Example Flow

Review the authentication steps implemented with Hosted Login

User initiates login and signs in

Diagram

Annotations

  1. A signed-out end user clicks a login link or tries to access a restricted area in your application.
  2. The application checks if the user's request is authenticated. The application can check for a session cookie or a valid token in the Authorization header.
  3. Because the user is signed out, the application can't find any credentials authorizing the request and directs the user to the Pangea Hosted Login page.
  4. The browser redirects to the Pangea Hosted Login page.
  5. The user completes their signup and/or signs in with the Log in / Sign up Flow methods and optional Security Controls that you have configured and enabled in the Pangea User Console, including MFA, EULA, IP Intel checks, etc.

User is redirected (back) to App and App requests User's profile and session tokens from Pangea using AuthN APIs

Diagram

Annotations

  1. The Pangea server redirects the user to the application's redirect route including the state and a code in the URI query.
  2. The user's browser redirects to the application with the state and the code in the URL query.
  3. The application checks if the state value in the response matches the one in the request, confirming that the current user started the authentication request. This can also be used for customizing the login process initiated from different parts of the application.
  4. The application calls the /v2/client/userinfo endpoint to exchange the code value for the user's profile and the session tokens: an active token and a refresh token. The active token value can be used to validate the user's session at Pangea. The refresh token can be used to renew an expired active token.
  5. If the request is properly authorized and the code is valid, the Pangea server responds with the user profile and session tokens. If the active token value received from Pangea is opaque, the application uses AuthN APIs to verify the user session at Pangea and obtain user data. If the session token is a signed JWT, the application validates and decodes the token and can use it to identify the user in subsequent requests.
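The two annotated diagrams describe one procedure: mint a state and redirect, then verify the state on the way back and exchange the code. The following is an added example that models that procedure server-side; it is not Pangea's own code or SDK. The Hosted Login URL and redirect URI are placeholders, the JSON body and response mapping of the /v2/client/userinfo exchange are assumptions to be confirmed against the API reference, and FakePangea is a constructed stand-in for the Pangea server so that the flow runs offline.

```python
# Added example, not Pangea's own code: a minimal server-side model of the
# Hosted Login redirect flow described above. Assumed/hypothetical: the two URL
# placeholders, the JSON shape of the /v2/client/userinfo exchange, and
# FakePangea, a constructed stand-in for the Pangea server.
import base64
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

HOSTED_LOGIN_URL = "https://<your-hosted-login-domain>/authorize"  # placeholder
REDIRECT_URI = "https://app.example.com/auth/callback"              # placeholder
USERINFO_PATH = "/v2/client/userinfo"

class AuthError(Exception):
    pass

def begin_login(session: dict) -> str:
    """First diagram, step 3: no credentials found, so bind a fresh unguessable
    state to the server-side session and redirect to Hosted Login."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return HOSTED_LOGIN_URL + "?" + urlencode({"redirect_uri": REDIRECT_URI, "state": state})

def looks_like_jwt(token: str) -> bool:
    """Second diagram, step 5: three base64url segments whose header is JSON with
    "alg" is treated as a signed JWT (signature verification not shown); anything
    else is an opaque token to be checked through the AuthN APIs."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(header, dict) and "alg" in header

def handle_callback(session: dict, callback_url: str, exchange_code) -> dict:
    """Second diagram, steps 2-5. exchange_code(code) performs the /v2/client/userinfo
    call and returns {"profile", "active_token", "refresh_token"} (assumed shape)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    expected = session.pop("oauth_state", None)  # single use, so a replay fails
    if not expected or not hmac.compare_digest(expected, state):
        raise AuthError("state mismatch: this session did not start the login")
    if not code:
        raise AuthError("callback is missing the code parameter")
    result = exchange_code(code)
    session.update(profile=result["profile"], active_token=result["active_token"],
                   refresh_token=result["refresh_token"],
                   active_token_is_jwt=looks_like_jwt(result["active_token"]))
    return result["profile"]

def exchange_code_http(code: str, client_token: str, base_url: str) -> dict:
    """Assumed request shape for the real exchange: POST JSON {"code": ...} with the
    client token as a bearer credential; returns the parsed JSON body unmapped."""
    req = urllib.request.Request(base_url + USERINFO_PATH, method="POST",
                                 data=json.dumps({"code": code}).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": "Bearer " + client_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class FakePangea:
    """Constructed stand-in for the Pangea server so the flow runs offline."""
    def __init__(self):
        self.codes = {}

    def login(self, login_url: str) -> str:
        # The user signs in; Pangea issues a one-time code and redirects back with
        # the state it was given (second diagram, step 1).
        q = parse_qs(urlparse(login_url).query)
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"profile": {"email": "user@example.com"},         # constructed
                            "active_token": "eyJhbGciOiJSUzI1NiJ9.e30.c2ln",  # constructed, JWT-shaped
                            "refresh_token": "ptr_" + secrets.token_hex(8)}   # constructed, opaque
        return q["redirect_uri"][0] + "?" + urlencode({"state": q["state"][0], "code": code})

    def userinfo(self, code: str) -> dict:
        # /v2/client/userinfo: the code is consumed on first use.
        data = self.codes.pop(code, None)
        if data is None:
            raise AuthError("invalid or already-used code")
        return data

def run_demo() -> dict:
    """Drive the flow once, then show the state check rejecting a replay and a forgery."""
    server, session = FakePangea(), {}
    callback_url = server.login(begin_login(session))
    profile = handle_callback(session, callback_url, server.userinfo)
    outcome = {"email": profile["email"], "is_jwt": session["active_token_is_jwt"],
               "state_cleared": "oauth_state" not in session}
    try:
        handle_callback(session, callback_url, server.userinfo)  # state already consumed
        outcome["replay_rejected"] = False
    except AuthError:
        outcome["replay_rejected"] = True
    begin_login(session)  # fresh attempt; a forged state cannot match it
    try:
        handle_callback(session, REDIRECT_URI + "?state=forged&code=x", server.userinfo)
        outcome["forged_state_rejected"] = False
    except AuthError:
        outcome["forged_state_rejected"] = True
    return outcome

if __name__ == "__main__":
    print(run_demo())
```

Running the file drives the whole flow against the fake server. The two design points worth keeping in a real handler are that the state is stored server-side and consumed on first use, so the same callback URL cannot be replayed, and that it is compared with `hmac.compare_digest` rather than `==`. In production, `exchange_code_http` (or the Pangea SDK) replaces `FakePangea.userinfo`, with its response mapped into the dict shape that `handle_callback` expects.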

The next chapter describes in detail how to complete authentication within your application redirect route using the /v2/client/userinfo endpoint.