Authentication (Single-page application)

ReachFive supports and recommends the Authorization Code Flow with Proof Key for Code Exchange (PKCE) for all apps: native apps, mobile apps, and Single Page Apps.

The ReachFive Identity SDK facilitates the PKCE implementation by handling the generation of the code verifier and code challenge. The SDK hashes the Code Verifier using S256 as the code challenge method.

Configure a PKCE client in the ReachFive Console

Create an Identity client with your settings, and pay attention to the steps below which are specific to PKCE:

  1. Select None under Token Endpoint Authentication Method.

  2. Under Allowed Callback URLs, add your redirect URI (for example

  3. Select the Enforce PKCE security for authentication with the authorization code flow checkbox.

  4. Make sure to whitelist all domains where the ReachFive SDK will be used under Allowed Origins (CORS), and click Save (in this example,

User authorization

Use the Identity SDK loginWithPassword command, where redirectUri is the URL that ReachFive uses to intercept the authorization code once the user has granted authorization:

// `client` is assumed to be your initialized Identity SDK client
client.loginWithPassword({
  email: '',
  password: 'N5uiKvve',
  auth: {
    redirectUri: ''
  }
})

The code is appended to the query string in the response:

Get an access token

Use the Identity SDK exchangeAuthorizationCodeWithPkce command:

client.exchangeAuthorizationCodeWithPkce({
  code: '2_7XpD...bgmRT4',
  redirectUri: ''
})

The redirectUri must be the same as in the previous step.

The command returns an access token:

{
  "access_token": "tb37Sz...h3eh6q",
  "id_token": "eEoQAi...yJ04ae",
  "refresh_token": "djnxBN...eXbEbL",
  "token_type": "Bearer",
  "expires_in": 86400
}

You can inspect the access_token using the Introspection endpoint.

After user authentication

Send ID Token to server

var xhr = new XMLHttpRequest();
xhr.open('POST', 'https://YOUR_BACKEND_URL');
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// Log the backend's response once the request completes
xhr.onload = function() {
  console.log('Signed in as: ' + xhr.responseText);
};
xhr.send('idtoken=' + idToken);

Verify Token on the backend side

ID Tokens are signed using the JSON Web Token (JWT) open standard, which defines a compact and self-contained way to securely transmit information between parties.

Use a JWT library to verify your ID Token and get the payload.

Here is an example of a decoded ID Token:

{
  "aud": ["AtnY5xDg4fbanentihip"],
  "authType": "facebook",
  "birthdate": "1983-11-13",
  "email": "",
  "emailVerified": true,
  "exp": 1512225317,
  "familyName": "Doe",
  "gender": "male",
  "givenName": "John",
  "iat": 1512138917,
  "iss": "",
  "locale": "en_US",
  "name": "John Doe",
  "newUser": false,
  "picture": "",
  "profile": "",
  "sub": "AVqvOB58Fg6nZfQ0ZqXt",
  "updatedAt": "2017-12-01T14:35:17.218Z"
}

See ID Token Payload.

For security reasons, you must check the following elements for each decoded ID Token:

  • aud: Audience. It should contain your ReachFive Client ID.

  • iss: Issuer. It should be equal to your ReachFive Domain URL.

  • exp: Expiration time. The token must not have expired.

Do not accept user IDs without checking them. You must use a verified ID Token to securely get the user ID.
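The checks listed above, shown end to end as an added example (not ReachFive's own code): the signature is verified first, then aud, iss and exp, and only then is sub trusted. It assumes RS256-signed tokens and uses Node's built-in crypto so it runs without dependencies; the key pair, the issuer URL `https://idp.example.com` and the helper names are constructed for the demonstration, and a JWT library performs the same steps in production.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Verify an RS256-signed ID token, then apply the aud / iss / exp checks.
// Returns the payload on success and throws on any failure.
function verifyIdToken(token, { publicKey, clientId, issuer, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: never let the token header choose it ("none", HS256 ...).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
    Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  // aud may be a single string or an array of client IDs.
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('wrong audience');
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (typeof claims.exp !== 'number' || now >= claims.exp) throw new Error('token expired');
  return claims;
}

// Constructed sample: a throwaway key pair stands in for the issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  return `${input}.${sig}`;
}

// Returns the rejection reason, or null when the token is accepted.
function rejectReason(token, opts) {
  try { verifyIdToken(token, opts); return null; } catch (e) { return e.message; }
}

// Client ID, sub and exp come from the sample payload above; issuer and now are constructed.
const opts = { publicKey, clientId: 'AtnY5xDg4fbanentihip',
  issuer: 'https://idp.example.com', now: 1512200000 };
const good = { aud: ['AtnY5xDg4fbanentihip'], iss: 'https://idp.example.com',
  exp: 1512225317, sub: 'AVqvOB58Fg6nZfQ0ZqXt' };
console.log(verifyIdToken(signSample(good), opts).sub);
console.log(rejectReason(signSample({ ...good, aud: ['other-client'] }), opts));
console.log(rejectReason(signSample(good), { ...opts, now: 1512225317 }));
```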

For a server to server integration, refer to Authentication for Web App.