AuthSession
is the easiest way to add web browser based authentication (for example, browser-based OAuth flows) to your app, built on top of WebBrowser, Crypto, and Random. If you would like to understand how it does this, read this document from top to bottom. If you just want to use it, jump to the Authentication Guide.Android Device | Android Emulator | iOS Device | iOS Simulator | Web |
---|---|---|---|---|
expo-random
is a peer dependency and must be installed alongsideexpo-auth-session
.
→
expo install expo-auth-session expo-random
If you're installing this in a bare React Native app, you should also follow these additional installation instructions.
uri-scheme
package to easily add, remove, list, and open your URIs.mycoolredirect://
simply run:→
npx uri-scheme add mycoolredirect
→
npx uri-scheme list
# Rebuild the native apps, be sure to use an emulator
yarn android
yarn ios
# Open a URI scheme
npx uri-scheme open mycoolredirect://some/redirect
{ "expo": { "scheme": "mycoolredirect" } }
scheme
in your project app.config.js, or app.json, and then build your standalone app (it can't be updated with an update). If you do not include a scheme, the authentication flow will complete but it will be unable to pass the information back into your application and the user will have to manually exit the authentication modal (resulting in a cancelled event).The guides have moved: Authentication Guide.
Theauth.expo.io
proxy is only used whenstartAsync
is called, or whenuseProxy: true
is passed to thepromptAsync()
method of anAuthRequest
.
AuthSession
handles most of the app-side responsibilities for you:authUrl
, you must provide it) in a web browser that shares cookies with your system browser.AuthSession
simplifies setting up authorized redirect URLs by using an Expo service that sits between you and your authentication provider (read Security considerations for caveats). This is particularly valuable with Expo because your app can live at various URLs. In development, you can have a tunnel URL, a lan URL, and a localhost URL. The tunnel URL on your machine for the same app will be different from a co-worker's machine. When you publish your app, that will be another URL that you need to allowlist. If you have multiple environments that you publish to, each of those will also need to be allowlisted. AuthSession
gets around this by only having you allowlist one URL with your authentication provider: https://auth.expo.io/@your-username/your-app-slug
. When authentication is successful, your authentication provider will redirect to that Expo Auth URL, and then the Expo Auth service will redirect back to your application. If the URL that the auth service is redirecting back to does not match the published URL for the app or the standalone app scheme (eg: exp://expo.dev/@your-username/your-app-slug
, or yourscheme://
), then it will show a warning page before asking the user to sign in. This means that in development you will see this warning page when you sign in, a small price to pay for the convenience.AuthSession
, it first visits https://auth.expo.io/@your-username/your-app-slug/start
and passes in the authUrl
and returnUrl
(the URL to redirect back to your application) in the query parameters. The Expo Auth service saves away the returnUrl
(and if it is not a published URL or your registered custom theme, shows a warning page) and then sends the user off to the authUrl
. When the authentication provider redirects back to https://auth.expo.io/@your-username/your-app-slug
on success, the Expo Auth services redirects back to the returnUrl
that was provided on initiating the authentication flow.import * as AuthSession from 'expo-auth-session';
Name | Type | Description |
---|---|---|
config | AuthRequestConfig | A valid AuthRequestConfig that specifies what provider to use. |
discovery | null | DiscoveryDocument | A loaded DiscoveryDocument with endpoints used for authenticating.
Only authorizationEndpoint is required for requesting an authorization code. |
Load an authorization request for a code. When the prompt method completes then the response will be fulfilled.
In order to close the popup window on web, you need to invokeWebBrowser.maybeCompleteAuthSession()
. See the Identity example for more info.
If an Implicit grant flow was used, you can pass the response.params
to TokenResponse.fromQueryParams()
to get a TokenResponse
instance which you can use to easily refresh the token.
const [request, response, promptAsync] = useAuthRequest({ ... }, { ... });
[AuthRequest | null, AuthSessionResult | null, (options: AuthRequestPromptOptions) => Promise<AuthSessionResult>]
Returns a loaded request, a response, and a prompt method in a single array in the following order:
request
- An instance of AuthRequest
that can be used to prompt the user for authorization.
This will be null
until the auth request has finished loading.response
- This is null
until promptAsync
has been invoked. Once fulfilled it will return information about the authorization.promptAsync
- When invoked, a web browser will open up and prompt the user for authentication.
