The Paylogic Auth Service is a Single Sign-On platform where a user can log in. Once logged in on the SSO, a user is logged in to all applications that implement the SSO.
Send a user to the SSO, which will send an authenticated user back to your application.
1. Send a user’s browser to the SSO at https://auth.paylogic.com/authorize with the following required query parameters: client_id, redirect_uri and response_type. The full URL looks something like https://auth.paylogic.com/authorize?client_id=myclientid&redirect_uri=https%3A%2F%2Fuser.example.org%2Fuser%2F&response_type=token%20id_token. Paylogic will issue a client_id value, which is usually a short, lowercase version of your organisation’s name.
2. If the user is already logged in on the SSO, we immediately redirect the user back to the value specified in redirect_uri with a fresh ID token and/or Access token. The access token can be used for direct communication with the Cognito API. Example redirect_uri with tokens: https://account.example.org/#id_token=...&access_token=...&token_type=Bearer&expires_in=3600
3. If the user is not logged in on the SSO, we ask the user to log in or sign up. Once the user has signed up and/or logged in, we send the user back to your application as described in step 2 of this list.
Paylogic will need a list of allowed redirect_uri’s, e.g. [https://example.org/*, https://demo.example.org/user/*]. The path component of each redirect URI can contain wildcards using the * character.
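The allow-list above is what keeps tokens from being redirected to an attacker-chosen location, so it is worth seeing concretely which candidate redirect_uri values such a list accepts. The matcher below is an added example, not Paylogic’s own code, and its matching rules are assumptions: the scheme and host of a candidate must equal those of an allow-list entry exactly (no wildcard in the host), and a * in the path matches any run of characters within the path.

```javascript
// Added example (not Paylogic's code): matching candidate redirect URIs
// against an allow-list with path wildcards. Assumed semantics: origin
// (scheme + host + port) must match exactly; "*" in the path matches any
// run of characters.

// Constructed allow-list, taken from the two examples in the text above.
const ALLOWED_REDIRECT_URIS = [
  "https://example.org/*",
  "https://demo.example.org/user/*",
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one allow-list entry into a checker. The origin is compared
// literally; the path becomes an anchored regular expression with "*" => ".*".
function compileRedirectPattern(pattern) {
  const allowed = new URL(pattern);
  const pathRe = new RegExp(
    "^" + allowed.pathname.split("*").map(escapeRegExp).join(".*") + "$"
  );
  return (candidate) => {
    let c;
    try {
      c = new URL(candidate);
    } catch {
      return false; // not a URL at all
    }
    // No wildcard in the origin, so "https://example.org.evil.test/..." and
    // "https://example.org@evil.test/..." (userinfo trick) never match
    // "https://example.org/*"; the query string is not part of the match.
    return c.origin === allowed.origin && pathRe.test(c.pathname);
  };
}

function isAllowedRedirectUri(candidate, allowList = ALLOWED_REDIRECT_URIS) {
  return allowList.some((p) => compileRedirectPattern(p)(candidate));
}
```

Note that a downgrade to http:// or a different port changes the origin and is therefore rejected as well; only the path is flexible.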
When a user logs in to the Auth Service, the user stays logged in for 30 days. Tokens passed by the Auth Service to client applications are valid for one hour.
If a user is logged out in your application, either because the user never logged in to your app or because the token expired, you can log in the user without any user interaction. Send the user to https://auth.paylogic.com/authorize and use the same parameters as step 1 of Basic login flow, but with prompt=none in the request parameters.
If the user is logged in on the SSO, the user is redirected back to your application with a fresh ID token and/or Access token.
If the user is no longer logged in on the SSO, the user is redirected back to your application with an error=interaction_required query parameter, meaning there’s interaction required from the user because they’re not logged in.
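The browser-side half of both the basic and the silent login flow is the same code: build the authorize URL, then interpret the URL the SSO redirects back to. The following is an added example, not Paylogic’s own code. The three required parameters and prompt=none come from the text above; the assumption is that the tokens arrive in the URL fragment as in the example redirect, and, since the text calls error=interaction_required a query parameter, both the query string and the fragment are checked for an error.

```javascript
// Added example (not Paylogic's code): building the /authorize URL and
// reading the SSO's redirect back to redirect_uri.

const AUTHORIZE_URL = "https://auth.paylogic.com/authorize";

// Build the authorize URL. client_id, redirect_uri and response_type are the
// required parameters; silent=true adds prompt=none for a silent login.
function buildAuthorizeUrl({
  clientId,
  redirectUri,
  responseType = "token id_token",
  silent = false,
}) {
  const params = [
    ["client_id", clientId],
    ["redirect_uri", redirectUri],
    ["response_type", responseType],
  ];
  if (silent) params.push(["prompt", "none"]);
  // encodeURIComponent yields %3A%2F%2F and %20, as in the documented URLs.
  const query = params
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("&");
  return `${AUTHORIZE_URL}?${query}`;
}

// Interpret the URL the SSO sent the browser back to (window.location.href).
// Tokens are in the fragment after "#"; an error may be in the query string
// (as the text describes) or in the fragment, so both are checked.
function parseAuthorizeResponse(locationHref, now = Date.now()) {
  const url = new URL(locationHref);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const error = url.searchParams.get("error") || fragment.get("error");
  if (error) {
    // error=interaction_required: the SSO session is gone; a silent login
    // cannot succeed, so show the user the regular login step instead.
    return { ok: false, error };
  }
  const idToken = fragment.get("id_token");
  const accessToken = fragment.get("access_token");
  const tokenType = fragment.get("token_type");
  const expiresIn = Number(fragment.get("expires_in"));
  if (
    (!idToken && !accessToken) ||
    tokenType !== "Bearer" ||
    !Number.isFinite(expiresIn) ||
    expiresIn <= 0
  ) {
    return { ok: false, error: "invalid_response" };
  }
  // In a browser, clear the fragment from the address bar after reading it
  // (history.replaceState) so the tokens do not linger in history or referrers.
  return {
    ok: true,
    idToken,
    accessToken,
    tokenType,
    // Absolute expiry (ms since epoch) so the app knows when to start a
    // silent re-login; the documented lifetime is one hour (expires_in=3600).
    expiresAt: now + expiresIn * 1000,
  };
}
```

The ID token is a signed JWT; before trusting its claims an application would still verify the signature and audience against the issuer, which is outside the scope of this snippet.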
Send a user to the logout page at https://auth.paylogic.com/logout with the required query parameters client_id and redirect_uri and the optional parameter state. This results in a URL looking like https://auth.paylogic.com/logout?client_id=myclientid&redirect_uri=https%3A%2F%2Faccount.example.org%2F.
Paylogic will log out the user on the SSO, and from the Cognito domain in case the user logged in with an external provider.
You should also log out the user locally in your own application by removing local id and/or access tokens in cookies or other storage.
You can verify that a user is logged out by checking the userinfo endpoint on the Cognito domain with the user’s access token, in which case the endpoint will respond with a 401 error.
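The three logout steps above (redirect to /logout, remove local tokens, confirm via userinfo) as an added example that is not Paylogic’s own code. The storage key names are this example’s own choice, the fetch function is injected so the check can be exercised without a network, and the userinfo URL is assumed to be the /oauth2/userInfo path on your Cognito domain, called with an Authorization: Bearer header.

```javascript
// Added example (not Paylogic's code): client-side logout handling.

const LOGOUT_URL = "https://auth.paylogic.com/logout";

// Keys under which this example keeps tokens in web storage (our own choice).
const TOKEN_KEYS = ["id_token", "access_token", "expires_at"];

function buildLogoutUrl({ clientId, redirectUri, state }) {
  const params = [
    ["client_id", clientId],
    ["redirect_uri", redirectUri],
  ];
  if (state !== undefined) params.push(["state", state]); // optional
  const query = params
    .map(([k, v]) => `${k}=${encodeURIComponent(v)}`)
    .join("&");
  return `${LOGOUT_URL}?${query}`;
}

// Step 1 + 2 together: read the access token (kept only to confirm the
// logout later), wipe every local copy, and return the URL to redirect to.
// `storage` is anything with getItem/removeItem (localStorage in a browser).
function startLogout({ clientId, redirectUri, state, storage }) {
  const accessToken = storage.getItem("access_token");
  for (const key of TOKEN_KEYS) storage.removeItem(key);
  // Tokens held in cookies would be expired the same way, e.g.
  // document.cookie = "access_token=; Max-Age=0; Secure; Path=/";
  return { logoutUrl: buildLogoutUrl({ clientId, redirectUri, state }), accessToken };
}

// Step 3: after the user is redirected back, ask userinfo with the old
// access token. A 401 confirms the SSO revoked it. Assumed endpoint shape:
// GET https://<your-cognito-domain>/oauth2/userInfo with a Bearer header.
function isAccessTokenRevoked(userinfoUrl, accessToken, fetchImpl = fetch) {
  return fetchImpl(userinfoUrl, {
    headers: { Authorization: `Bearer ${accessToken}` },
  }).then((res) => res.status === 401);
}
```

Keeping the old access token in memory only, and never writing it back to storage, is what makes the verification step safe: the local copies are gone before the browser ever leaves the page.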
Once you have a valid Access token for a user, you can communicate directly with Cognito, for example to fetch or update user details.
You can find the full documentation for Cognito here.
Cognito has SDKs for all popular programming languages, such as Python, Go, PHP and JavaScript.