Sign in customers
Sign customers into your website and grant them access to protected content.
Last updated
Sign customers into your website and grant them access to protected content.
Last updated
Pliro supports signing customers into your website using :
Here's how it works step-by-step:
When the customer clicks the sign in button on your website you'll need to redirect them to Pliro's authorization endpoint:
This endpoint requires the following query parameters:
response_type: Must be set to code.
scope: A space-separated list of requested scopes. Must include openid. Can optionally include email to request that the customer's email is included in ID tokens, and profile to request the inclusion of the customer's name and subscription plan. Example: openid email profile.
client_id: Must be set to the client ID shown for your OAuth application in the Pliro dashboard.
redirect_uri: Must be set to the redirect URI you have specified for your OAuth application in the Pliro dashboard. The provided URI can optionally include query parameters not included in the registered redirect URI.
After you have redirected the customer to this endpoint, Pliro will prompt the customer to sign in. When the customer has signed in, Pliro will redirect them to the provided redirect_uri with an authorization code in the code query parameter. For example:
The authorization endpoint also accepts the following optional parameters:
If the authorization request fails due to an invalid redirect_uri or client_id, the customer will not be redirected to the redirect_uri.
In case of other errors, the customer will be redirected to the redirect_ur with an error code in the error query parameter. For example:
Pliro can return the following error codes:
invalid_request: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
unauthorized_client: The client is not authorized to request an authorization code using this method.
unsupported_response_type: The server does not support obtaining an authorization code using this method.
invalid_scope: The requested scope is invalid, unknown, or malformed.
server_error: The server encountered an unexpected condition that prevented it from fulfilling the request.
login_required: The customer needs to sign in. This error is returned when the prompt parameter is set to none and the customer is currently signed out of Pliro.
When your website processes the request to the redirect_uri (and has verified its authenticity using the state parameter), it can exchange the code for access and ID tokens by making a request to the token endpoint:
The successful response includes access and ID tokens:
If the token request fails, the server responds with an HTTP 400 or 401 status code and includes an error code in the response body:
invalid_request: The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
invalid_client: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).
invalid_grant: The provided authorization grant (e.g., authorization code) is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
unauthorized_client: The authenticated client is not authorized to use this authorization grant type.
unsupported_grant_type: The authorization grant type is not supported by the authorization server.
You can now sign the customer into your website (e.g., by setting a session cookie). You should also store the following information in their session:
The customer's email (if the email scope was included in the authorization request).
The customer's name (if the profile scope was included in the authorization request).
The slug for the plan that the customer subscribes to (if the profile scope was included in the authorization request). This can be useful when managing the customer's access to protected content.
state: Recommended. If set, a state query parameter with the same value will be added to the redirect_uri before redirecting the customer back to your website. We recommend storing this value in the customer's session in a way that can't be tampered with before redirecting them to Pliro, and then checking that the state parameter in the request to the redirect URI matches the one stored in the session. This provides protection.
prompt: When set to none, Pliro won't prompt the customer to sign in. See the section below for more information on this.
The request needs to include using your application's client ID as the username and client secret as the password.
Their access token: This is required to .
Their id token: This is required to .
The ID token contains additional information, in the form of a , that you may want to store separately:
The customer's Pliro session ID (sid): This can be useful when .
To access this information, the ID token needs to be decoded. This can be done with one of . Use when verifying the token's signature.
Whenever the customer attempts to access a protected piece of content you can use the information stored in their session to authorize their access. At some point you may want to .