Identity (OAuth2, OpenID)
The Xumm platform can act as the OAuth2 provider. The Xumm platform supports the OAuth2 / OpenID Connect flow. Authenticate and identify end users using their self custodial XRPL accounts.
Last updated
Was this helpful?
The Xumm platform can act as the OAuth2 provider. The Xumm platform supports the OAuth2 / OpenID Connect flow. Authenticate and identify end users using their self custodial XRPL accounts.
Last updated
Was this helpful?
The Xumm OAuth2 / OpenID Connect provider supports the authorization code flow and the implicit flow.
The PKCE flow (which is the new & more secure industry standard and replaces the Implicit flow) is also available.
All supported OAuth2 flows have their own use cases, advantages and caveats. The right one depends on your project & audience.
Backend
Frontend
Frontend
API Key + Secret
API Key
API Key
Custom implementation, custom sessions / token persistence if needed.
Xumm SDK handles user sign in & session retrieval
Xumm SDK handles user sign in & session retrieval
As secure as your own implementation
Secure (Man in the Middle attack not possible)
Secure (but Man in the Middle attack possible)
You deal with the mobile return flow state persistence. You will have to make sure you restore your session to cover sessions where user return in another browser.
Only works on mobile when users leave and return from & to the same browser. E.g. when starting off in a Twitter embedded browser frame & returning to the native OS browser, the sign in will fail.
Works on mobile even when users start in one browser and get redirected to another browser (e.g. the OS native browser). Basically always works.
You deal with the desktop sign in flow (redirect / popup / ...)
Xumm SDK (TypeScript/Javascript) will trigger a pop up & handle sign state & events.
Xumm SDK (TypeScript/Javascript) will trigger a pop up & handle sign state & events.
To use the Xumm Platform as OAuth2 / OpenID Connect provider, one or more valid OAuth2 redirect URI's must be whitelisted in the , on an application level.
The same API Key and API Secret the Xumm Developer Console offers to be used calling our API's and using our SDK's can be used as OAuth2 client id and secret.
The Xumm platform returns a Bearer token (JWT) with limited validity. The token can not be refreshed: after expiration a new user sign in is mandatory to obtain a new JWT token.
force_network allows you to specify a network the payload will have to be signed on. Sample values are MAINNET TESTNET XAHAU XAHAUTESTNET, etc.
signers allows you to specify one or more forced signers, by r-address, seperated by a comma (if multiple are to be provided where the user can choose from, providing they have signing capabilities for the account(s))
Sample Auth URL using the above params:
Authorization
Token
Userinfo
JWKS
OpenID Connect Metadata
All other JWT compatible Xumm API's
When using the (TypeScript & Javascript) all OAuth2/JWT interaction, authorisation & implementation will be abstracted away, which is by far the easiest way to interact with the Xumm platform.
Building your own integration, or using a standard OAuth2 consumer? All JWT tokens obtained through from a Xumm OAuth2 flow can be used with the (from a user locked context). The way to interact with the JWT endpoints is similar to the JWT flow for xApps, except the JWT is obtained through the OAuth2 flow instead of inside the xApp.
https://oauth2.xumm.app/
https://oauth2.xumm.app/
https://oauth2.xumm.app/
https://oauth2.xumm.app/
https://oauth2.xumm.app/
See our API docs: