Cognito Client Integration Guide
Updated links to point to the stage environment. Added a new URL for the lightweight registration page.

Change Log

WayGee

  • Initial Creation

WayGee

  • Added a one-liner about the LW reg screen performing a duplicate check

WayGee

Jonathan

  • Added link to jwt.io

WayGee

  • Added logout_uri parameter to Lightweight Registration link in step 6. This parameter is necessary to accommodate a cancel button that was added to the lightweight registration screen. If the user hits cancel, then they are logged out and redirected to the logout_uri.

WayGee

  • Added cookie naming and storage requirements for Step 4.

Jonathan

  • Added state parameter to /login and /authorize endpoints

WayGee

Jonathan

  • Refreshed examples to use public Toy client


...

Step 2: Add link to Cognito Hosted Login

Add a link in the form of:

https://stage-account.usta.com/login?
client_id=[your_client_id]&
response_type=code&
scope=openid+email+profile+api-customer/customer:read&
state=29ca0dd4-966d-400d-9abc-570568f5c339&
redirect_uri=[your_redirect_uri]

When a token for the authorized customer is needed, the Client API application must follow the standard OAuth 2.0 flow using the authorization code grant type. To perform this flow, the Client API must be registered in the USTA authentication service and must have a valid:

  • clientId - generated for every API Client during registration

  • secret - generated for every API Client during registration

  • callbackUri - the endpoint to which the authorization code is passed after a successful login; it must be configured for every client

  • state - a randomly generated value such as a UUID, used to prevent CSRF attacks, for example '29ca0dd4-966d-400d-9abc-570568f5c339'

Code Block
# Scopes are separated by spaces: --data-urlencode turns each space into '+'.
# Literal '+' signs in the value would be sent as %2B and break the scope list.
curl --request POST 'https://stage-account.usta.com/login' \
--data-urlencode 'client_id=1la1cpfbluheh4jkr8dsvdgr32' \
--data-urlencode 'response_type=code' \
--data-urlencode 'scope=api-customer/customer:read aws.cognito.signin.user.admin email openid profile' \
--data-urlencode 'state=29ca0dd4-966d-400d-9abc-570568f5c339' \
--data-urlencode 'redirect_uri=http://localhost:8000/logged_in.html'
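As an added example that is not part of the original guide, the Python helper below shows the client side of the flow described above: it generates the state value, builds the /login request with the parameters listed (client_id and redirect_uri are placeholders for the client's registered values), and validates the callback by checking the registered redirect URI and comparing state before the code is exchanged. It uses secrets.token_urlsafe for state where the guide's examples use a UUID; either works as long as the value is unguessable and stored server-side until the callback arrives.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs

# Stage hosted-login endpoint from the guide. client_id and redirect_uri are
# placeholders: a real client substitutes the values issued at registration.
LOGIN_ENDPOINT = "https://stage-account.usta.com/login"
CLIENT_ID = "[your_client_id]"
REDIRECT_URI = "http://localhost:8000/logged_in.html"
SCOPES = ["openid", "email", "profile", "api-customer/customer:read"]


def new_state() -> str:
    """Unguessable per-login state; persist it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_login_url(state: str, client_id: str = CLIENT_ID,
                    redirect_uri: str = REDIRECT_URI, scopes=SCOPES) -> str:
    """Build the authorization-code request URL.
    Scopes are joined with spaces so urlencode emits '+' between them;
    a literal '+' in the value would be sent as %2B instead."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "redirect_uri": redirect_uri,
    }
    return f"{LOGIN_ENDPOINT}?{urlencode(params)}"


def validate_callback(callback_url: str, expected_state: str,
                      registered_redirect_uri: str = REDIRECT_URI) -> Optional[str]:
    """Return the authorization code only if the callback is trustworthy.
    Rejects: a callback that did not land on the registered callbackUri,
    missing or repeated state/code parameters, and a state that does not
    match the stored value (the CSRF case the guide's state parameter exists for)."""
    parsed = urlparse(callback_url)
    if parsed._replace(query="", fragment="").geturl() != registered_redirect_uri:
        return None
    query = parse_qs(parsed.query, keep_blank_values=True)
    states, codes = query.get("state", []), query.get("code", [])
    if len(states) != 1 or len(codes) != 1 or not codes[0]:
        return None
    if not hmac.compare_digest(states[0], expected_state):  # constant-time compare
        return None
    return codes[0]
```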

To perform login as a customer, the API Client application follows these steps:

  1. The client app redirects the browser to the login or authorize URL:

    • https://stage-account.usta.com/login - use this if the customer should be asked whether they want to continue as the currently logged-in user before authentication

    • https://stage-account.usta.com/oauth2/authorize - use this if the application should NOT ask the customer whether they want to continue as the current, logged-in user (from the SSO session); the user is logged in automatically if an SSO session is in place

    The chosen URL is called with these query parameters:

      • client_id={clientId} - mandatory, for example: 25idmdru0ucur4loa3hklcvpsa

      • response_type=code - mandatory

      • scope={requested scopes} - optional; if empty, all required scopes are assigned to the token

      • state={random value} - a randomly generated value such as a UUID, used to prevent CSRF attacks, for example '29ca0dd4-966d-400d-9abc-570568f5c339'

      • redirect_uri={callbackUri} - mandatory, for example: https://www.usta.com/idpresponse

  2. After the redirect, the customer can sign in or sign up using an email address and password or a Facebook account:

...

Step 6: Redirect to the Lightweight Profile Registration Page if the Hybris profile does not exist or the LW profile is incomplete

Customers can create a USTA profile there by filling out the basic, mandatory data. When a customer clicks the “Register” button and all data is valid, the browser is redirected back to the supplied redirectUri and the access_token can be used against the services.

...