Accepts an AuthRequestPromptOptions
object with options about how the prompt will execute.
You can use this to enable the Expo proxy service auth.expo.io
.Name | Type | Description |
---|---|---|
issuerOrDiscovery | IssuerOrDiscovery | URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. |
Given an OpenID Connect issuer URL, this will fetch and return the DiscoveryDocument
(a collection of URLs) from the resource provider.
const discovery = useAutoDiscovery('https://example.com/auth');
DiscoveryDocument | null
Returns null
until the DiscoveryDocument
has been fetched from the provided issuer URL.
Type: Class extends TokenRequest<AccessTokenRequestConfig>
implements AccessTokenRequestConfig
Access token request. Exchange an authorization code for a user access token.
Name | Type | Description |
---|---|---|
discovery | Pick<DiscoveryDocument, 'tokenEndpoint'> | - |
Type: Class extends ResponseError
Represents an authorization response error: Section 5.2. Often times providers will fail to return the proper error message for a given error code. This error method will add the missing description for more context on what went wrong.
Type: string
Optional • Type: string
Used to assist the client developer in understanding the error that occurred.
Optional • Type: any
Type: string
Type: string
Optional • Type: string
Optional • Type: string
A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
Optional • Type: (err: Error, stackTraces: CallSite[]) => any
Type: number
Name | Type | Description |
---|---|---|
targetObject | object | - |
constructorOpt (optional) | Function | - |
Create .stack property on a target object
void
Type: Class implements Omit<AuthRequestConfig, 'state'>
Used to manage an authorization request according to the OAuth spec: [Section 4.1.1][https://tools.ietf.org/html/rfc6749#section-4.1.1]. You can use this class directly for more info around the authorization.
Common use-cases:
parseReturnUrlAsync()
.makeAuthUrlAsync()
.getAuthRequestConfigAsync()
.// Create a request. const request = new AuthRequest({ ... }); // Prompt for an auth code const result = await request.promptAsync(discovery, { useProxy: true }); // Get the URL to invoke const url = await request.makeAuthUrlAsync(discovery); // Get the URL to invoke const parsed = await request.parseReturnUrlAsync("<URL From Server>");
Optional • Type: string
Type: null | string
• Default: null
Load and return a valid auth request based on the input config.
Name | Type | Description |
---|---|---|
discovery | AuthDiscoveryDocument | - |
promptOptions (optional) | AuthRequestPromptOptions | - |
Prompt a user to authorize for a code.
Type: Class extends TokenRequest<RefreshTokenRequestConfig>
implements RefreshTokenRequestConfig
Refresh request.
Name | Type | Description |
---|---|---|
discovery | Pick<DiscoveryDocument, 'tokenEndpoint'> | - |
Type: Class extends Request<RevokeTokenRequestConfig, boolean>
implements RevokeTokenRequestConfig
Revocation request for a given token.
Type: Class extends ResponseError
Type: string
Optional • Type: string
Used to assist the client developer in understanding the error that occurred.
Optional • Type: any
Type: string
Type: string
Optional • Type: string
Optional • Type: string
A URI identifying a human-readable web page with information about the error, used to provide the client developer with additional information about the error.
Optional • Type: (err: Error, stackTraces: CallSite[]) => any
Type: number
Name | Type | Description |
---|---|---|
targetObject | object | - |
constructorOpt (optional) | Function | - |
Create .stack property on a target object
void
Type: Class implements TokenResponseConfig
Token Response.
Name | Type | Description |
---|---|---|
params | Record<string, any> | - |
Creates a TokenResponse
from query parameters returned from an AuthRequest
.
Name | Type | Description |
---|---|---|
token | Pick<TokenResponse, 'expiresIn' | 'issuedAt'> | - |
secondsMargin (optional) | number | - |
Determines whether a token refresh request must be made to refresh the tokens
boolean
Name | Type | Description |
---|---|---|
config | Omit<TokenRequestConfig, 'grantType' | 'refreshToken'> | - |
discovery | Pick<DiscoveryDocument, 'tokenEndpoint'> | - |
Cancels an active AuthSession
if there is one. No return value, but if there is an active AuthSession
then the Promise returned by the AuthSession.startAsync()
that initiated it resolves to { type: 'dismiss' }
.
void
Name | Type | Description |
---|---|---|
config | AccessTokenRequestConfig | Configuration used to exchange the code for a token. |
discovery | Pick<DiscoveryDocument, 'tokenEndpoint'> | The tokenEndpoint for a provider. |
Exchange an authorization code for an access token that can be used to get data from the provider.
