Hosted Login Flow Overview
Get an overview of the authentication process using AuthN Hosted Login flow
AuthN Hosted Login allows your users to sign up and sign in to your application on a Pangea-hosted login page using login methods and security controls developed and maintained by Pangea. The hosted page can run on a custom domain and you can brand it to match the look and feel of your application, so your users have a seamless experience when signing in. After users are authenticated, they are redirected back to your application with their session and profile information. If your application maintains local users, this information could be used for creating new user records or linked to the existing ones. Overall, the AuthN Hosted Login authentication flow is similar to social authentication implemented with OpenID Connect.
To implement a Pangea-hosted login flow, you need to sign up for a free Pangea account and enable and configure the AuthN service in your Pangea project.
In your application you need to:
- Add a link to your AuthN Hosted Login page, for example:
  <a href="https://login.my.domain.cloud/?redirect_uri=https%3A%2F%2Fmy.domain.cloud%2Fredirect&state=j5U6PgvtZdNi">Sign up / Log in</a>
- Process redirects from the login page and request user information using the AuthN /v2/client/userinfo API.
These are the only Pangea-specific actions you need to take to maintain user sessions locally. To keep the local user session synchronized with the user session at Pangea, you can use the /v2/client/token/check, /v2/client/session/refresh, and /v2/session/logout endpoints in the AuthN APIs.
Overall flow
- User clicks a login link in your application.
- User is sent to the Pangea-hosted login page.
- User completes sign-up and/or sign-in with methods and controls configured in your Pangea project.
- User is redirected back to your application with a confirmation of successful login.
- The application requests the user session tokens and profile from Pangea and receives an active token for validating the session and a refresh token for renewing the active token when it expires.
- Your application uses the user data received from Pangea to create a local user (if necessary) and populate the local user session.
- If the active token value is opaque, your application uses the /v2/client/token/check endpoint to verify the user's session and get their profile.
- If the active token value is a signed JWT, the validated and decoded token can serve as the session confirmation and the source of user profile data.
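The application side of the flow above, as an added example that is not Pangea's own code: it issues the login link with a fresh, single-use state value, rejects a redirect whose state is unknown or reused, and decides whether the returned active token should go to /v2/client/token/check or be validated as a JWT. The in-memory state store, the caller-supplied `exchange` function standing in for the /v2/client/userinfo call, and the "three dot-separated segments" JWT heuristic are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

HOSTED_LOGIN = "https://login.my.domain.cloud/"      # hosted login page from the page's example link
REDIRECT_URI = "https://my.domain.cloud/redirect"   # application endpoint that receives the redirect
_pending_states = {}  # state -> True; assumption: a real app keeps this in its server-side session store


def build_login_link():
    """Build the 'Sign up / Log in' URL with an unguessable, single-use state value."""
    state = secrets.token_urlsafe(16)          # 128 bits of randomness, URL-safe alphabet
    _pending_states[state] = True
    return HOSTED_LOGIN + "?" + urlencode({"redirect_uri": REDIRECT_URI, "state": state})


def handle_redirect(callback_url, exchange):
    """Process the redirect back from the hosted page.

    `exchange(params)` is a caller-supplied function (hypothetical) that calls
    POST /v2/client/userinfo with the redirect parameters and returns the
    active token, refresh token and profile. It is injected so this runs offline.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    state = params.get("state")
    # A state we never issued, or one already consumed, means a forged or replayed callback.
    if state is None or not _pending_states.pop(state, False):
        raise ValueError("unknown or reused state: redirect rejected")
    return exchange(params)


def session_check_strategy(active_token):
    """Opaque token -> ask Pangea via /v2/client/token/check; signed JWT -> validate locally.

    Assumption: a compact JWT is recognised by its three non-empty dot-separated segments.
    """
    parts = active_token.split(".")
    if len(parts) == 3 and all(parts):
        return "validate_jwt"
    return "/v2/client/token/check"
```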