Login
USTA’s implementation of Cognito redirects the user to the Cognito Hosted Login Page (Cognito Native Login). When a user signs in for the first time, we employ a just-in-time migration strategy: users are presented with the option to Sign Up (create a new account) or Sign In with an existing account.
It is the responsibility of the Secure Client page to check if the user’s lightweight profile is completed. If it is not, the user will be redirected to the lightweight profile screen until the required fields are filled out and saved.
Note: Janrain has been deprecated as of 2022.
Approach
Before you begin developing your browser-based application, contact USTA to discuss what data you will need to access from USTA. Credentials for connecting over HTTP will be issued: a USTA Admin will register your application as a client in the Cognito configuration.
Add a login link in the form of: https://stage-account.usta.com/login?client_id=[your_client_id]&response_type=code&redirect_uri=[your_redirect_url]
When a token for the authorized customer is needed, the Client API application must follow the standard OAuth 2.0 flow using the authorization code grant type. To perform this flow the Client API must be registered in the USTA authentication service and hold valid credentials.
To log in as a customer, the API Client application should follow these steps:
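The login link and the code-for-token exchange put together, as an added example (not USTA's or Cognito's own code). The login host and path and the token endpoint are the ones this page shows; client_id, client_secret and redirect_uri are constructed placeholders. The state parameter is an addition recommended by the OAuth 2.0 specification to bind the callback to the browser session that started the login; the page's own link does not include it.

```python
"""Authorization-code login link and code-for-token exchange.

Added example, not USTA's or Cognito's own code. LOGIN_BASE and TOKEN_URL
are taken from the page; client id, secret and redirect URI are
constructed placeholders. `state` is an OAuth 2.0 recommendation added
here so the callback can be matched to the login request that issued it.
"""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

LOGIN_BASE = "https://stage-account.usta.com/login"  # from the page
TOKEN_URL = "https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token"  # from the page's example


def build_login_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Return the link the client application sends the browser to."""
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
    })
    return f"{LOGIN_BASE}?{query}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to {callbackUri}.

    The callback is rejected unless it carries the state we issued, so a
    code planted in a forged redirect is never exchanged.
    """
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our login request")
    codes = params.get("code")
    if not codes:
        raise ValueError("callback carries no authorization code")
    return codes[0]


def build_token_exchange(client_id: str, client_secret: str, code: str, redirect_uri: str):
    """Headers and form body for exchanging the code at /oauth2/token.

    Client credentials travel in the HTTP Basic header, as in the page's
    refresh example; the form body carries the grant parameters.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    })
    return TOKEN_URL, headers, body


if __name__ == "__main__":
    redirect = "https://subdomain.usta.com/callback"  # placeholder client redirect
    state = secrets.token_urlsafe(16)                  # stored in the user's session
    print(build_login_url("example_client_id", redirect, state))
    # Constructed stand-in for the redirect Cognito sends back after login.
    code = parse_callback(f"{redirect}?code=abc123&state={state}", state)
    print(build_token_exchange("example_client_id", "example_secret", code, redirect))
```

The redirect_uri passed to the token endpoint must be byte-for-byte the one used in the login link, otherwise the exchange is refused; keeping both in one place, as above, avoids the most common mismatch.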
Add Logic to Client Secure Landing Page
When valid credentials are provided, the browser is redirected to {callbackUri} with a code={authorizationCode} parameter in the URL.
USTA recommends naming cookies based on the client id. Cookies should also be stored at the subdomain level (i.e. subdomain.usta.com). Cookies should not be stored on the http://usta.com domain, because cookies set there by different clients collide and may be overwritten in unexpected ways.
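One way to apply both recommendations when issuing the session cookie, as an added example (not USTA's own code): the name is derived from the client id and the cookie is scoped to the client's subdomain, with the bare domain refused. The Secure, HttpOnly and SameSite attributes are additions a browser application should set in any case; the client id, host and value are constructed placeholders.

```python
"""Session cookie named per client id and scoped to the client subdomain.

Added example, not USTA's own code. Naming by client id and scoping to
subdomain.usta.com rather than usta.com is the page's advice; Secure,
HttpOnly and SameSite are attributes added here. Client id, host and
cookie value are constructed placeholders.
"""
import re
from http.cookies import SimpleCookie

# The page warns that cookies stored here collide with other clients' cookies.
BARE_DOMAINS = {"usta.com"}


def cookie_name_for(client_id: str, purpose: str = "session") -> str:
    """Derive the cookie name from the client id so no two clients share one.

    Cookie names must be RFC 6265 tokens, so other characters map to '_'.
    """
    safe = re.sub(r"[^A-Za-z0-9_-]", "_", client_id)
    return f"{safe}_{purpose}"


def build_set_cookie(client_id: str, value: str, host: str, max_age: int = 3600) -> str:
    """Return the Set-Cookie header value for the client's own subdomain."""
    host = host.lower().strip(".")
    if host in BARE_DOMAINS:
        raise ValueError(f"refusing to scope a cookie to {host}; use the client subdomain")
    jar = SimpleCookie()
    name = cookie_name_for(client_id)
    jar[name] = value
    morsel = jar[name]
    morsel["domain"] = host       # e.g. subdomain.usta.com, per the page
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    morsel["secure"] = True       # only sent over HTTPS
    morsel["httponly"] = True     # not readable from page scripts
    morsel["samesite"] = "Lax"    # not sent on cross-site POSTs
    return morsel.OutputString()


if __name__ == "__main__":
    # Client id from the page's example; value and host are placeholders.
    print(build_set_cookie("djc98u3jiedmi283eu928", "opaque-session-id", "subdomain.usta.com"))
```

Omitting the Domain attribute entirely yields a host-only cookie, which is narrower still (it is not sent to deeper subdomains); set Domain only if you need that sharing.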
Call the /customers/me endpoint and check the response for validation errors:
Customers can create a USTA profile there by filling out basic, mandatory data. When a customer clicks the “Register” button and all data is valid, the browser is redirected back to the supplied redirectUri and the access_token can be used against services.
Working with JWT Tokens
JWTs are signed, base64url-encoded JSON, not encrypted: anyone holding a token can read it, and they contain fields called claims. Once you generate an Access Token, you can examine its contents at http://jwt.io . This is a valuable debugging tool.
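What jwt.io is doing, and what it is not doing, as an added example that is not code from the page or from Cognito: the token below is constructed here and signed with HS256 so the example runs offline. Cognito-issued tokens are RS256-signed and must be verified against the user pool's JWKS rather than a shared secret, but the structure is the same: header and payload are readable by anyone, and only a checked signature makes the claims trustworthy.

```python
"""Reading and verifying JWT claims.

Added example, not code from the page or from Cognito. The token is
constructed here and signed with HS256 so the example runs offline;
Cognito-issued tokens are RS256-signed and are verified against the user
pool's JWKS, not a shared secret.
"""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature for the constructed example."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url_encode(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def read_claims_unverified(token: str) -> dict:
    """What jwt.io shows: the claims, readable with no key at all."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the signature checks out and exp has not passed."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm you expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    secret = b"constructed-secret"                      # demo key only
    token = make_hs256_token({"sub": "user-1", "exp": int(time.time()) + 3600}, secret)
    print(read_claims_unverified(token))                # readable without the key
    print(verify_hs256(token, secret))                  # same claims, now trusted
```

The unverified read is fine for debugging and for reading exp client-side; a resource server must always take the verified path, since the readable claims can be rewritten by anyone who does not also hold the signing key.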
Don't Make the User Type In Credentials Again
With OAuth2, application developers often make the mistake of retrieving a new Access Token before each API call. This is not efficient. Instead, use the long-lived Refresh Token that is supplied alongside the short-lived Access Token when the Authorization Code is exchanged for the Access Token. Use the Refresh Token to re-request another Access Token without making the user type in their credentials again.
Request:

    POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
    Content-Type: application/x-www-form-urlencoded
    Authorization: Basic aSdxd892iujendek328uedj

    grant_type=refresh_token&client_id=djc98u3jiedmi283eu928&refresh_token=REFRESH_TOKEN

Response:

    HTTP/1.1 200 OK
    Content-Type: application/json

    {
      "id_token": "eyJz9sdfsdfsdfsd",
      "access_token": "dmcxd329ujdmkemkd349r",
      "token_type": "Bearer",
      "expires_in": 3600
    }
Check For 401 Status Response To Determine Whether To Use Refresh Token
One simple way to determine whether the Access Token has expired is to check each API call for a 401 status in the response. In that case, use the Refresh Token to get a new short-lived Access Token without additional authentication, then repeat the call.
Keep Track Of Expiration Time To Live
A more involved method is to track the expiration TTL when you retrieve your Access Token. If the time has expired, then use the Refresh Token to get a new short-lived Access Token and repeat the API call with the new Access Token.
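Both strategies in one small client, as an added example (not USTA's own code): the manager records expires_in when a token is installed and refreshes proactively once the tracked expiry is near, and also falls back to a single refresh-and-retry when an API call answers 401. refresh_fn stands in for the POST to /oauth2/token shown above and must return the documented response shape; api_call stands in for any USTA API request and returns (status, body). FakeCognito is a constructed offline stand-in for both.

```python
"""Reusing the Refresh Token: TTL tracking plus a 401 fallback.

Added example, not USTA's own code. refresh_fn stands in for the POST to
/oauth2/token with grant_type=refresh_token and returns the response
shape the page documents ({"access_token": ..., "expires_in": ...});
api_call stands in for any USTA API request and returns (status, body).
FakeCognito is a constructed stand-in so the example runs offline.
"""
import time


class TokenManager:
    SKEW = 30  # seconds: refresh a little early to absorb clock drift and latency

    def __init__(self, access_token, expires_in, refresh_token, refresh_fn,
                 clock=time.time):
        self.refresh_token = refresh_token  # long-lived; never sent to the API itself
        self.refresh_fn = refresh_fn
        self.clock = clock
        self.refresh_count = 0
        self._install(access_token, expires_in)

    def _install(self, access_token, expires_in):
        self.access_token = access_token
        self.expires_at = self.clock() + expires_in  # track the TTL at issue time

    def refresh(self):
        """Get a new short-lived Access Token without asking the user to log in."""
        resp = self.refresh_fn(self.refresh_token)
        self._install(resp["access_token"], resp["expires_in"])
        self.refresh_count += 1

    def get_access_token(self):
        """TTL method: refresh proactively once the tracked expiry is near."""
        if self.clock() >= self.expires_at - self.SKEW:
            self.refresh()
        return self.access_token

    def call(self, api_call):
        """401 method: if the server rejects the token, refresh once and retry."""
        status, body = api_call(self.get_access_token())
        if status == 401:
            self.refresh()
            status, body = api_call(self.access_token)
        return status, body


class FakeCognito:
    """Constructed stand-in for the token endpoint and one protected API."""

    def __init__(self):
        self.issued = 0

    def refresh(self, refresh_token):
        if refresh_token != "REFRESH_TOKEN":
            raise ValueError("unknown refresh token")
        self.issued += 1
        return {"access_token": f"access-{self.issued}", "token_type": "Bearer",
                "expires_in": 3600}

    def customers_me(self, access_token):
        # The initial token is treated as already invalid server-side so the
        # 401 path is exercised; every refreshed token is accepted.
        if access_token == "access-0":
            return 401, {"error": "invalid_token"}
        return 200, {"access_token_used": access_token}


if __name__ == "__main__":
    now = [1000.0]
    fake = FakeCognito()
    tm = TokenManager("access-0", 3600, "REFRESH_TOKEN", fake.refresh, clock=lambda: now[0])
    print(tm.call(fake.customers_me))   # 401 -> refresh -> 200 using access-1
    now[0] += 3600 - 10                 # inside the skew window before expiry
    print(tm.get_access_token())        # proactive refresh -> access-2
```

Retrying exactly once is deliberate: if a freshly refreshed token is still rejected, the refresh token itself has most likely expired or been revoked, and the right response is to send the user back through the login link rather than loop.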
Related Article: How to check if a user is logged in