Returns a discovery document with a valid tokenEndpoint
URL.
Name | Type | Description |
---|---|---|
issuer | string | An Issuer URL to fetch from. |
Fetch a DiscoveryDocument
from a well-known resource provider that supports auto discovery.
Returns a discovery document that can be used for authentication.
Name | Type | Description |
---|---|---|
config | Pick<TokenResponse, 'accessToken'> | The accessToken for a user, returned from a code exchange or auth request. |
discovery | Pick<DiscoveryDocument, 'userInfoEndpoint'> | The userInfoEndpoint for a provider. |
Fetch generic user info from the provider's OpenID Connect userInfoEndpoint
(if supported).
See: UserInfo.
Promise<Record<string, any>>
Name | Type | Description |
---|---|---|
size | number | - |
Digest a random string with hex encoding, useful for creating nonce
s.
Promise<string>
Name | Type | Description |
---|---|---|
urlPath (optional) | string | - |
options (optional) | Omit<CreateURLOptions, 'queryParams'> | - |
string
makeRedirectUri({ path, useProxy })
instead.Name | Type | Description |
---|---|---|
path (optional) | string | - |
Get the URL that your authentication provider needs to redirect to. For example: https://auth.expo.io/@your-username/your-app-slug
. You can pass an additional path component to be appended to the default redirect URL.
Note This method will throw an exception if you're using the bare workflow on native.
const url = AuthSession.getRedirectUrl('redirect'); // Managed: https://auth.expo.io/@your-username/your-app-slug/redirect // Web: https://localhost:19006/redirect
string
Name | Type | Description |
---|---|---|
config | AuthRequestConfig | A valid AuthRequestConfig that specifies what provider to use. |
issuerOrDiscovery | IssuerOrDiscovery | A loaded DiscoveryDocument or issuer URL.
(Only authorizationEndpoint is required for requesting an authorization code). |
Build an AuthRequest
and load it before returning.
Returns an instance of AuthRequest
that can be used to prompt the user for authorization.
Name | Type | Description |
---|---|---|
options (optional) | AuthSessionRedirectUriOptions | Additional options for configuring the path. Default: {} |
Create a redirect url for the current platform and environment. You need to manually define the redirect that will be used in a bare workflow React Native app, or an Expo standalone app, this is because it cannot be inferred automatically.
window.location
. For production web apps, you should hard code the URL as well.scheme
property of your app.config.js
or app.json
.
auth.expo.io
as the base URL for the path. This only works in Expo Go and standalone environments.native
option for bare workflow React Native apps.const redirectUri = makeRedirectUri({ scheme: 'my-scheme', path: 'redirect' }); // Development Build: my-scheme://redirect // Expo Go: exp://127.0.0.1:19000/--/redirect // Web dev: https://localhost:19006/redirect // Web prod: https://yourwebsite.com/redirect const redirectUri2 = makeRedirectUri({ scheme: 'scheme2', preferLocalhost: true, isTripleSlashed: true, }); // Development Build: scheme2:/// // Expo Go: exp://localhost:19000 // Web dev: https://localhost:19006 // Web prod: https://yourwebsite.com const redirectUri3 = makeRedirectUri({ useProxy: true, }); // Development Build: https://auth.expo.io/@username/slug // Expo Go: https://auth.expo.io/@username/slug // Web dev: https://localhost:19006 // Web prod: https://yourwebsite.com
string
The redirectUri
to use in an authentication request.
Name | Type | Description |
---|---|---|
config | RefreshTokenRequestConfig | Configuration used to refresh the given access token. |
discovery | Pick<DiscoveryDocument, 'tokenEndpoint'> | The tokenEndpoint for a provider. |
Refresh an access token.
refresh_token
then the access token may not be refreshed.expires_in
then it's assumed that the token does not expire.TokenResponse.isTokenFresh()
or shouldRefresh()
on an instance of TokenResponse
.See: Section 6.
Returns a discovery document with a valid tokenEndpoint
URL.
Name | Type | Description |
---|---|---|
issuerOrDiscovery | IssuerOrDiscovery | - |
Utility method for resolving the discovery document from an issuer or object.
