
Authentication concepts

Jutro provides a simple OpenID Connect (OIDC) authentication client. You can use this client to authenticate with Identity Providers (IdPs) who support the OIDC standard.

The client supports authentication out of the box, but not authorization. However, you are free to implement authorization in your application. See the authorization section for more details.

OIDC concepts

OpenID Connect (OIDC) allows you to enable authentication for your application. It works in connection with an Identity Provider (IdP) that is responsible for authentication and authorization. The IdP is usually a third-party service that you need to configure and manage.

In short, your application redirects the user to the IdP login page. After successful authentication, the user is redirected back to your application with an authorization code. Your application then exchanges the authorization code for an access token and a refresh token. The access token is used to access protected resources, and the refresh token is used to renew the access token when it expires.

In OIDC, this process is called the Authorization Code Flow. You can learn more about OIDC and the Authorization Code Flow in the following articles:

Please note that in @jutro/auth, Proof Key for Code Exchange (PKCE) is always enabled. You can learn more about PKCE in the following places:

The @jutro/auth package provides a generic OIDC client which allows you to use potentially any IdP which is compliant with the OIDC standard. It provides handy components, hooks, and functions which can speed up your implementation of authentication.

Authorization

As explained in the Authorization flow between Jutro and Cloud APIs page, authorization is not handled by the authentication client. After authentication, an authorization request is sent to the Cloud API, which returns an encoded access token that can be used to determine whether the user is authorized.

Your application should not decode this token itself; Jutro can determine what a user is authorized to do without fully decoding it.

For example, depending on your Identity Provider (IdP), group info may be inside a userInfo object returned from the useAuth function. In that case, you can use the userInfo property from the useAuth hook to get the groups.

import { useAuth } from '@jutro/auth';

function GroupAwareComponent() {
  // useAuth is a React hook, so call it from a component or another hook.
  const { userInfo } = useAuth();
  // userInfo is undefined until authentication completes, hence the optional chaining.
  const groups = userInfo?.groups;
}

Additionally, the API response from Guidewire Cloud API apps can tell you what actions a user is authorized to do. For more information, check the documentation about the links section of the response for your app (for example, ClaimCenter users can check here).

If you're using the Digital SDK, a list of actions for a user will be present in your function return values. See the Actions overview section of the Digital SDK docs for more information.
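As an added example that is not part of Jutro or the Cloud API documentation, the helpers below make authorization decisions from the two sources named above: the groups in userInfo, and the links section of an API response. The groups claim is normalised because IdPs differ in how they return it, and every helper fails closed when data is missing. The response shape (sampleResponse, with a links object keyed by action name) is constructed for illustration; the real shape for your app comes from its Cloud API documentation.

```javascript
// Added example: authorization checks from userInfo groups and a response's
// links section, without decoding the access token. The sample data is
// constructed; the links layout here is hypothetical.

// IdPs return groups as an array, a single delimited string, or not at all.
// Anything unexpected yields an empty set, so callers fail closed.
function getGroups(userInfo) {
  const raw = userInfo && userInfo.groups;
  if (Array.isArray(raw)) return new Set(raw.map(String));
  if (typeof raw === 'string') return new Set(raw.split(/[,\s]+/).filter(Boolean));
  return new Set();
}

function hasAnyGroup(userInfo, allowedGroups) {
  const groups = getGroups(userInfo);
  return allowedGroups.some((g) => groups.has(g));
}

function hasAllGroups(userInfo, requiredGroups) {
  const groups = getGroups(userInfo);
  return requiredGroups.length > 0 && requiredGroups.every((g) => groups.has(g));
}

// Constructed stand-in for an API response whose links section lists the
// actions the caller may take on the resource. "self" is the resource itself.
const sampleResponse = {
  data: { claimNumber: 'CONSTRUCTED-0001', status: 'open' },
  links: {
    self: { href: '/resource/CONSTRUCTED-0001', methods: ['get'] },
    close: { href: '/resource/CONSTRUCTED-0001/close', methods: ['post'] },
    assign: { href: '/resource/CONSTRUCTED-0001/assign', methods: ['post'] },
  },
};

// The set of actions the server says this user may perform on this resource.
function allowedActions(response) {
  const links = (response && response.links) || {};
  return Object.keys(links).filter((name) => name !== 'self');
}

function canPerform(response, action) {
  return allowedActions(response).includes(action);
}

// A UI-side gate combining both signals: the user must be in one of the
// allowed groups AND the server must have offered the action. Neither check
// replaces the server's own enforcement; they only decide what to show.
function authorize({ userInfo, response, action, allowedGroups }) {
  if (!hasAnyGroup(userInfo, allowedGroups)) {
    return { allowed: false, reason: 'user not in an allowed group' };
  }
  if (!canPerform(response, action)) {
    return { allowed: false, reason: `server did not offer action "${action}"` };
  }
  return { allowed: true, reason: 'ok' };
}

module.exports = { getGroups, hasAnyGroup, hasAllGroups, sampleResponse, allowedActions, canPerform, authorize };
```

Keeping the decision in pure functions over userInfo and the response, rather than in the components themselves, makes the fail-closed behaviour easy to test and keeps the token opaque, as the text above requires.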