
Login

The following steps describe a custom user login flow and how to access user data on your website or in your application. Wicket implements the OAuth 2 PKCE flow (RFC 7636) for integration.

sequenceDiagram
    autonumber
    participant U as User
    participant I as Integrator app
    participant W as Wicket
    U->>I: Click login
    I->>I: Generate and save Code Verifier and Code Challenge
    I->>W: Redirect to Wicket with Code Challenge
    W->>U: Ask to login/register, require necessary data, consents 
    W->>I: Redirect with Authorization Code
    I->>W: Request tokens by Authorization Code and Code Verifier
    W->>W: Validate Code Verifier and Challenge
    W->>I: Return requested Tokens

1. Redirect to Wicket

To initiate the login process, redirect the user to the Wicket login form.

Redirect URL structure

https://<wicket-base-url>/<wicket-route>?application_id=<application_id>&backurl=<backurl>&code_challenge=<code_challenge>&code_challenge_method=<code_challenge_method>

<wicket-base-url> - Wicket application URL.

<wicket-route> - Wicket route for the intended view, e.g. the login or register view.

<application_id> - ID specific to each integrator.

<backurl> - URL to which the user is redirected back to the website / application: typically the exact URL from which the login process was initiated. Encode this value with encodeURIComponent if the backurl itself contains query parameters; otherwise its own `?` and `&` will be read as separators of the Wicket URL.

<code_challenge> - SHA256 hash of <code_verifier>. In standard PKCE (RFC 7636, method S256) the digest is base64url-encoded without padding; confirm the expected encoding with Wicket before going live, since a mismatch makes every token request fail at the verifier check.

<code_verifier> - Random, cryptographically strong string of 64 to 128 characters. Generate it with a CSPRNG, keep it only on the integrator side (never in the redirect URL), and store it for the duration of the login so it can be presented in the token request.

<code_challenge_method> - Optional; the default (and currently the only supported) method is SHA256.

Tip

When the backurl is supplied to the two Wicket routes /logowanie (login) and /rejestracja (register), the user is redirected back as soon as they are logged in with all required agreements and data. Supplying a backurl to other routes while the user is already logged in lets the user visit their account and return when the return button is pressed or when the user logs out.

2. Login or Register (Wicket application)

The user logs into Wicket by one of the available methods, or registers a new Wicket account, confirms the account and logs in.

3. Redirect from Wicket

After a successful login or logout, the user is redirected from Wicket back to the URL from which the login process was initiated. The user's state is indicated by a query parameter appended to that URL:

  • code=<Authorization Code> - if this parameter is present, the user has logged in (request and store the user login response object; the code is single-use and worthless without the Code Verifier)
  • logout=true - if this parameter is present, the user has logged out (remove the user from local storage and clear all data)

4. Request and store user login response data

At this point the user's tokens have already been created and can be retrieved through the Wicket API endpoint /api/v2/identity/auth/token.

This endpoint verifies the Authorization Code together with the Code Verifier (recomputing the challenge from the verifier and comparing it with the one sent in step 1) and returns the tokens in the response:

{
  "token_type": "Bearer",
  "id_token": "string",
  "access_token": "string",
  "refresh_token": "string"
}

5. You can now use the Wicket API as the user!

You are now authorized and can start using the profile API with the access token. For example, you can get the user's personal data from the Wicket API /api/v2/data/user endpoint.