Complete Authentication
Complete user sign-in in your application and request user profile and session tokens from AuthN
Application redirect route
If the redirect_uri provided in the login URL has a match in Redirect (Callback) Settings, Pangea will use it to send the user back to your application after their successful authentication.
If no redirect_uri is provided in the login URL, after a successful login the user is redirected to the Default Hosted Redirect URI.
The redirect route in your application will receive the following parameters in the redirect URI query:
state
Your application should proceed with user authentication only if the value of the state parameter stored by your application matches the state parameter value received in the redirect route URL query. If the values do not match, the redirect is not considered a response to your application's login request. The state value is request-specific and should be discarded after this check is performed.
code
The code value included in the redirect URI query is a short-lived, one-time-use opaque credential linked to the authenticated user session at Pangea. After your application verifies the state value, it can exchange the code for the user's session tokens and profile information using AuthN APIs.
Example redirect URL
http://localhost:5173/redirect?code=pmc_uvzpd6qtyfsxusfxfmqa2gnegz34vtvp&state=j5U6PgvtZdNi
Request user profile and session tokens
The code value you receive in your application redirect route does not bear any meaningful information by itself, but it is linked to the user session in your Pangea project. You need to make a request to the AuthN /v2/client/userinfo endpoint to exchange the code value for the user profile and session tokens, thus completing the login process in your application.
The endpoint requires authorization with an AuthN service token. You should use either the AuthN Default Token created when you activated the service or a token created and explicitly associated with AuthN under Project Settings >> Tokens. Send your exchange request to the domain associated with the AuthN service, which can be copied from AuthN Overview >> Configuration Details.
Example request
export PANGEA_DOMAIN="aws.us.pangea.cloud"
export PANGEA_AUTHN_TOKEN="pts_2lusaf...dj47sy"

// Set PANGEA_DOMAIN and PANGEA_AUTHN_TOKEN
// ...
const redirect = async (route) => {
  // Compare the state saved before the login redirect with the one returned,
  // then discard it: the value is request-specific and single-use.
  const state = localStorage.getItem('state');
  localStorage.removeItem('state');
  if (state !== route.query.state) {
    return false;
  }
  // Exchange the one-time code for the user's profile and session tokens.
  // The request is authorized with the AuthN service token.
  const response = await fetch(`https://authn.${PANGEA_DOMAIN}/v2/client/userinfo`, {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${PANGEA_AUTHN_TOKEN}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      code: route.query.code
    })
  });
  const userinfo = await response.json();
  if (userinfo?.status === 'Success') {
    // setSession is your application's own session handler.
    setSession(userinfo);
    return true;
  }
  return false;
};
You can explore other options for interacting with the /v2/client/userinfo endpoint in the interactive AuthN API Reference.
Example response
In the authentication response, you will receive the user profile information and the session tokens. The format of the user active token will depend on the AuthN Session Configuration settings in the Pangea User Console:
- Opaque Session Tokens - The active token value is a unique identifier that references a session managed by Pangea. Your application uses the /v2/client/token/check endpoint to verify the user's session and get their profile.
- JSON Web Tokens (JWT) - The active token is a standard, optionally signed JWT with encoded user and claims information. The validated and decoded token can serve as the session confirmation and the source of user profile data.
{
  "status": "Success",
  "result": {
    "active_token": {
      "token": "ptu_kuoqvvxk4yhirapuhw6bs7nunp",
      "id": "pmt_e3nqvvxk4yhirapuhw6bs7n7sk",
      "type": "user",
      "life": 172799,
      "expire": "2024-05-12T21:16:19.029336Z",
      "enabled": true,
      "identity": "pui_cgwqvvxk4yhirapuhw6bs7nbxr",
      "email": "example.user@example.com",
      "owner": "example.user@example.com",
      "profile": {
        "email": "example.user@example.com",
        "first_name": "Example",
        "last_name": "User",
        "phone": "907...",
        ...
      },
      "created_at": "2024-05-10T21:16:19.037372Z",
      "intelligence": {
        "embargo": false,
        "ip_intel": {
          "is_bad": false,
          "reputation": {
            ...
          },
          "geolocation": {
            ...
          },
          "is_vpn": false,
          "is_proxy": true
        },
        "domain_intel": {
          "is_bad": false,
          "reputation": {
            ...
          }
        },
        "user_intel": false
      }
    },
    "refresh_token": {
      "token": "ptr_tukqvvxk4yhirapuhw6bs7nj3k",
      "id": "pmt_7agqvvxk4yhirapuhw6bs7npay",
      "type": "session",
      "life": 172799,
      "expire": "2024-05-12T21:16:19.029336Z",
      "enabled": true,
      "identity": "pui_cgwqvvxk4yhirapuhw6bs7nbxr",
      "email": "example.user@example.com",
      "owner": "example.user@example.com",
      "profile": {
        "email": "example.user@example.com",
        "first_name": "Example",
        "last_name": "User",
        "phone": "907...",
        ...
      },
      "created_at": "2024-05-10T21:16:19.030784Z",
      "intelligence": {
        "embargo": false,
        "ip_intel": {
          "is_bad": false,
          "reputation": {
            ...
          },
          "geolocation": {
            ...
          },
          "is_vpn": false,
          "is_proxy": true
        },
        "domain_intel": {
          "is_bad": false,
          "reputation": {
            ...
          }
        },
        "user_intel": false
      }
    }
  },
  ...
}