Hosted Login UI
You can easily get started with Quasr using the Hosted Login UI and by connecting your app using OAuth 2.0 / OpenID Connect 1.0. If you're not already familiar please visit oauth.net. In this section we'll just explain the basics to get started.
We recommend you use a standard OAuth 2.0 / OpenID Connect 1.0 library or module for your chosen application framework. Some sources:
https://oauth.net/code/ (Client Libraries)
https://openid.net/certified-open-id-developer-tools/ (Relying Party)
Be mindful using other open-source libraries, or building your own using partial libraries (JWT), you could introduce undesired security issues. Best to always use expert-vetted libraries that comply with standard.
High-level the process is as follows:
Your application requests authorization from Quasr and is redirected to the Hosted Login UI.
The user signs up or logs in on the Hosted Login UI and once finished will be redirect back to a specific return URL in your application.
Your application receives an ID token and/or an authorization code. The ID token is a JWT and can be used by your application to personalise the experience (it contains the user ID and can contain various personal attributes such as name). The authorization code can be exchanged.
If desired your application can exchange the authorization code for an access token (and also an ID and a refresh token). The access token is also a JWT and can be used to access Quasr, and/or your own API backend.
The initial call is as follows:
GET https://{tenant_id}.api.quasr.io/oauth2/authorize
Request authorization for a specific client.
Query Parameters
client_id*
String
ID of the client
response_type*
String
code and/or id_token (if unsure choose id_token)
scope
String
requested scopes
state
String
application state - mechanism to pass state from your application through the flow
nonce
String
random value to be passed back in the id_token as check
redirect_uri
String
the URL where to provide the code and/or id_token to (must be registered on client)
code_challenge
String
random value (PKCE) - required for response_type=code
code_challenge_method
String
plain or S256 (PKCE) - required for response_type=code (if unsure choose plain)
prompt
String
currently only login is supported - forces the Hosted Login UI to discard a user's existing session (if present)
mode
String
currently only test is supported - forces the Hosted Login UI to bypass the API cache
As we align with OAuth 2.1 we require Proof Key for Code Exchange (PKCE) which means that your application will need to generate a unique key (code_challenge) for every request and include this in either clear (plain) or hashed format (S256) in the initial call to the authorize endpoint. Subsequently when you're exchanging the authorization code for tokens you must now also provide this key in clear text as validation.
Last updated