Authentication concepts

Jutro provides a simple OpenID Connect (OIDC) authentication client. You can use this client to authenticate with Identity Providers (IdPs) that support the OIDC standard.

The client supports authentication out of the box, but not authorization. However, you are free to implement authorization in your application. See the authorization section for more details.

OIDC concepts

OpenID Connect (OIDC) lets you add authentication to your application. It works together with an Identity Provider (IdP), which is responsible for authentication and authorization. The IdP is usually a third-party service that you need to configure and manage.

In short, your application redirects the user to the IdP login page. After successful authentication, the user is redirected back to your application with an authorization code. Your application then exchanges the authorization code for an access token and a refresh token. The access token is used to access protected resources, and the refresh token is used to renew the access token when it expires.

In OIDC, this process is called the Authorization Code Flow. You can learn more about OIDC and the Authorization Code Flow in the following articles:

Please note that in @jutro/auth, Proof Key for Code Exchange (PKCE) is always enabled. You can learn more about PKCE in the following places:

The @jutro/auth package provides a generic OIDC client that lets you use potentially any IdP that is compliant with the OIDC standard. It provides handy components, hooks, and functions that can speed up your implementation of authentication.

Authorization

Authorization is not handled by the authentication client. You can implement authorization by decoding the token and checking the claims. For example, you can check the groups claim to see if the user is a member of a specific group.

import { useAuth, decodeToken, decodeJWTTokenPayload } from '@jutro/auth';

// useAuth is a React hook, so these calls belong inside a component or a custom hook.
const { accessToken } = useAuth();
const decodedToken = decodeToken(accessToken);
// decodeJWTTokenPayload must be imported alongside decodeToken; it reads the claims (e.g. groups) from the token.
const decodedJWTTokenPayload = decodeJWTTokenPayload(accessToken);

Depending on your IdP, group info may be inside userInfo. In that case, you can use the userInfo property from the useAuth hook to get the groups.

import { useAuth } from '@jutro/auth';

const { userInfo } = useAuth();
const groups = userInfo?.groups;
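The following is an added, dependency-free example of the authorization check this section describes; it is not code from @jutro/auth. `decodeJwtPayload` is a hand-rolled stand-in for the package's `decodeJWTTokenPayload`, `getGroups` first looks for a groups claim in the token and falls back to the `userInfo` object as the section suggests, and the sample token is constructed with a placeholder signature. Decoding here deliberately does not verify the signature: the token was handed to the client straight from the IdP's token endpoint, so this check is for gating UI, while any protected API must still validate the token on the server.

```javascript
// Decode a base64url string (JWT segments have no padding) to UTF-8.
function base64UrlDecode(segment) {
  const padded = segment + '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Stand-in for decodeJWTTokenPayload: returns the claims object, or null for anything malformed.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return claims && typeof claims === 'object' ? claims : null;
  } catch (_) {
    return null;
  }
}

// Groups from the token's claim if present, else from userInfo, else none.
function getGroups(accessToken, userInfo) {
  const claims = decodeJwtPayload(accessToken);
  if (claims && Array.isArray(claims.groups)) return claims.groups;
  if (userInfo && Array.isArray(userInfo.groups)) return userInfo.groups;
  return [];
}

// The actual authorization decision: is the user in the required group?
function isMemberOf(accessToken, userInfo, requiredGroup) {
  return getGroups(accessToken, userInfo).includes(requiredGroup);
}

// Build a constructed, unsigned-looking sample token for local testing.
// The third segment is a placeholder, not a real signature; real tokens come from the IdP.
function makeSampleToken(claims) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

module.exports = { decodeJwtPayload, getGroups, isMemberOf, makeSampleToken };
```

In a Jutro application the inputs come from the hook, so a guard component would read `const { accessToken, userInfo } = useAuth();` and render its children only when `isMemberOf(accessToken, userInfo, 'admins')` is true. Because `getGroups` returns an empty array for a missing, malformed or group-less token, the default is to deny, which is the safe failure mode for an authorization check.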