Name | Type | Description |
---|---|---|
config | RevokeTokenRequestConfig | Configuration used to revoke a refresh or access token. |
discovery | Pick<DiscoveryDocument, 'revocationEndpoint'> | The revocationEndpoint for a provider. |
Revoke a token with a provider. This makes the token unusable, effectively requiring the user to login again.
Promise<boolean>
Returns a discovery document with a valid revocationEndpoint
URL. Many providers do not support this feature.
Name | Type | Description |
---|---|---|
options | AuthSessionOptions | An object of type AuthSessionOptions . |
Initiate a proxied authentication session with the given options. Only one AuthSession
can be active at any given time in your application.
If you attempt to open a second session while one is still in progress, the second session will return a value to indicate that AuthSession
is locked.
Returns a Promise that resolves to an AuthSessionResult
object.
Extends: TokenRequestConfig
Config used to exchange an authorization code for an access token.
See: Section 4.1.3
Name | Type | Description |
---|---|---|
code | string | The authorization code received from the authorization server. |
redirectUri | string | If the redirectUri parameter was included in the AuthRequest , then it must be supplied here as well.Section 3.1.2 |
Represents an OAuth authorization request as JSON.
Name | Type | Description |
---|---|---|
clientId | string | A unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and shouldn't be used alone for client authentication.The client identifier is unique to the authorization server. Section 2.2 |
clientSecret (optional) | string | Client secret supplied by an auth provider. There is no secure way to store this on the client.Section 2.3.1 |
codeChallenge (optional) | string | Derived from the code verifier by using the CodeChallengeMethod .Section 4.2 |
codeChallengeMethod (optional) | CodeChallengeMethod | Method used to generate the code challenge. You should never use Plain as it's not good enough for secure verification.Default: CodeChallengeMethod.S256
|
extraParams (optional) | Record<string, string> | Extra query params that'll be added to the query string. |
prompt (optional) | Prompt | Informs the server if the user should be prompted to login or consent again. This can be used to present a dialog for switching accounts after the user has already been logged in.Section 3.1.2.1 |
redirectUri | string | After completing an interaction with a resource owner the server will redirect to this URI. Learn more about linking in Expo.Section 3.1.2 |
responseType (optional) | string | Specifies what is returned from the authorization server.Section 3.1.1 Default: ResponseType.Code
|
scopes (optional) | string[] | List of strings to request access to.Section 3.3 |
state (optional) | string | Used for protection against Cross-Site Request Forgery. |
usePKCE (optional) | boolean | Should use Proof Key for Code Exchange. Default: true
|
Name | Type | Description |
---|---|---|
authorizationEndpoint (optional) | string | Used to interact with the resource owner and obtain an authorization grant.Section 3.1 |
discoveryDocument (optional) | ProviderMetadata | All metadata about the provider. |
endSessionEndpoint (optional) | string | URL at the OP to which an RP can perform a redirect to request that the End-User be logged out at the OP.OPMetadata |
registrationEndpoint (optional) | string | URL of the OP's Dynamic Client Registration Endpoint. |
revocationEndpoint (optional) | string | Used to revoke a token (generally for signing out). The spec requires a revocation endpoint, but some providers (like Spotify) do not support one.Section 2.1 |
tokenEndpoint (optional) | string | Used by the client to obtain an access token by presenting its authorization grant or refresh token. The token endpoint is used with every authorization grant except for the implicit grant type (since an access token is issued directly).Section 3.2 |
userInfoEndpoint (optional) | string | URL of the OP's UserInfo Endpoint used to return info about the authenticated user.UserInfo |
Extends: ProviderAuthRequestConfig
Name | Type | Description |
---|---|---|
androidClientId (optional) | string | - |
expoClientId (optional) | string | - |
iosClientId (optional) | string | - |
webClientId (optional) | string | - |
Extends: ProviderAuthRequestConfig
Name | Type | Description |
---|---|---|
androidClientId (optional) | string | Android native client ID for use in standalone, and bare workflow.This Google Client ID must be setup as follows:
|
expoClientId (optional) | string | Proxy client ID for use in the Expo client on iOS and Android.This Google Client ID must be setup as follows:
|
iosClientId (optional) | string | iOS native client ID for use in standalone, bare workflow, and custom clients.This Google Client ID must be setup as follows:
|
language (optional) | string | Language code ISO 3166-1 alpha-2 region code, such as 'it' or 'pt-PT'. |
loginHint (optional) | string | If the user's email address is known ahead of time, it can be supplied to be the default option. If the user has approved access for this app in the past then auth may return without any further interaction. |
selectAccount (optional) | boolean | When true , the service will allow the user to switch between accounts (if possible).Default: false.
