Warhorn Login

Warhorn Login allows people to log into your app or website and create an account using their Warhorn credentials. They do not need to create or remember a separate password.

Warhorn Login also enables you to ask for permissions when people log in to your app. These permissions give your app access to facts about the user such as their name, email address or profile picture.

How it works

Warhorn Login is implemented using the OAuth 2.0 and OpenID Connect authorization and identity protocols. As the developer of a website or app that will use Warhorn Login, you’ll do the following:

  1. Register your application in your Warhorn account settings.
  2. Implement an authorization flow to allow your users to log into your app using their Warhorn account.
  3. Implement a userinfo request to get information about the identity of the logged-in user.

When a user initiates Warhorn Login through your app, Warhorn will require the user to log into Warhorn (if they aren’t already) and then consent to your app’s authorization request, including exposing their Warhorn profile information to your application.

Authorization flow

Warhorn Login is based on the OAuth 2.0 Authorization Code flow.

In this flow, your app:

  1. Makes an authorization request to the Warhorn authorization endpoint,
  2. Receives a short-lived authorization code,
  3. Makes a token request to the Warhorn token endpoint with that authorization code, and
  4. Receives an access token and an OpenID Connect ID token.

Client authentication

Your app must authenticate itself on each request to the token endpoint using the client credentials (client ID and client secret) generated for the app during registration. The client secret identifies your app to Warhorn: keep it on your server and never ship it in browser-side or mobile code.

See the client authentication API reference for more details.

Authorization request

To begin the flow, your app makes an authorization request.

The first time your app asks to authorize a particular user, Warhorn responds by presenting a consent page, prompting the user to allow your app to access their Warhorn account. If the user is not already logged in, they will be required to log in before consenting. After the user indicates approval by clicking the “Allow” button on the consent page, Warhorn redirects back to your app using the callback URL provided in the authorization request.

For subsequent authorization requests, Warhorn asks the user to log in if needed, then redirects back to your app’s callback URL.

As in any OAuth 2.0 authorization code flow, include a fresh, unguessable value in the standard state parameter of the authorization request, keep it in the user’s session, and reject any callback whose state does not match. Without that check an attacker can deliver their own authorization code to a victim’s browser and log the victim into the attacker’s account (login CSRF).

See the authorization API reference for details.

Token request

To complete the authorization flow, your app issues a token request, exchanging the authorization code carried in the callback URL for a user access token and an ID token. The access token is used for the userinfo request and for subsequent GraphQL API requests. The ID token is a signed OpenID Connect statement of who the user is; validate it (issuer, audience, expiry and signature) before trusting its claims.

You can think of the access token as a session identifier for the user, and protect it like one: keep it on the server side, do not expose it to the browser and do not write it to logs. When the user logs out of your app, just throw the access token away. The next time the user logs in, your app should go through the authorization flow again.

See the user access token API reference for details.

Userinfo request

Warhorn Login uses the OpenID Connect userinfo mechanism to provide information about the user’s identity to your app.

After completing the authorization flow, your app can issue a userinfo request, presenting the access token as a bearer token, to get important identity information about the user, such as name, email address and time zone. This means that your app doesn’t have to capture such information from the user directly.

The set of information available to your app in a userinfo request is defined by the authorization scopes requested by your app and granted by the user during authorization flows.

See the userinfo API reference for more information.

Reference

oauth.com has a fantastic, plain-spoken reference guide for everything related to OAuth 2.0 (and the most important bits of OpenID Connect as well). That’s our first recommendation for learning more about these protocols.