourClientId}&
  redirect_uri={<https://yourApp/callback>}&
  scope=read:appointments&
  audience=YOUR_API_AUDIENCE&
  state=YOUR_STATE_VALUE

Notice that in this example:

The response_type parameter still includes one value:
- code: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive the Access Token that we can use to call our API.
The scope parameter includes one value; the requested API scope:
- read:appointments: to allow us to read the user's appointments from the API.
The audience parameter is new and includes one value:
- The unique identifier of the API from which we want to read the user's appointments.

As in the previous example, after the user consents (if necessary) and Login 3.0 redirects back to your app, request tokens.

Extract the access token from the response, and call the API using the access token as credentials.

Authenticate a user and request standard claims and custom API access

In this example, we combine our previous two examples to authenticate a user, request standard claims, and also request a custom scope for a calendar API that will allow the calling application to read appointments for the user. To do this, get two tokens:

ID token that contains:
- User name
- Nickname
- Profile picture
- Email information
Access token that contains the proper scope to read appointments from the API.

Initiate the authentication flow by sending the user to the authorization URL:

https://{yourDomain}/authorize?
  response_type=code&
  client_id={yourClientId}&
  redirect_uri={<https://yourApp/callback>}&
  scope=openid%20profile%20email%20read:appointments&
  audience=YOUR_API_AUDIENCE&
  state=YOUR_STATE_VALUE

Notice that in this example:

The response_type parameter still includes one value:
- code: because we are using the regular web app flow, our initial request is for an authorization code; when we request our tokens using this code, we will receive both the ID token we need for authentication and the access token that we can use to call our API.
The scope parameter is used for both OIDC scopes and API scopes, so now includes four values:
- openid: to indicate that the application intends to use OIDC to verify the user's identity.
- profile: to get name, nickname, and picture.
- email: to get email and email_verified.
- read:appointments: to allow us to read the user's appointments from the API.
The audience parameter includes one value:
- The unique identifier of the API from which we want to read the user's appointments.

As in the previous examples, after the user consents (if necessary) and Login 3.0 redirects back to your app, request tokens.

Extract the ID token from the response, decode it, and retrieve the user attributes and use them to personalize your UI.

Extract the access token from the response, and call the API using the access token as credentials.

PreviousOpenID Connect Scopes NextPlan and Design

Last updated 6 months ago

Was this helpful?