This repository provides an example server implementation for FusionAuth Web SDKs. FusionAuth Web SDKs can be utilized in one of two ways:
- Hosting Your Own Server: Implementing a server that handles OAuth token exchange and fulfills the server code requirements for FusionAuth Web SDKs.
- Using the FusionAuth Hosted Server: Leveraging the server hosted on your FusionAuth instance, eliminating the need to write your own server code.
If you opt for hosting your own server, this repository will serve as an example. The provided example is in JavaScript and utilizes Express. If you opt to implement your own server you are free to use any technology stack as long as it meets the server code requirements.
To get started, follow these steps:
- From the root directory, run `npm install`.
- Run `npm run start`.

You should observe the console output `FusionAuth example server listening on port 9000`.
The endpoints described below serve as a summary of requirements and expected behaviors of each endpoint. For additional details on these endpoints you can reference the Hosted Backend documentation.
Your server must have the following endpoints:

The login endpoint must:
- Generate a PKCE code verifier and code challenge.
- Save the code verifier in a secure HTTP-only cookie.
- Pass the code challenge along on the authorize request.
- Encode the `redirect_url` from the client app and save it in `state`.
- Redirect the browser to `/oauth2/authorize` with a `redirect_uri` of `/app/token-exchange`.
The token exchange endpoint must:
- Call `/oauth2/token` to complete the Authorization Code Grant request. The `code` comes from the request query parameter and `code_verifier` should be available in the secure HTTP-only cookie, while the rest of the parameters should be set/configured on the server side.
- Once the token exchange succeeds, read the `app.at` from the response body and set it as a secure, HTTP-only cookie with the same name.
- If you wish to support refresh tokens, repeat step 2 for the `app.rt` cookie.
- Save the expiration time in a readable `app.at_exp` cookie. This value should be represented as seconds since the epoch.
- Save the `app.idt` id token in a readable cookie.
- Redirect the browser back to the encoded URL saved in `state`.
The register endpoint is similar to `/login`. It must:
- Generate a PKCE code verifier and code challenge.
- Save the code verifier in a secure HTTP-only cookie.
- Pass the code challenge along on the register request.
- Encode the `redirect_url` from the client app and save it in `state`.
- Redirect the browser to `/oauth2/register` with a `redirect_uri` of `/app/callback`.
The userinfo endpoint must:
- Read `app.at` from the cookie and use it as the Bearer token to call `/oauth2/userinfo`.
- Return the JSON data from that response.
The logout endpoint must:
- Clear the `app.at` and `app.rt` secure, HTTP-only cookies.
- Clear the `app.at_exp` and `app.idt` secure cookies.
- Redirect to `/oauth2/logout`.
The refresh endpoint is necessary if you wish to use refresh tokens. It must:
- Call `/oauth2/token` with the refresh token grant to get a new `app.at` and `app.rt`.
- Update the `app.at`, `app.at_exp`, `app.idt`, and `app.rt` cookies from the response.
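The server-side cookie handling shared by the token exchange, userinfo, logout and refresh endpoints above, as an added example rather than the FusionAuth example server's own code. It builds the `/oauth2/token` request bodies for both grants, maps a token response onto the `app.at`, `app.rt`, `app.at_exp` and `app.idt` cookies with the HTTP-only/readable split the requirements call for, clears them all for logout, and derives the Bearer header for `/oauth2/userinfo`. The `nowSeconds` parameter, the `Path`/`SameSite` attributes, the `parseCookies` helper and the sample token response are assumptions or constructed data.

```javascript
// Added example, not the FusionAuth example server's own code. Node built-ins only.

// Minimal Cookie request-header parser (constructed helper; Express users can use cookie-parser).
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Body for /oauth2/token, Authorization Code grant: code from the query string,
// code_verifier from the HTTP-only cookie, everything else from server-side config.
function codeGrantBody({ code, codeVerifier, clientId, clientSecret, redirectUri }) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    code_verifier: codeVerifier,
    client_id: clientId,
    client_secret: clientSecret,
    redirect_uri: redirectUri,
  });
}

// Body for /oauth2/token, Refresh Token grant (refresh endpoint).
function refreshGrantBody({ refreshToken, clientId, clientSecret }) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
  });
}

// Tokens the browser must never read get HttpOnly; app.at_exp and app.idt stay readable
// so the client SDK can inspect them. Attributes beyond Secure/HttpOnly are assumptions.
const HTTP_ONLY = "Path=/; HttpOnly; Secure; SameSite=Lax";
const READABLE = "Path=/; Secure; SameSite=Lax";
const COOKIE_NAMES = ["app.at", "app.rt", "app.at_exp", "app.idt"];

// Map a successful token response onto Set-Cookie values. nowSeconds is injectable for tests;
// app.at_exp is absolute seconds since the epoch, so expires_in (relative) is added to "now".
function cookiesFromTokenResponse(tokenResponse, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { access_token, refresh_token, id_token, expires_in } = tokenResponse;
  if (!access_token || expires_in === undefined) {
    throw new Error("token response missing access_token or expires_in");
  }
  const cookies = [`app.at=${access_token}; ${HTTP_ONLY}`];
  if (refresh_token) cookies.push(`app.rt=${refresh_token}; ${HTTP_ONLY}`);
  cookies.push(`app.at_exp=${nowSeconds + Number(expires_in)}; ${READABLE}`);
  if (id_token) cookies.push(`app.idt=${id_token}; ${READABLE}`);
  return cookies;
}

// Logout: expire every app.* cookie before redirecting to /oauth2/logout.
function clearAuthCookies() {
  return COOKIE_NAMES.map(
    (name) => `${name}=; Path=/; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT`
  );
}

// Userinfo: app.at from the cookie jar becomes the Bearer token; null when not logged in.
function userinfoAuthHeader(cookies) {
  const at = cookies["app.at"];
  return at ? { Authorization: `Bearer ${at}` } : null;
}

// Express wiring sketch for the token exchange (config, fetch on Node 18+, and the
// app.code_verifier cookie name are assumptions):
//   app.get("/app/token-exchange", async (req, res) => {
//     const cookies = parseCookies(req.headers.cookie);
//     const body = codeGrantBody({ code: req.query.code, codeVerifier: cookies["app.code_verifier"], ...config });
//     const r = await fetch(`${config.fusionAuthUrl}/oauth2/token`, { method: "POST", body });
//     if (!r.ok) return res.status(401).send("token exchange failed");
//     res.setHeader("Set-Cookie", cookiesFromTokenResponse(await r.json()));
//     res.redirect(JSON.parse(Buffer.from(req.query.state, "base64url")).redirectUrl);
//   });
```

The refresh endpoint is the same flow with `refreshGrantBody({ refreshToken: cookies["app.rt"], ... })` and no redirect; because `cookiesFromTokenResponse` rewrites all four cookies from the fresh response, the client's `app.at_exp` moves forward with the new token rather than drifting.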
This library may periodically receive updates with bug fixes, security patches, tests, code samples, or documentation changes.
These releases may also update dependencies, language engines, and operating systems, as we'll follow the deprecation and sunsetting policies of the underlying technologies that the libraries use.
This means that after a dependency (e.g. language, framework, or operating system) is deprecated by its maintainer, this library will also be deprecated by us, and may eventually be updated to use a newer version.