Step 1: Generate code_verifier and code_challenge
Generate code_verifier and code_challenge as follows:
code_verifier and code_challenge, a new pair must be generated for every authentication attempt.
Step 2: Redirect Users To Authorization Endpoint
The Authorization Endpoint is as follows:
<domain> as well as <client_id> after registering with AuthPortal. All <redirect_uri>s must be identical to those previously registered with AuthPortal. You may optionally pass a state parameter, which will be returned to the redirect_uri.
Redirect your users to the authorization endpoint, where they will be prompted to log in.
Step 3: Handle Redirect & Call Token Endpoint
After successful login, AuthPortal redirects users back to <redirect_uri>, and two query parameters will be set: code and iss. If state was provided in the query above, it will also be set. You must verify that the iss matches https://<domain>.
To obtain the Firebase user object, a final background API call to the Token Endpoint is necessary. Obtain the stored code_challenge and make the following HTTP POST API call:
OAuth 2.0 Compatibility
AuthPortal Flow is based on OAuth 2.0 Authorization Code Flow (as per RFC6749). It extends OAuth 2.0 by requiring a scope=firebase_user parameter, which returns a firebase_user object in the token response after successful authorization. PKCE (as per RFC7636) is mandatory. iss (as per RFC9207) is always returned. response_mode=web_message for sign-in via popup is supported.
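
Steps 1 and 3 as an added example (not AuthPortal's own code): it generates the PKCE pair and checks the iss, state and code parameters on the redirect before the code is used. The S256 challenge method from RFC7636, the helper names, and the auth.example.com and app.example.com hosts are assumptions.

```javascript
// Added example, not AuthPortal's code. Uses Node's built-in crypto module.
const nodeCrypto = require("node:crypto");

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
function challengeFor(codeVerifier) {
  return nodeCrypto.createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// Step 1: fresh pair per authentication attempt. 32 random bytes encode to a
// 43-character verifier, the minimum length RFC 7636 allows.
function generatePkcePair() {
  const codeVerifier = nodeCrypto.randomBytes(32).toString("base64url");
  return { codeVerifier, codeChallenge: challengeFor(codeVerifier) };
}

// Exactly one value per parameter; duplicates make the result parser-dependent.
function single(params, name) {
  const values = params.getAll(name);
  if (values.length !== 1 || values[0] === "") throw new Error(`bad ${name}`);
  return values[0];
}

// Constant-time comparison for the state value.
function sameString(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && nodeCrypto.timingSafeEqual(x, y);
}

// Step 3: check iss (and state, if one was sent) before using the code.
function validateCallback(callbackUrl, domain, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (single(params, "iss") !== `https://${domain}`) throw new Error("iss mismatch");
  if (expectedState !== undefined && !sameString(single(params, "state"), expectedState)) {
    throw new Error("state mismatch");
  }
  return single(params, "code");
}

// Constructed sample values; auth.example.com and app.example.com are placeholders.
const pair = generatePkcePair();
const state = nodeCrypto.randomBytes(16).toString("base64url");
const issParam = encodeURIComponent("https://auth.example.com");
const callback = `https://app.example.com/cb?code=abc123&iss=${issParam}&state=${state}`;
console.log(pair.codeChallenge.length, validateCallback(callback, "auth.example.com", state));
```

Keep the verifier, challenge and state in per-attempt storage so a redirect can only complete the attempt that started it.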