|
shouldAutoExchangeCode (optional) | boolean | Should the hook automatically exchange the response code for an authentication token.Defaults to true on installed apps (iOS, Android) when ResponseType.Code is used (default). |
webClientId (optional) | string | Expo web client ID for use in the browser.This Google Client ID must be setup as follows:
|
Extends: TokenRequestConfig
Config used to request a token refresh, or code exchange.
See: Section 6
Name | Type | Description |
---|---|---|
refreshToken (optional) | string | The refresh token issued to the client. |
Extends: Partial<TokenRequestConfig>
Config used to revoke a token.
See: Section 2.1
Name | Type | Description |
---|---|---|
token | string | The token that the client wants to get revoked.Section 3.1 |
tokenTypeHint (optional) | TokenTypeHint | A hint about the type of the token submitted for revocation.Section 3.2 |
Object returned from the server after a token response.
Name | Type | Description |
---|---|---|
access_token | string | - |
expires_in (optional) | number | - |
id_token (optional) | string | - |
issued_at (optional) | number | - |
refresh_token (optional) | string | - |
scope (optional) | string | - |
token_type (optional) | TokenType | - |
Config used to request a token refresh, revocation, or code exchange.
Name | Type | Description |
---|---|---|
clientId | string | A unique string representing the registration information provided by the client. The client identifier is not a secret; it is exposed to the resource owner and shouldn't be used alone for client authentication.The client identifier is unique to the authorization server. Section 2.2 |
clientSecret (optional) | string | Client secret supplied by an auth provider. There is no secure way to store this on the client.Section 2.3.1 |
extraParams (optional) | Record<string, string> | Extra query params that'll be added to the query string. |
scopes (optional) | string[] | List of strings to request access to.Section 3.3 |
Name | Type | Description |
---|---|---|
accessToken | string | The access token issued by the authorization server.Section 4.2.2 |
expiresIn (optional) | number | The lifetime in seconds of the access token.For example, the value 3600 denotes that the access token will
expire in one hour from the time the response was generated.
If omitted, the authorization server should provide the
expiration time via other means or document the default value.
Section 4.2.2 |
idToken (optional) | string | ID Token value associated with the authenticated session.TokenResponse |
issuedAt (optional) | number | Time in seconds when the token was received by the client. |
refreshToken (optional) | string | The refresh token, which can be used to obtain new access tokens using the same authorization grant.Section 5.1 |
scope (optional) | string | The scope of the access token. Only required if it's different to the scope that was requested by the client.Section 3.3 |
state (optional) | string | Required if the "state" parameter was present in the client authorization request. The exact value received from the client.Section 4.2.2 |
tokenType (optional) | TokenType | The type of the token issued. Value is case insensitive.Section 7.1 |
Options passed to the promptAsync()
method of AuthRequest
s.
This can be used to configure how the web browser should look and behave.
Omit<WebBrowserOpenOptions, 'windowFeatures'>
extended by:
Name | Type | Description |
---|---|---|
projectNameForProxy (optional) | string | Project name to use for the `auth.expo.io` proxy when useProxy is true. |
proxyOptions (optional) | Omit<CreateURLOptions, 'queryParams'> & {
path: string
} | URL options to be used when creating the redirect URL for the auth proxy. |
url (optional) | string | URL to open when prompting the user. This usually should be defined internally and left undefined in most cases. |
useProxy (optional) | boolean | Should the authentication request use the Expo proxy service auth.expo.io .Default: false
|
windowFeatures (optional) | WebBrowserWindowFeatures | Only for: Web
Features to use with window.open() . |
Name | Type | Description |
---|---|---|
authUrl | string | The URL that points to the sign in page that you would like to open the user to. |
projectNameForProxy (optional) | string | Project name to use for the `auth.expo.io` proxy. |
returnUrl (optional) | string | The URL to return to the application. In managed apps, it's optional and defaults to output of Linking.createURL('expo-auth-session', params)
call with scheme and queryParams params. However, in the bare app, it's required - AuthSession needs to know where to wait for the response.
