Connect your app

You connect your app to Quasr using OpenID Connect and use the Quasr hosted login page.

OpenID Connect

OpenID Connect is an Internet standard for identity federation, meaning it allows your apps to use a centralized identity provider. The standard builds upon OAuth 2.0 which is relevant for API access control. Hence it combines both identity and access control for your apps.

Don't worry it's an easy standard, in short:

Your app redirects to the authorization endpoint on Quasr which triggers the login.
Your user signs up or logs in using the Quasr login page.
When finished Quasr redirects back to your application with tokens, both an identity and an access token. Both tokens are signed JWT tokens. Your application can consume the identity token to learn about the user; the acces token you can use towards your backend APIs.

See: Hosted Login UI

Detailed Flow

Below sequence diagram detailing the entire flow.

If your app is a mobile app be mindful it will need to follow redirects and open a browser for the login experience. Also the redirect URI will need to open the app from the browser (see: https://stackoverflow.com/questions/25883113/open-ios-app-from-browser).

You connect your app to Quasr using OpenID Connect and use your own custom login page.

OpenID Connect

OpenID Connect is an Internet standard for identity federation, meaning it allows your apps to use a centralized identity provider. The standard builds upon OAuth 2.0 which is relevant for API access control. Hence it combines both identity and access control for your apps.

Don't worry it's an easy standard, in short:

Your app redirects to the authorization endpoint on Quasr which triggers the login.
Your user signs up or logs in using your own custom login page.
When finished Quasr redirects back to your application with tokens, both an identity and an access token. Both tokens are signed JWT tokens. Your application can consume the identity token to learn about the user; the access token you can use towards your backend APIs.

See: Hosted Login UI

Authentication API

You build your custom login page using the Authentication API provided by Quasr.

Don't panic it's an easy flow, in short:

You sign up or login using the authentication factors and obtain a session token.
Once you reach the required score you can get a consent token with your session.
You redirect back to the authorization endpoint on Quasr using the consent token.

See: Custom Login UI

Detailed Flow

Below sequence diagram detailing the entire flow.

If your app is a mobile app be mindful it will need to follow redirects and open a browser for the login experience. Also the redirect URI will need to open the app from the browser (see: https://stackoverflow.com/questions/25883113/open-ios-app-from-browser).

You connect your app to Quasr using the Authentication API and embed login in your app.

Authentication API

You call the Authentication API provided by Quasr directly from your application.

The flow is straightforward:

You sign up or login using the authentication factors and obtain a session token.
Once you reach the required score you can get a consent token with your session.
You exchange the consent token for identity and access tokens at the token endpoint.

See: Embedded Login UI

Detailed Flow

Below sequence diagram detailing the entire flow.

The token request above exchanges the consent token for identity and/or access tokens (this in contrast with the OIDC flows where an authorization code is used). This flow uses the OAuth 2.0 JWT grant type (urn:ietf:params:oauth:grant-type:jwt-bearer) and currently only accepts consent tokens.

Due to the embedded nature of this setup your app can contain up to five tokens:

session token (used for signup, login and consent = 2) only used against Quasr, short/long-lived and multiple use
consent token (used to exchange for other tokens = 3/4/5) only used against Quasr, short-lived and single use
identity token (to be used by your app for user info) only used by your app, short-lived and single use
access token (to be used against your API backend) only used against Quasr and/or your API; short/long-lived and multiple use
refresh token (to be used for obtaining new tokens = 3/4/5) only used against Quasr; long-lived and single use

All play a distinct separate role and should be kept secure.