Initiating Authentication

To initiate the authentication process, your application needs to redirect the user to the FuturePass authorization endpoint.

Steps:

Generate Code Verifier and Challenge: Use PKCE (Proof Key for Code Exchange) to enhance security.
Generate State and Nonce: These are used to prevent CSRF attacks and replay attacks, respectively.
Build Authorization URL: Include required parameters such as response_type, client_id, redirect_uri, scope, code_challenge, code_challenge_method, state, and nonce.

Example Authorization URL:

const params = {
  response_type: 'code',
  client_id: clientId,
  redirect_uri: redirectUri,
  scope: 'openid profile email',
  code_challenge: codeChallenge,
  code_challenge_method: 'S256',
  state: state,
  nonce: nonce,
}

const queryString = new URLSearchParams(params).toString()
const url = `${authorizationEndpoint}?${queryString}`
window.location.href = url

Authorization Request Parameters

Parameter Description

Parameter	Description
`response_type`	Specifies the type of response. For authorization code flow, use `code`.
`client_id`	The client ID you obtained during client registration.
`redirect_uri`	The URI to which the response will be sent. It must match the redirect URI registered with the client.
`scope`	A space-separated list of scopes. Use `openid`.
`code_challenge`	The PKCE code challenge.
`code_challenge_method`	The method used to generate the code challenge. Use `S256`.
`state`	A random string to maintain state between the request and callback. Helps prevent CSRF attacks.
`nonce`	A random string to associate with the ID token. Helps prevent replay attacks.
`response_mode`	Specifies how the result should be returned. For this example, use `query`.
`prompt`	Specifies whether the user should be prompted for reauthentication.
`login_hint`	`email:`, `social:google`, `social:facebook`

response_type

Specifies the type of response. For authorization code flow, use code.

client_id

The client ID you obtained during client registration.

redirect_uri

The URI to which the response will be sent. It must match the redirect URI registered with the client.

scope

A space-separated list of scopes. Use openid.

code_challenge

The PKCE code challenge.

code_challenge_method

The method used to generate the code challenge. Use S256.

state

A random string to maintain state between the request and callback. Helps prevent CSRF attacks.

nonce

A random string to associate with the ID token. Helps prevent replay attacks.

response_mode

Specifies how the result should be returned. For this example, use query.

prompt

Specifies whether the user should be prompted for reauthentication.

login_hint

email:, social:google, social:facebook

Example Authorization Request URL

https://login.futureverse.dev/auth?
response_type=code&
client_id=YOUR_CLIENT_ID&
redirect_uri=http://localhost:3000/callback&
scope=openid&
code_challenge=CODE_CHALLENGE&
code_challenge_method=S256&
state=STATE&
nonce=NONCE&
response_mode=query&
prompt=login&
login_hint=email:

PreviousAPI NextHandling the Callback

Last updated 3 months ago