You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: examples/ConnectedAccounts.md
+42-33Lines changed: 42 additions & 33 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -6,51 +6,52 @@ The Connect Accounts feature uses the Auth0 My Account API to allow users to lin
6
6
>DPoP sender token constraining is not yet supported in this SDK. My Account API can be configured to support it (default behaviour) but must not be configured to require it.
7
7
8
8
9
-
When using Connected Accounts, Auth0 acquires tokens from upstream Identity Providers (like Google) and stores them in a secure [Token Vault](https://auth0.com/docs/secure/tokens/token-vault). These tokens can then be used to access third-party APIs (like Google Calendar) on behalf of the user.
9
+
When using [Connected Accounts for Token Vault](https://auth0.com/docs/secure/tokens/token-vault/connected-accounts-for-token-vault), Auth0 acquires tokens from upstream Identity Providers (like Google) and stores them in a secure [Token Vault](https://auth0.com/docs/secure/tokens/token-vault). These tokens can then be used to access third-party APIs (like Google Calendar) on behalf of the user.
10
10
11
11
The tokens in the Token Vault are then accessible to [Applications](https://auth0.com/docs/get-started/applications) configured in Auth0. The application can issue requests to Auth0 to retrieve the tokens from the Token Vault and use them to access the third-party APIs.
12
12
13
13
This is particularly useful for applications that require access to different resources on behalf of a user, like AI Agents.
14
14
15
-
## Configure the SDK
15
+
## Pre-requisites
16
+
Connected Account functionality makes use of the Auth0 [My Account API] (https://auth0.com/docs/manage-users/my-account-api) and [Multiple Resource Refresh Tokens (MRRT)](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token). To use this functionality in this SDK you must first ensure that you first [activate My Account API](https://auth0.com/docs/manage-users/my-account-api#activate-the-my-account-api) on your Auth0 tenant and enable access for you client Application. You must also [configure MRRT](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token/configure-and-implement-multi-resource-refresh-token#configure-applications-for-mrrt) on your client application's refresh token policies to allow access to the My Account audience (`https://{yourDomain}/me/`) for the `create:me:connected_accounts` scope as well as any other APIs and scopes you intend to access in your application.
16
17
17
-
The Auth0 client Application must be configured to use refresh tokens and [MRRT (Multiple Resource Refresh Tokens)](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token) since we will use the refresh token grant to get Access Tokens for the My Account API in addition to the API we are calling.
18
+
## Configure the SDK
18
19
19
20
```python
20
21
server_client = ServerClient(
21
22
domain="YOUR_AUTH0_DOMAIN",
22
23
client_id="YOUR_CLIENT_ID",
23
24
client_secret="YOUR_CLIENT_SECRET",
24
25
secret="YOUR_SECRET",
25
-
authorization_params={
26
-
"redirect_uri":"YOUR_CALLBACK_URL",
27
-
"audience": "YOUR_API_IDENTIFIER"
28
-
}
26
+
29
27
)
30
28
```
31
29
32
30
## Login to the application
33
31
34
-
Use the login methods to authenticate to the application and get a refresh and access token for the API.
32
+
Use the login methods to authenticate to the application and get a refresh token in order to use MRRT to call the My Account API. If you are also intending to authorize access to any custom API, you may optionally specify an audience and any relevant scopes but you must at a minimum include the `offline_access` scope to ensure you obtain a refresh token.
35
33
36
34
```python
37
-
# Login specifying any scopes for the Auth0 API
38
-
35
+
# Login to authenticate your aplication, optionally specifying any scopes for your Auth0 API
Redirect user to the provided url, after authenticating with Auth0, the user will be returned to the provided `CALLBACK_URL` with additional `state` and `code` query parameters. In the handler for this callback, complete the interactive login passing the full callback url (including any query parameters).
48
50
49
-
# redirect user
50
-
51
+
```python
51
52
# handle redirect
52
53
result =await server_client.complete_interactive_login(
@@ -59,49 +60,57 @@ result = await server_client.complete_interactive_login(
59
60
60
61
Start the flow using the `start_connect_account` method to redirect the user to the third-party Identity Provider to connect their account.
61
62
62
-
The `authorization_params` is used to pass additional parameters required by the third-party IdP
63
+
The `authorization_params` is used to pass additional parameters required by the third-party IdP.
64
+
65
+
The `scopes` parameter is used to override the scopes requested from the third-party IdP. By default, if no `scopes` parameter is provided, Auth0 will request any scopes configured in the connection settings through the Auth0 Management API/Dashboard.
66
+
63
67
The `app_state` parameter allows you to pass custom state (for example, a return URL) that is later available when the connect process completes.
Using the url returned, redirect the user to the third-party Identity Provider to complete any required authorization. Once authorized, the user will be redirected back to the provided `redirect_uri` with a `connect_code` and `state` parameter.
93
+
Using the url returned, redirect the user to the third-party Identity Provider to complete any required authorization. Once authorized, the user will be redirected back to the provided `CALLBACK_URL` with a `connect_code` and `state` parameter. The `CALLBACK_URL` provided may be the same that is used for the interative login or it may be distinct. However if the same endpoint is used, the handler should be able distinguish between a login callback vs a connect accounts callback (typically via the presence of the `code` and `connect_code` parameter respectively).
92
94
93
95
## Complete the account connection
94
96
95
-
Call the `complete_connect_account` method using the full callback url returned from the third-party IdP to complete the connected account flow. This method extracts the connect_code from the URL, completes the connection, and returns the response data (including any `app_state` you passed originally).
97
+
In the callback handler, call the `complete_connect_account` method using the full callback url returned from the third-party IdP to complete the connected account flow. This method extracts the connect_code from the URL, completes the connection, and returns the response data (including any `app_state` you passed originally).
>The `callback_url` must include the necessary parameters (`state` and `connect_code`) that Auth0 sends upon successful authentication.
107
+
>The `callback_url` must include the necessary parameters (`state` and `connect_code`) that Auth0 sends upon successful authorization.
108
+
109
+
You can now call the API with your access token and the API can use [Access Token Exchange with Token Vault](https://auth0.com/docs/secure/tokens/token-vault/access-token-exchange-with-token-vault) to get tokens from the Token Vault to access third-party APIs on behalf of the user.
106
110
107
-
You can now call the API with your access token and the API can use [Access Token Exchange with Token Vault](https://auth0.com/docs/secure/tokens/token-vault/access-token-exchange-with-token-vault) to get tokens from the Token Vault to access third-party APIs on behalf of the user.
0 commit comments