loginWithCredentials

client.loginWithCrendentials({
  // Optional arguments
  mediation: string,
  auth: AuthOptions
})

About this command

Authenticate the user from stored credentials in the browser using the Credentials Management API.

This feature is experimental, please check your browser compatibility.

Examples

client
  .loginWithCredentials({ mediation: 'silent' })
  .then(authResult => {
    // Retrieve the access token
  })
  .catch(err => console.error(err))

Parameters

mediation string

The mediation type to request the credentials.

Allowed values: silent, optional and required.

auth AuthOptions

List of authentication options

responseType string

The desired OAuth2 grant type. Use code to request an authorization code (recommended) or token for a token set (implicit grant, discouraged).

Defaults to code when redirectUri is provided, and to token otherwise. For messenger account linking, responseType should be set to messenger_code.

redirectUri string

The absolute URI the user-agent will be redirected to following flow completion. It will either carry the response type, or the appropriate error in case of failure. Any specified state string will also be included.

This parameter is required with code response type and defaults to the current page with token response type. For messenger account linking, redirectUri should be set with the redirect_uri query param provided by Facebook on URL.

redirectUri is still required when setting useWebMessage to true despite there being no redirection involved.

state string

An opaque value used to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.

The parameter should be used for preventing cross-site request forgery as described in Section 10.12 of RFC 6749.

prompt string

Specify whether the social provider should explicitly prompt the user for reauthentication or consent.

The defined values are:

  • none: Require that no user interaction take place. This is typically used to silenty check for existing authentication and/or consent.

  • login: The social provider should prompt the user for reauthentication before consent, otherwise an error must be returned to the client (login_required).

  • consent: The social provider should prompt for consent, otherwise an error must be returned to the client (consent_required).

Only for login with social provider.

nonce string

String value used to associate a client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified to the ID Token. Sufficient entropy must be present in the nonce values used to prevent attackers from guessing values. See Section 15.5.2 of OpenID Connect for more implementation details.

persistent boolean

When persistent is true, the session duration configured in the ReachFive Console (Settings  Security  SSO) applies.

If persistent is not set or is false, the default session duration of 1 day applies.

Defaults to false.

popupMode boolean

Whether or not to use popup mode.

Defaults to false.

This mode is not recommended due to known bugs in Android or Firefox in iOS.

useWebMessage boolean

When set to true, the SDK will leverage the web_message response mode in order to avoid having to redirect the user-agent to obtain the authorization response.

Defaults to false. If set to true and responseType is code, the authorization code will be automatically exchanged at the token endpoint along with any potential code_verifier.

origin string

Free text parameter describing the source of the login (only for reporting purposes).

scope string[]

List of space-delimited, case-sensitive strings representing the requested scope.

Optional if the fetchBasicProfile option is set to true and the profile, email, phone and openid scope values are allowed in client configuration.

fetchBasicProfile boolean

Fetch basic user profile information when they sign in. Automatically adds profile, email, phone and openid to the requested scope.

Defaults to true.

accessToken string

Access token of the current user. Enables social login linking to an existing account with a fresh token (less than 5 minutes old).

providerScope string

List of space-delimited, case-sensitive strings representing the requested scope at the social provider.

Defaults to the scope configured for the given provider in your ReachFive console.

Only for login with social provider.

requireRefreshToken boolean

If set to true, an OAuth 2.0 Refresh Token will be present in the token response.

Defaults to false.

Fetch user basic profile information when they sign in. Adds profile, email, phone and openid to the requested scope.

Refresh Tokens are only available with confidential Clients (with a configured authentication method) or for public Clients that enforce PKCE in the authorization code grant. The Refresh Token option must also be selected.

Response

Type: Promise<AuthResult>

AuthResult object fields

Field Type Description

accessToken

string

The user’s access token. This a security token that gives access to authorized resources without further identification. It is represented as a JSON Web Token (JWT).

expiresIn

number

The lifetime of the access token (in seconds).

If expiresIn is less than or equal to 0, the accessToken is expired.

tokenType

string

The type of token that is issued.

This is always Bearer.

idToken

string

The user’s ID token. This is a security token that contains authentication claims about the user. It is represented as a JSON Web Token (JWT).

Claims are pieces of information made about a particular subject.

For example, ID tokens might contain a claim called name that makes the claim that the name of the user authenticating is "Nicole Dubois".

{
    "sub": "987654321",
    "name": "Nicole Dubois",
    ...
}

idTokenPayload

JSON

The body of the ID token which outlines the claims. See ID token payload for more details.

For a full list of claims, check out the JWT Claims Registry.

code

string

The authorization code received from the initial authorization call.

state

string

An opaque value used to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.


ID token payload

The possible claims to assert about an authenticated user are outlined in the table below.

Field Type Description

authType

string

The type of authentication used.

allowed values:
  • password

  • phone_number_password

  • magic_link

  • sms

  • external

  • refresh

  • login_as

  • third_party

  • webauthn

birthdate

string

The birthdate of the profile, represented as an ISO 8601 YYYY-MM-DD format.

email

string

The primary email address of the profile.

emailVerified

boolean

True if the user’s e-mail address has been verified; otherwise false.

exp

number

The expiration time claim identifies the expiration time (in seconds) on or after which the JWT must not be accepted for processing.

familyName

string

The family name of the profile.

Also known as surname or last name.

givenName

string

The given name of the profile.

Also known as first name.

gender

string

The gender of the profile.

Currently allowed values are female, male and other.

iat

number

The issued at claim identifies the time (in seconds) at which the JWT was issued.

iss

string

The issuer claim identifies the principal that issued the JWT.

locale

string

The profile’s language code in lowercase and country code in uppercase, separated by a dash (eg en, fr-FR …​).

name

string

The full name of the profile.

newUser

boolean

Whether the profile is new.

sub

string

The subject claim that identifies the profile.

picture

string

The URL of one of the user’s profile pictures. This URL refers to an image file (PNG, JPEG, or GIF image file).

profile

string

The URL of one of the user’s profile pages (usually a social provider’s page).

updatedAt

string

The time the profile’s information was last updated.

Feedback