Sign in customers
Sign customers into your website and grant them access to protected content.
Last updated
Sign customers into your website and grant them access to protected content.
Last updated
Pliro supports signing customers into your website using the OpenID Connect Authorization Code Flow:
Here's how it works step-by-step:
When the customer clicks the sign in button on your website you'll need to redirect them to Pliro's authorization endpoint:
This endpoint requires the following query parameters:
response_type
: Must be set to code
.
scope
: A space-separated list of requested scopes. Must include openid
. Can optionally include email
to request that the customer's email is included in ID tokens, and profile
to request the inclusion of the customer's name and subscription plan. Example: openid email profile
.
client_id
: Must be set to the client ID shown for your OAuth application in the Pliro dashboard.
redirect_uri
: Must be set to the redirect URI you have specified for your OAuth application in the Pliro dashboard. The provided URI can optionally include query parameters not included in the registered redirect URI.
After you have redirected the customer to this endpoint, Pliro will prompt the customer to sign in. When the customer has signed in, Pliro will redirect them to the provided redirect_uri
with an authorization code in the code
query parameter. For example:
The authorization endpoint also accepts the following optional parameters:
state
: Recommended. If set, a state
query parameter with the same value will be added to the redirect_uri
before redirecting the customer back to your website. We recommend storing this value in the customer's session in a way that can't be tampered with before redirecting them to Pliro, and then checking that the state
parameter in the request to the redirect URI matches the one stored in the session. This provides CSRF protection.
prompt
: When set to none
, Pliro won't prompt the customer to sign in. See the section Silent re-authentication below for more information on this.
If the authorization request fails due to an invalid redirect_uri
or client_id
, the customer will not be redirected to the redirect_uri
.
In case of other errors, the customer will be redirected to the redirect_ur
with an error code in the error
query parameter. For example:
Pliro can return the following error codes:
invalid_request
: The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
unauthorized_client
: The client is not authorized to request an authorization code using this method.
unsupported_response_type
: The server does not support obtaining an authorization code using this method.
invalid_scope
: The requested scope is invalid, unknown, or malformed.
server_error
: The server encountered an unexpected condition that prevented it from fulfilling the request.
login_required
: The customer needs to sign in. This error is returned when the prompt
parameter is set to none
and the customer is currently signed out of Pliro.
When your website processes the request to the redirect_uri
(and has verified its authenticity using the state
parameter), it can exchange the code
for access and ID tokens by making a request to the token endpoint:
The request needs to include Basic authentication using your application's client ID as the username and client secret as the password.
The successful response includes access and ID tokens:
If the token request fails, the server responds with an HTTP 400 or 401 status code and includes an error code in the response body:
invalid_request
: The request is missing a required parameter, includes an unsupported parameter value (other than grant type), repeats a parameter, includes multiple credentials, utilizes more than one mechanism for authenticating the client, or is otherwise malformed.
invalid_client
: Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method).
invalid_grant
: The provided authorization grant (e.g., authorization code) is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
unauthorized_client
: The authenticated client is not authorized to use this authorization grant type.
unsupported_grant_type
: The authorization grant type is not supported by the authorization server.
You can now sign the customer into your website (e.g., by setting a session cookie). You should also store the following information in their session:
Their access token: This is required to retrieve updated customer information.
Their id token: This is required to sign customers out of Pliro.
The ID token contains additional information, in the form of a JSON Web Token, that you may want to store separately:
The customer's Pliro session ID (sid
): This can be useful when processing sign-out notifications.
The customer's email (if the email
scope was included in the authorization request).
The customer's name (if the profile
scope was included in the authorization request).
The slug for the plan that the customer subscribes to (if the profile
scope was included in the authorization request). This can be useful when managing the customer's access to protected content.
To access this information, the ID token needs to be decoded. This can be done with one of the many existing JWT libraries. Use Pliro's signing keys when verifying the token's signature.
Whenever the customer attempts to access a protected piece of content you can use the information stored in their session to authorize their access. At some point you may want to update this information.