Authentication

Authentication Flows Access Token Login Sign Up

Authentication implementation With OAuth Authorization Code Grant.

Authorization Code Grant Flow for Client without Secret

Authorization Code Grant Flow without Refresh Token

User contacts this url

https://<cognito domain>/oauth2/authorize?response_type=code&client_id=<client_id>&redirect_uri=<callBack URL for login>

It is a normal HTTP GET no authorization or other headers are needed. cognito_domain : provided after the client is set up by the HxDR team client_id : provided after the client is set up by the HxDR team callBack url for log in : Url for callback (this is the login URL callback set in the client) e.g. http://localhost:4200 (opens in a new tab)

Getting the Authorization Code

If the client_id and the redirect_uri used in the previous step are recognized by the OAuth IDP, then a authorization_code is generated. This code is passed as query parameter to the redirect_uri used in the previous step.

authorization_code cognito_domain The body of the request is of content-type application/x-www-form-urlencoded.

This must be set in the Content-Type header of the POST request.

The body must contain the following fields:

grant_type: Set to authorization_code for this grant.
code: The authorization_code that’s vended to the user.
client_id: Same as from the request in Step 1.
redirect_uri: Same as from the request in Step 1, no explicit URL-encoding needed, use it as string.

Retrieve the tokens

The result of step 2 if successful will be a json answer with the follwing fields :

id_token – A valid user pool ID token. Note that an ID token is only provided if the openid scope was requested.
access_token – A valid user pool access token.
refresh_token – A valid user pool refresh token. This can be used to retrieve new tokens by sending it through a POST request to https://AUTH_DOMAIN/oauth2/token, specifying the refresh_token and client_id parameters, and setting the grant_type parameter to “refresh_token“.
expires_in – The length of time (in seconds) that the provided ID and/or access token(s) are valid for.
token_type – Set to “Bearer“.

The application endpoints expects an AccesToken in the authorization header.

Authorization Code Grant Flow with Refresh Token

POST to get access and refresh tokens using the authorization code

       const urlParams = new URLSearchParams(window.location.search);
       const codeParam = urlParams.get('code');
 
       fetch(TOKEN_ENDPOINT, {
         method: 'POST',
         body: new URLSearchParams({
           grant_type: 'authorization_code',
           client_id: CLIENT_ID,
           code: codeParam,
           redirect_uri: 'http://localhost:4200',
         }),
       });
 ```
 
### POST to get acces token using the refresh token
 
 ```javascript
 fetch(TOKEN_ENDPOINT, {
   method: 'POST',
   body: new URLSearchParams({
     grant_type: 'refresh_token',
     client_id: CLIENT_ID,
     refresh_token: refreshToken,
   }),
 });
 ```
 
### Generate login redirect url with PKCE
 
```javascript
import {v4 as uuidv4} from 'uuid';
 
function base64UrlEncode(str: ArrayBuffer) {
 return btoa(String.fromCharCode.apply(null, new Uint8Array(str) as unknown as number[]))
     .replace(/\+/g, "-")
     .replace(/\//g, "_")
     .replace(/=+$/, "")
}
 
async function sha256(str: string): Promise<ArrayBuffer> {
 return await crypto.subtle.digest("SHA-256", new TextEncoder().encode(str));
}
 
export async function generateLoginRedirectEndPoint() {
 const state = uuidv4();
 const codeVerifier = uuidv4();
 const codeChallenge = base64UrlEncode(await sha256(codeVerifier));
 
 window.sessionStorage.setItem(state, codeVerifier);
 return `${AUTHORIZATION_ENDPOINT}?response_type=code&client_id=${CLIENT_ID}&redirect_uri=${REDIRECT_URI}&state=${state}&code_challenge=${codeChallenge}&code_challenge_method=S256`
}

POST to get access and refresh tokens using the authorization code with PKCE

const urlParams = new URLSearchParams(window.location.search);
const codeParam = urlParams.get('code');
const stateParam = urlParams.get('state');
const codeVerifier = window.sessionStorage.getItem(stateParam);
 
fetch(TOKEN_ENDPOINT, {
  method: 'POST',
  body: new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    code: code,
    redirect_uri: 'http://localhost:4200',
    code_verifier: codeVerifier,
  }),
});

GraphQL API reference

This section lists a few examples. Please refer to HxDR GraphQL Playground (opens in a new tab) to explore complete schema.

query GetUser {
    getUser {
        id
        accountRole
        tenantRole
        lastLoginAt
    }
}

To successfully execute a request on HxDR GraphQL playground, See following :

Using HxDR GraphQL API→Authentication→Access token→

SignupV4

This mutation creates a new account with a new account admin, using the provided details. If the signature is provided, the information inside the signature will be used. The address provided will be validated. Current version of HxDR only allows signature-based sign ups.

JS-SDK reference

Auth
Identity authentication

Account Integrations