Implementation

Login with GlobaliD is a flow in which you redirect users to log in with GlobaliD, after which they are redirected back to your app with an authorization code.

When users navigate to your Login with GlobaliD URL, they are presented with a QR code that they must scan with their GlobaliD mobile app. If they do not have the GlobaliD mobile app, they can scan the QR code to get a link to the mobile app in the App Store or on Google Play. From there, they will need to sign up for a GlobaliD account.

Prerequisites

This document assumes you have a Developer App.

Tips

You can implement the flow without using a library. Still, we recommend you use one of these OAuth libraries based on your language, or any other OAuth/OpenID library. It will greatly help you if this is your first time implementing OAuth/OpenID. Here is the basic information you will need to implement Login with GlobaliD.

Steps to implement

1. Redirect the user to the GlobaliD authorization page

When the user wants to log in with GlobaliD, you must redirect them to the GlobaliD authorization page. The GlobaliD authorization page URL will include parameters such as your client ID, the response type (usually "code" for OAuth2), and the redirect URI the provider will send the user back to after they have authorized your app. If you use one of the suggested libraries, you can generate this URL with them. We also suggest you use PKCE [RFC-7636] when building the authorization URL. It requires a few extra parameters, but libraries will help you with them.

2. User authorizes your application

On the GlobaliD authorization page, users will see a QR code; they must scan it with the GlobaliD mobile application to log in. They'll then be asked if they want to give your application access to their data. If they agree, the provider will redirect them back to your application.

3. GlobaliD redirects back to your application

GlobaliD will redirect the user to your application using the redirect URI you provided earlier. It will include an authorization code as a parameter in this redirect.

https://your-redirect-url.com?
    state=<STATE_VALUE>&
    session_state=<SESSION_STATE>&
    iss=https://auth.global.id/realms/globalid&
    code=<AUTHORIZATION_CODE>

4. Your application exchanges the authorization code for an access token

Your application can now make a POST request to the GlobaliD token endpoint, sending the authorization code, client ID, client secret, and the same redirect URI. In response, the provider will send back an access token (it is a JWT that you can validate). You can read a guide here if you don't know what a JWT is.

5. Your application uses the access token to access the user's data

Your application can now use the access token to make requests to the provider's API on behalf of the user. The access token is sent as a Bearer token in the Authorization header of the HTTP request.

6. Handle token expiration

Access tokens have a limited lifetime, and your application needs to handle cases where the token has expired. This could involve refreshing the token using a refresh token or redirecting the user back to the GlobaliD authorization page to log in again.
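The steps above, as an added example that is not GlobaliD's own code: it builds the PKCE authorization URL for step 1, checks the step 3 callback (state and iss) before accepting the code, and prepares the step 4 token request. The authorization endpoint path is an assumption (Keycloak-style, under the issuer shown in the redirect example); client ID, secret and redirect URI are placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Issuer taken from the page's redirect example; the endpoint path below is
# an assumption (Keycloak-style) and is not documented by the page.
ISSUER = "https://auth.global.id/realms/globalid"
AUTHORIZE_URL = ISSUER + "/protocol/openid-connect/auth"


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding.
    Generate the verifier per login (e.g. secrets.token_urlsafe(64)) and keep it
    in the user's session until step 4."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id, redirect_uri, state, challenge) -> str:
    """Step 1: the URL to redirect the user to, with the PKCE parameters added."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,                      # random, bound to the user's session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state, expected_iss=ISSUER) -> str:
    """Step 3: accept the code only if state (CSRF) and iss (mix-up) match."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale login")
    if q.get("iss", [""])[0] != expected_iss:
        raise ValueError("authorization response from unexpected issuer")
    if "error" in q or "code" not in q:
        raise ValueError("no authorization code: " + q.get("error", ["?"])[0])
    return q["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri, verifier):
    """Step 4: form fields for the POST to the token endpoint (not sent here)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret, "code_verifier": verifier}
```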

Congratulations, you successfully implemented Login with GlobaliD
