# Backend

# Authorization

The authorization flow for web applications uses OpenID Connect on top of OAuth 2.0, specifically the Authorization Code Flow with PKCE.

For mobile applications, login uses a mix of the Resource Owner Password Credentials flow and the Authorization Code Flow with PKCE. This avoids redirects and lets the app show a native login screen instead of embedding one in a browser. The approach is acceptable only because these are first-party applications: you own the application, the server and the database, so the user's password never passes through a third party. (The password grant is deprecated by the OAuth 2.0 Security Best Current Practice and is absent from OAuth 2.1; never expose it to third-party clients.) The two mobile login endpoints are listed in the Reference section.
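The client side of the Authorization Code Flow with PKCE described above, as an added example that is not VYou's SDK or project code. The endpoint URLs, client_id and callback URI are placeholders; the verifier and S256 challenge follow RFC 7636, and the scope string is the one shown in the OpenIdCredentials object further down.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Hypothetical endpoint URLs for illustration only; the real VYou endpoints
# are the ones listed in the Reference section.
AUTHORIZE_URL = "https://vyou.example/oauth/authorize"
TOKEN_URL = "https://vyou.example/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """High-entropy verifier (32 random bytes -> 43 chars) that never leaves the client."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, verifier: str,
                            state: str, nonce: str) -> str:
    """Step 1: the browser is sent here; only the challenge, not the verifier, goes over the wire."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "read write openid trust",  # scope string from the OpenIdCredentials example
        "state": state,                      # CSRF protection, checked in handle_redirect
        "nonce": nonce,                      # echoed back inside the id_token; verify it there
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_redirect(query: dict, expected_state: str) -> str:
    """Step 2: validate the callback query and extract the authorization code."""
    if query.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"])
    return query["code"]


def build_token_request(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 3: form body POSTed to TOKEN_URL. The server recomputes S256(verifier) and
    rejects the exchange if it differs from the challenge sent in step 1, so a code
    intercepted on the redirect is useless without the verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    verifier = make_code_verifier()
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    print(build_authorization_url("my-client", "https://app.example/callback", verifier, state, nonce))
    # Constructed callback query, shaped like what the browser delivers after login.
    code = handle_redirect({"code": "SplxlOBeZQQYbYS6WxSbIA", "state": state}, state)
    print(build_token_request("my-client", "https://app.example/callback", code, verifier))
```

Keep the verifier and state in client-side storage tied to the login attempt and discard them once the code has been exchanged; a PKCE exchange with a reused or predictable verifier gives no protection.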

The response provides an authorization token (the access token) and an authentication token (the ID token).

The access token authorizes requests to VYou endpoints. Web frontend projects can opt out of sending it and rely on cookies instead; the restriction in that case is that the frontend webapp and VYou must be deployed on the same domain, because the session cookie is scoped to it.

There is also a refresh token, used to obtain a new access token once the current one expires. The expiration time is configured in the VYou backoffice, in the tenant configuration.

Several endpoints require authorization. They are marked with a padlock icon in the Reference section.

To call a protected endpoint, this header is mandatory on every request:

`Authorization: Bearer <access_token>`

The access token is obtained at the end of the sign-up (or login) process. Take a look at the OpenIdCredentials object:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlVLUTJ(...)",
  "tenant_compliant": true,
  "tenant_consent_compliant": true,
  "token_type": "bearer",
  "id_token": "eyJraWQiOiJVS1EyaTdZY3JTaDZpQ3dkdjlmTXRCR3FBclVBOVdLMTV(...)",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IlVLUT(...)",
  "expires_in": 3598,
  "scope": "read write openid trust"
}
```
| Field | Type | Description |
|---|---|---|
| access_token | string | Token used to authorize calls to VYou endpoints. |
| tenant_compliant | boolean | Whether the user has filled in the fields required by the tenant's rules. |
| tenant_consent_compliant | boolean | Whether the user has given consent as required by the GDPR. |
| token_type | string | Always `bearer`. |
| id_token | string | Token that authenticates VYou users; it carries claims about the user. |
| refresh_token | string | Token used to obtain a new access token once the current one expires. |
| expires_in | long | Seconds until the access token expires, counted from when the response was issued. |
| scope | string | `read write openid trust` |
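How a client would consume this object, as an added example rather than VYou SDK or project code: it converts `expires_in` into an absolute instant at receipt time, refuses to attach a token that is about to expire, builds the refresh request, and surfaces the two tenant flags. The sample response is constructed with shortened token values, and the refresh request body assumes the standard OAuth 2.0 refresh_token grant shape (the actual endpoint is in the Reference section).

```python
import json
import time
from dataclasses import dataclass

# Constructed sample with the same shape as the OpenIdCredentials object above
# (token values shortened; they are not real tokens).
SAMPLE_CREDENTIALS = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.example.access",
    "tenant_compliant": True,
    "tenant_consent_compliant": False,
    "token_type": "bearer",
    "id_token": "eyJraWQiOiJ.example.id",
    "refresh_token": "eyJhbGciOiJSUzI1NiJ9.example.refresh",
    "expires_in": 3598,
    "scope": "read write openid trust",
})

# Refresh this many seconds before expires_at so a request never races the expiry.
REFRESH_MARGIN_SECONDS = 30


@dataclass
class TokenSet:
    access_token: str
    id_token: str
    refresh_token: str
    scope: str
    expires_at: float            # absolute time; expires_in only makes sense at receipt time
    tenant_compliant: bool
    tenant_consent_compliant: bool


def parse_credentials(body: str, now: float) -> TokenSet:
    """Turn the JSON response into a TokenSet, converting expires_in to an absolute instant."""
    data = json.loads(body)
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: " + repr(data.get("token_type")))
    return TokenSet(
        access_token=data["access_token"],
        id_token=data["id_token"],
        refresh_token=data["refresh_token"],
        scope=data["scope"],
        expires_at=now + int(data["expires_in"]),
        tenant_compliant=bool(data["tenant_compliant"]),
        tenant_consent_compliant=bool(data["tenant_consent_compliant"]),
    )


def needs_refresh(tokens: TokenSet, now: float) -> bool:
    """True once the access token is inside the safety margin or already expired."""
    return now >= tokens.expires_at - REFRESH_MARGIN_SECONDS


def auth_headers(tokens: TokenSet, now: float) -> dict:
    """Header for a padlocked endpoint; refuses to send a token that is (about to be) expired."""
    if needs_refresh(tokens, now):
        raise RuntimeError("access token expired or about to expire: refresh it first")
    return {"Authorization": "Bearer " + tokens.access_token}


def build_refresh_request(tokens: TokenSet, client_id: str) -> dict:
    """Form body for the refresh_token grant (assumed standard OAuth 2.0 shape)."""
    return {
        "grant_type": "refresh_token",
        "refresh_token": tokens.refresh_token,
        "client_id": client_id,
    }


def must_complete_onboarding(tokens: TokenSet) -> bool:
    """True when the tenant flags say the user still has to fill in required fields
    or give consent; the app should route the user there before normal use."""
    return not (tokens.tenant_compliant and tokens.tenant_consent_compliant)


if __name__ == "__main__":
    received_at = time.time()
    tokens = parse_credentials(SAMPLE_CREDENTIALS, received_at)
    print(auth_headers(tokens, received_at))
    print("onboarding pending:", must_complete_onboarding(tokens))
    print("needs refresh in an hour:", needs_refresh(tokens, received_at + 3600))
```

Persist `expires_at`, not `expires_in`: the latter is relative to the moment the response was issued and becomes wrong the instant it is stored. Treat the refresh token as a credential of its own (keep it out of logs and out of URL parameters).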

Finally, it is highly recommended to use the SDK for sign up.

# Reference