Connect your app


Last updated 1 year ago

You have three options for connecting your applications: the Hosted Login UI, a Custom Login UI, or an Embedded Login UI. Each is described below and summarised at the end of this page.

If you choose the embedded setup your users won't experience Single Sign-On (SSO): if a user wants to log into another application on the same device they'll have to log in again. Hence we advise you to choose this approach only if you operate on constrained devices that run a single app. If your device can open a browser it can still be beneficial not to go the embedded route, if you want to improve the user experience across different channels.

Hosted Login UI

You connect your app to Quasr using OpenID Connect and use the Quasr hosted login page.

OpenID Connect

OpenID Connect is an Internet standard for identity federation, meaning it allows your apps to use a centralized identity provider. The standard builds upon OAuth 2.0, which is relevant for API access control. Hence it combines both identity and access control for your apps.

Don't worry, it's an easy standard. In short:

  1. Your app redirects to the authorization endpoint on Quasr, which triggers the login.

  2. Your user signs up or logs in using the Quasr login page.

  3. When finished, Quasr redirects back to your application with tokens: both an identity and an access token. Both are signed JWTs. Your application can consume the identity token to learn about the user; the access token you can use towards your backend APIs.

See: Hosted Login UI

Detailed Flow

The sequence diagram below details the entire flow.

[Sequence diagram: Standard OpenID Connect (OIDC) flow with Hosted Login Page]

Custom Login UI

You connect your app to Quasr using OpenID Connect and use your own custom login page.

OpenID Connect

OpenID Connect is an Internet standard for identity federation, meaning it allows your apps to use a centralized identity provider. The standard builds upon OAuth 2.0, which is relevant for API access control. Hence it combines both identity and access control for your apps.

Don't worry, it's an easy standard. In short:

  1. Your app redirects to the authorization endpoint on Quasr, which triggers the login.

  2. Your user signs up or logs in using your own custom login page.

  3. When finished, Quasr redirects back to your application with tokens: both an identity and an access token. Both are signed JWTs. Your application can consume the identity token to learn about the user; the access token you can use towards your backend APIs.

Authentication API

You build your custom login page using the Authentication API provided by Quasr.

Don't panic, it's an easy flow. In short:

  1. You sign up or log in using the authentication factors and obtain a session token.

  2. Once you reach the required score you can get a consent token with your session.

  3. You redirect back to the authorization endpoint on Quasr using the consent token.

See: Custom Login UI

Detailed Flow

The sequence diagram below details the entire flow.

[Sequence diagram: Standard OpenID Connect (OIDC) flow with Custom Login Page]
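The three OpenID Connect steps above are the same for the Hosted and Custom Login UI options, so here is one relying-party client covering both, written as an added example for this page rather than code from Quasr. It builds the redirect to the authorization endpoint, checks the redirect back, prepares the authorization-code token request, and validates the returned identity token before trusting any claim in it. It goes beyond the page's three steps by adding the standard state, nonce and PKCE protections. The issuer, endpoint URLs, client id and client secret are placeholders, and the identity token is assumed to be HS256-signed with the client secret (OIDC also allows asymmetric signatures, in which case you verify against the provider's published JWKS instead); the `make_test_id_token` helper only exists to exercise the verifier offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders, not real Quasr values: take these from your tenant's OIDC metadata.
ISSUER = "https://tenant.example.invalid"
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_login():
    """Step 1: build the redirect to the authorization endpoint.
    state ties the callback to this browser session, nonce ties the identity token
    to this request, and PKCE ties the code exchange to this client instance."""
    state = b64url(secrets.token_bytes(16))
    nonce = b64url(secrets.token_bytes(16))
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    session = {"state": state, "nonce": nonce, "code_verifier": verifier}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def handle_callback(callback_url: str, session: dict) -> dict:
    """Step 3a: check the redirect back and prepare the token request body.
    A state that does not match what we stored means the callback is not ours."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: stale or foreign callback")
    return {  # POST this form-encoded to the token endpoint to obtain the tokens
        "grant_type": "authorization_code",
        "code": q["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],
    }


def verify_id_token(token: str, client_secret: bytes, nonce: str, now=None) -> dict:
    """Step 3b: validate the signed identity token before consuming it.
    Assumes HS256 keyed with the client secret; rejects any other alg (including none)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: " + str(header.get("alg")))
    expected = hmac.new(client_secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: token replayed or from another login")
    return claims


def make_test_id_token(claims: dict, client_secret: bytes) -> str:
    """Constructed helper (not a Quasr API): mint an HS256 token to test the verifier."""
    h64 = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p64 = b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{b64url(sig)}"
```

The per-login `session` dict must live server-side (or in an HttpOnly cookie) between `start_login` and `handle_callback`; the identity token is only consumed after `verify_id_token` returns, and the access token is forwarded to your backend APIs unchanged.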

Embedded Login UI

You connect your app to Quasr using the Authentication API and embed the login in your app.

Authentication API

You call the Authentication API provided by Quasr directly from your application.

The flow is straightforward:

  1. You sign up or log in using the authentication factors and obtain a session token.

  2. Once you reach the required score you can get a consent token with your session.

  3. You exchange the consent token for identity and access tokens at the token endpoint.

Detailed Flow

The sequence diagram below details the entire flow.

[Sequence diagram: Embedded flow]

The token request in the diagram exchanges the consent token for identity and/or access tokens (in contrast with the OIDC flows, where an authorization code is used). This flow uses the OAuth 2.0 JWT grant type (urn:ietf:params:oauth:grant-type:jwt-bearer) and currently only accepts consent tokens.

Due to the embedded nature of this setup your app can hold up to five tokens:

  1. session token (used for signup, login and consent = 2): only used against Quasr; short- or long-lived and multiple use

  2. consent token (exchanged for other tokens = 3/4/5): only used against Quasr; short-lived and single use

  3. identity token (used by your app for user info): only used by your app; short-lived and single use

  4. access token (used against your API backend): only used against Quasr and/or your API; short- or long-lived and multiple use

  5. refresh token (used to obtain new tokens = 3/4/5): only used against Quasr; long-lived and single use

All play a distinct role and should be kept secure.

See: Embedded Login UI
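The embedded option leaves your app holding all five tokens, each with its own destination and lifetime. As an added example that is not Quasr's own code, the block below builds the JWT-bearer token request named above (grant type `urn:ietf:params:oauth:grant-type:jwt-bearer`, consent token as the assertion, per RFC 7523) and wraps the tokens in a small vault that enforces the rules from the list: a token is only released towards the party it is meant for, expired tokens are dropped rather than sent, and the consent, identity and refresh tokens are consumed on first use. The token endpoint, the client id parameter and the token response shape are assumptions; the lifetimes passed to `store` are constructed for the demonstration.

```python
import json
import time
from urllib.parse import urlencode

# Constructed placeholder: the real token endpoint comes from your tenant's OIDC metadata.
TOKEN_ENDPOINT = "https://tenant.example.invalid/token"
# Grant type named on the page for exchanging a consent token (RFC 7523 JWT bearer).
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Where each of the five tokens may be presented, and which are single use, following
# the token list above: "quasr" = Quasr endpoints, "api" = your backend, "app" = local use.
ALLOWED_DESTINATIONS = {
    "session": {"quasr"},
    "consent": {"quasr"},
    "identity": {"app"},
    "access": {"quasr", "api"},
    "refresh": {"quasr"},
}
SINGLE_USE = {"consent", "identity", "refresh"}


class TokenVault:
    """Holds the tokens an embedded app ends up with and enforces their usage rules."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._tokens = {}  # kind -> {"value": str, "exp": float, "used": bool}

    def store(self, kind, value, ttl_seconds):
        if kind not in ALLOWED_DESTINATIONS:
            raise ValueError("unknown token kind: " + kind)
        self._tokens[kind] = {"value": value, "exp": self._now() + ttl_seconds, "used": False}

    def take(self, kind, destination):
        """Release a token for presentation to `destination`, applying all rules."""
        rec = self._tokens.get(kind)
        if rec is None:
            raise LookupError("no " + kind + " token held")
        if destination not in ALLOWED_DESTINATIONS[kind]:
            raise PermissionError(kind + " token must not be sent to " + destination)
        if rec["exp"] <= self._now():
            del self._tokens[kind]
            raise ValueError(kind + " token expired")
        if rec["used"]:
            raise ValueError(kind + " token already used")
        if kind in SINGLE_USE:
            rec["used"] = True
        return rec["value"]

    def held(self):
        """Kinds of token still usable (not yet consumed)."""
        return sorted(k for k, r in self._tokens.items() if not r["used"])


def consent_exchange_request(vault, client_id):
    """Step 3 of the embedded flow: the JWT-bearer token request carrying the consent
    token as the assertion. Returns (endpoint, form-encoded body) for you to POST."""
    body = {
        "grant_type": JWT_BEARER,
        "assertion": vault.take("consent", "quasr"),
        "client_id": client_id,  # assumption: a public client identifying itself by id
    }
    return TOKEN_ENDPOINT, urlencode(body)


def refresh_request(vault, client_id):
    """Later on: spend the single-use refresh token to obtain a new token set (3/4/5)."""
    body = {
        "grant_type": "refresh_token",
        "refresh_token": vault.take("refresh", "quasr"),
        "client_id": client_id,
    }
    return TOKEN_ENDPOINT, urlencode(body)


def store_token_response(vault, response_json, id_ttl=300, refresh_ttl=30 * 24 * 3600):
    """Put a token response (assumed shape: access_token, expires_in, id_token,
    refresh_token) into the vault. The id/refresh lifetimes are constructed defaults;
    derive them from each JWT's exp claim in a real client."""
    data = json.loads(response_json)
    vault.store("access", data["access_token"], data["expires_in"])
    if "id_token" in data:
        vault.store("identity", data["id_token"], id_ttl)
    if "refresh_token" in data:
        vault.store("refresh", data["refresh_token"], refresh_ttl)
    return vault.held()
```

Routing every outbound use of a token through `take` is what keeps the session token from ever reaching your own API and the consent token from being replayed; on a device, back the vault with the platform keystore rather than plain memory.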

If your app is a mobile app (relevant to the hosted and custom options, which redirect to a browser), be mindful that it will need to follow redirects and open a browser for the login experience. Also, the redirect URI will need to open the app from the browser (see: https://stackoverflow.com/questions/25883113/open-ios-app-from-browser).

Options at a glance

HOSTED (recommended)

You connect your app with Quasr using OpenID Connect and use the Quasr Hosted Login UI.

Choose this if you want to get started quickly.

CUSTOM

You connect your app with Quasr using OpenID Connect and use your own custom login UI (using the Authentication API).

Choose this if you want to customize your login page.

EMBEDDED (warning)

You connect your app with Quasr using the Authentication API and embed your own custom login UI in your app.

Choose this if your app sits on a constrained device (or you require no redirect / a single app).