Handling Authentication with Cotter
After successful authentication, Cotter returns ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard:
The ID Token contains information about the authenticated user such as email , phone number ,
client_user_id(the user's id in your server), andauth_time(last authenticated time).The Access Token contains scopes and the authentication method used to authenticate the user:
OTP,TRUSTED DEVICE,PINorBIOMETRIC.The Refresh Token contains the information necessary to obtain a new ID and access token.
🔒It is important to secure all tokens in transit and storage.
Currently, we have the following libraries available to handle Cotter's OAuth Tokens:
Javascript Library:
cotter-jwt-js
Cotter's Access token is a JSON Web Tokens (JWTs) that is used to tell your backend API that the user has been authorized to call the API and perform some action (defined in the scopes attribute of the token).
Access tokens expires every 1 hour. Check the guide on renewing access and id tokens.
Token example:
eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJjbGllbnRfdXNlcl9pZCI6IjEyMjMiLCJhdXRoZW50aWNhdGlvbl9tZXRob2QiOiJUUlVTVEVEX0RFVklDRSIsInR5cGUiOiJjbGllbnRfYWNjZXNzX3Rva2VuIiwic2NvcGUiOiJhY2Nlc3MiLCJhdWQiOiJlOGYzNGI2NC01MmQwLTRjNzgtYjlhOS0wMTJiY2RhYzY1ZDMiLCJleHAiOjE1ODYyMzExMzYsImlhdCI6MTU4NjIyNzUzNiwiaXNzIjoiaHR0cHM6Ly93d3cuY290dGVyLmFwcCIsInN1YiI6IlVTRVI6ZTA5ZWZiMWItZTUwZi00MWZkLTg1MzAtODhmZmJjZDgwZjU5In0.Dy5lw_SG994eg0e7YHaQRleo9EBu8AePxRWlKKCtn2g3iMxcw1MhVBaudI4gV4tYVNd6gMYeCRKoqZL16Tk7bg
☝️Try decoding this token in jwt.io:
{"client_user_id": "xyzABC123", // Your user id"authentication_method": "TRUSTED_DEVICE", // How the user is authenticated"type": "client_access_token","scope": "access", // Scope of this access token (coming soon)"aud": "<your API KEY ID>", // Your API_KEY_ID"exp": 1586231136, // Expires at"iat": 1586227536, // Issued at"iss": "https://www.cotter.app","sub": "USER:e09efb1b-e50f-41fd-8530-88ffbcd80f59"}
1. On every API call to your server, attach the access token as a header
Authorization: Bearer <access token>
2. In your server, using a middleware, check if the access token is valid
3. If the access token is valid, allow the API call to proceed.
Cotter's ID token is a JSON Web Tokens (JWTs) that is used to provide information about the user. ID tokens expires every 1 hour. Check the guide on renewing access and id tokens.
{"client_user_id": "xyzABC123", // Your user id"auth_time": "1586228581", // Last authenticated time (Unix timestamp)"identifiers": [ // email/phone number associated with this user"+12345678910"],"type": "client_id_token","aud": "<your API KEY ID>", // your API KEY ID"exp": 1586232181, // Expires at"iat": 1586228581, // Issued at"iss": "https://www.cotter.app","sub": "USER:e09efb1b-e50f-41fd-8530-88ffbcd80f59"}
You should not trust this information after it's expired
Cotter's Refresh Token is an opaque token (i.e. a random string) that is used to generate a new access token and id token when they're expired. Refresh tokens expires every 30 days. You need to re-authenticate the user to get a new refresh token. Check the guide on renewing access and id tokens.
14:Pmw3r3rgaw0rLupUDU4hjwJFisv8EaHRaoy5gw54ZmSebaWHDh
Easily get tokens using the SDK by adding a simple paramater, ex. getOAuthToken = true
The SDK generally automatically store tokens securely for you, and provides a function to easily remove the tokens to logout your users.
The SDK generally automatically renews expired access_token and id_token whenever a valid refresh_token exists.
You need to verify the JWT tokens in your backend server. Fortunately, there are a lot of good libraries that does this.
