Single Sign On
Learn how to use the auth service to authenticate users via SSO
Overview
The auth service supports Single Sign On (SSO) via the following providers:
- Google (/google/...)
- Microsoft (/microsoft/...)
In the following, replace <sso-provider> with the base URL of the provider you want to use (e.g. /google or /microsoft).
Login
Create a frontend form to POST /<sso-provider>/login with the following form parameters:
- Form Param tenant_id=<tenant-id>
- Form Param redirect_uri=<redirect-uri>
The final response will redirect to the redirect_uri with the following query parameters:
| Parameter | Description |
|---|---|
| error | String value that describes a potential error. This parameter is only present if an error occurred. |
Registration
Create a frontend form to POST /<sso-provider>/register with the following form parameters:
- Form Param tenant_id=<tenant-id>
- Form Param redirect_uri=<redirect-uri>
The final response will redirect to the redirect_uri with the following query parameters:
| Parameter | Description |
|---|---|
| error | String value that describes a potential error. This parameter is only present if an error occurred. |
| registrationJwt | The registration JWT token for the user. This parameter is only present if the user does not yet exist and can be registered. |
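The login and registration flows above are the same shape on the client: a form POST to /<sso-provider>/login or /<sso-provider>/register carrying tenant_id and redirect_uri, followed by a redirect back to redirect_uri whose query string must be inspected for error and (for registration) registrationJwt. The following TypeScript is an added example of that client side; it is not part of the auth service. The function names buildSsoForm and parseSsoRedirect, the SsoOutcome type and the origin/path check on the redirect are this example's own choices, and the URLs are constructed sample values.

```typescript
// Added example: client-side helpers for the auth service's SSO flow.
// Names (buildSsoForm, parseSsoRedirect, SsoOutcome) are this example's own.

type SsoProvider = 'google' | 'microsoft';
type SsoAction = 'login' | 'register';

type SsoOutcome =
  | { kind: 'error'; message: string }            // `error` query parameter present
  | { kind: 'needs-registration'; registrationJwt: string } // `registrationJwt` present
  | { kind: 'success' };                           // neither parameter present

// Builds the target URL and form body for POST /<sso-provider>/login or /register.
// The body is application/x-www-form-urlencoded, as a browser form submit would send it.
function buildSsoForm(
  provider: SsoProvider,
  action: SsoAction,
  tenantId: string,
  redirectUri: string,
): { url: string; body: URLSearchParams } {
  return {
    url: `/${provider}/${action}`,
    body: new URLSearchParams({ tenant_id: tenantId, redirect_uri: redirectUri }),
  };
}

// Interprets the location the browser ends up at after the auth service redirects
// to redirect_uri. `error` wins over `registrationJwt` if both are present.
function parseSsoRedirect(location: string, expectedRedirectUri: string): SsoOutcome {
  const url = new URL(location);
  const expected = new URL(expectedRedirectUri);

  // Defensive check (this example's own): only interpret query parameters on the
  // exact redirect_uri we asked for, so a page on another origin or path never
  // consumes an error string or registration token meant for the callback page.
  if (url.origin !== expected.origin || url.pathname !== expected.pathname) {
    return { kind: 'error', message: 'redirect landed on an unexpected URL' };
  }

  const error = url.searchParams.get('error');
  if (error !== null) {
    // Treat the error string as untrusted text: display it, never interpret it as HTML.
    return { kind: 'error', message: error };
  }

  const registrationJwt = url.searchParams.get('registrationJwt');
  if (registrationJwt !== null && registrationJwt.length > 0) {
    return { kind: 'needs-registration', registrationJwt };
  }

  return { kind: 'success' };
}
```

A callback page would call parseSsoRedirect(window.location.href, '<your redirect_uri>') and, on 'needs-registration', hand the registrationJwt to the server-side code that decrypts and verifies it with AUTH_SECRET; the encrypted token is opaque to the browser.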
The returned registrationJwt contains all the data about the user that is provided by the SSO provider.
Therefore it is not only signed with the AUTH_SECRET but also encrypted with the AUTH_SECRET: the signed JWT is wrapped in an encrypted JWE, so the token must be decrypted first and the inner token's signature verified afterwards.
You can access its payload as the following code shows:
```ts
import { jwtVerify, compactDecrypt } from 'jose';

// Decrypts and verifies a registrationJwt with the shared AUTH_SECRET.
// The token is a JWE (encrypted) wrapping a JWS (signed); jose takes the key as bytes.
async function readRegistrationJwt(registrationJwt: string, authSecret: string) {
  const key = new TextEncoder().encode(authSecret);
  const { plaintext } = await compactDecrypt(registrationJwt, key);
  const signedJwt = new TextDecoder().decode(plaintext);
  const { payload } = await jwtVerify(signedJwt, key);
  return payload; // user data supplied by the SSO provider
}
```