Oauth2

Source Code

oauth2 supports various oauth2 login flows. There are many pre-configured providers like auth0 that you may use instead of directly using this scheme.

Usage

const $auth = useAuth()
$auth.loginWith('social')

Additional arguments can be passed through to the OAuth provider using the params key of the second argument:

const $auth = useAuth()
$auth.loginWith('social', { params: { another_post_key: 'value' } })

Token refresh

If your provider issues refresh tokens, these will be used to refresh the token before every axios request. Note: This feature is only supported for jwt tokens.

Behavior when the refresh token has expired

If the refresh token has expired, the token cannot be refreshed. You can find the different behavior for server and client side below.

The user is logged out and navigated to the home page.

Client side (Client initiated axios request)

The user is logged out and navigated to the logout page, for explicitly explaining what happened.

Options

auth: {
  strategies: {
        social: {
            scheme: 'oauth2',
            endpoints: {
                authorization: 'https://accounts.google.com/o/oauth2/auth',
                token: undefined,
                userInfo: 'https://www.googleapis.com/oauth2/v3/userinfo',
                logout: 'https://example.com/logout'
            },
            token: {
                property: 'access_token',
                type: 'Bearer',
                maxAge: 1800,
                httpOnly: false
            },
            refreshToken: {
                property: 'refresh_token',
                httpOnly: false
            },
            responseType: 'token',
            grantType: 'authorization_code',
            accessType: undefined,
            redirectUri: undefined,
            logoutRedirectUri: undefined,
            clientId: 'SET_ME',
            scope: ['openid', 'profile', 'email'],
            state: 'UNIQUE_AND_NON_GUESSABLE',
            codeChallengeMethod: '',
            responseMode: '',
            acrValues: '',
            // autoLogout: false
        }
    }
}

Additional Information

Each endpoint is used to make requests using axios. They are basically extending Axios Request Config.

`authorization`

REQUIRED - Endpoint to start login flow. Depends on oauth service.

If using Google code authorization flow (responseType: 'code') provide a URI for a service that accepts a POST request with JSON payload containing a code property, and returns tokens exchanged by provider for code. See source codeIf a false value is set, we only do login without fetching user profile.

`userInfo`

While not a part of oauth2 spec, almost all oauth2 providers expose this endpoint to get user profile.

`logout`

Endpoint to logout user from Oauth2 provider's system. Ensures that a user is signed out of the current authorization session.

`token`

Additional Information

`property`

Default: access_token

property can be used to specify which field of the response JSON to be used for the value. It can be false to directly use API response or being more complicated like auth.access_token.

If you need to use the IdToken instead of the AccessToken, set this option to id_token.

`expiresProperty`

Default: expires_in

expiresProperty can be used to specify which field of the response JSON to be used for the value.

`type`

Default: Bearer

It will be used in Authorization header of axios requests.

`maxAge`

Default: false

Here you set the expiration time of the token, in seconds. This time will be used if for some reason we couldn't decode the token to get the expiration date. Should be the same as the login page or the relative path to welcome screen.

`httpOnly`

Default: false

If set to true, the token will be made into a httpOnly cookie.

`refreshToken`

Additional Information

`property`

Default: refresh_token

property can be used to specify which field of the response JSON to be used for the value. It can be false to directly use API response or being more complicated like auth.refresh_token.

`expiresProperty`

Default: expires_in

expiresProperty can be used to specify which field of the response JSON to be used for the value.

`maxAge`

Default: 60 * 60 * 24 * 30

Here you set the expiration time of the refresh token, in seconds. This time will be used if for some reason we couldn't decode the token to get the expiration date.

`httpOnly`

Default: false

If set to true, the refresh token will be made into a httpOnly cookie.

This option is experimental.

`responseType`

Additional Information

Default: token

If you use code you may have to implement a server side logic to sign the response code.

`grantType`

Additional Information

Set to authorization_code for authorization code flow.

`accessType`

Additional Information

If using Google code authorization flow (responseType: 'code') set to offline to ensure a refresh token is returned in the initial login request. (See Google documentation)

`redirectUri`

Additional Information

Should be same as login page or relative path to welcome screen. (example)By default it will be inferred from redirect.callback option. (Defaults to /login)

`logoutRedirectUri`

Additional Information

Should be an absolute path to the welcome screen

`clientId`

Additional Information

REQUIRED - oauth2 client id.

`scope`

Additional Information

REQUIRED - Oauth2 access scopes.

`state`

Additional Information

The primary reason for using the state parameter is to mitigate CSRF attacks. (read more) By default is set to random generated string.

`codeChallengeMethod`

Additional Information

By default is 'implicit' which is the current workflow implementation. In order to support PKCE ('pixy') protocol, valid options include 'S256' and 'plain'. (read more)