Hence, this method will throw an exception, if you don't provide returnUrl . |
showInRecents (optional) | boolean | Only for: Android
A boolean determining whether browsed website should be shown as separate entry in Android recents/multitasking view. Default: false |
Options passed to makeRedirectUriAsync
.
Name | Type | Description |
---|---|---|
isTripleSlashed (optional) | boolean | Should the URI be triple slashed scheme:///path or double slashed scheme://path .
Defaults to false .
Passed to Linking.createURL() when useProxy is false . |
native (optional) | string | Manual scheme to use in Bare and Standalone native app contexts. Takes precedence over all other properties.
You must define the URI scheme that will be used in a custom built native application or standalone Expo application.
The value should conform to your native app's URI schemes.
You can see conformance with npx uri-scheme list . |
path (optional) | string | Optional path to append to a URI. This will not be added to native . |
preferLocalhost (optional) | boolean | Attempt to convert the Expo server IP address to localhost.
This is useful for testing when your IP changes often, this will only work for iOS simulator. Default: false
|
projectNameForProxy (optional) | string | Project name to use for the `auth.expo.io` proxy when useProxy is true. |
queryParams (optional) | Record<string, string | undefined> | Optional native scheme to use when proxy is disabled.
URI protocol <scheme>:// that must be built into your native app.
Passed to Linking.createURL() when useProxy is false . |
scheme (optional) | string | URI protocol <scheme>:// that must be built into your native app.
Passed to Linking.createURL() when useProxy is false . |
useProxy (optional) | boolean | Should use the `auth.expo.io` proxy.
This is useful for testing managed native apps that require a custom URI scheme. Default: false
|
Object returned after an auth request has completed.
{ type: 'cancel' }
.AuthSession.dismiss()
, the result is { type: 'dismiss' }
.{ type: 'success', params: Object, event: Object }
.{ type: 'error', params: Object, error: string, event: Object }
.AuthSession.startAsync()
more than once before the first call has returned, the result is { type: 'locked' }
,
because only one AuthSession
can be in progress at any time.Name | Type | Description |
---|---|---|
type | 'cancel' | 'dismiss' | 'opened' | 'locked' | How the auth completed. |
Name | Type | Description |
---|---|---|
authentication | TokenResponse | null | Returned when the auth finishes with an access_token property. |
error (optional) | AuthError | null | Possible error if the auth failed with type error . |
errorCode | string | null | Deprecated. Legacy error code query param, use error instead. |
params | Record<string, string> | Query params from the url as an object. |
type | 'error' | 'success' | How the auth completed. |
url | string | Auth URL that was opened |
URL using the https
scheme with no query or fragment component that the OP asserts as its Issuer Identifier.
Type: string
Acceptable values are: Issuer
, DiscoveryDocument
.
OpenID Providers have metadata describing their configuration. ProviderMetadata
Record<string, string | boolean | string[]>
ProviderMetadataEndpoints
extended by:
Name | Type | Description |
---|---|---|
backchannel_logout_session_supported (optional) | boolean | - |
backchannel_logout_supported (optional) | boolean | - |
check_session_iframe (optional) | string | - |
claim_types_supported (optional) | string[] | a list of the Claim Types that the OpenID Provider supports. |
claims_locales_supported (optional) | string[] | Languages and scripts supported for values in Claims being returned. |
claims_parameter_supported (optional) | boolean | Boolean value specifying whether the OP supports use of the claims parameter, with true indicating support.Default: false
|
claims_supported (optional) | string[] | a list of the Claim Names of the Claims that the OpenID Provider may be able to supply values for. Note that for privacy or other reasons, this might not be an exhaustive list. |
code_challenge_methods_supported (optional) | CodeChallengeMethod[] | - |
display_values_supported (optional) | string[] | a list of the display parameter values that the OpenID Provider supports. |
frontchannel_logout_session_supported (optional) | boolean | - |
frontchannel_logout_supported (optional) | boolean | - |
grant_types_supported (optional) | string[] | JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports. Dynamic OpenID Providers MUST support the authorization_code and implicit Grant Type values and MAY support other Grant Types. If omitted, the default value is ["authorization_code", "implicit"]. |
id_token_signing_alg_values_supported (optional) | string[] | JSON array containing a list of the JWS signing algorithms (alg values) supported by the OP for the ID Token to encode the Claims in a JWT. The algorithm RS256 MUST be included. |
jwks_uri (optional) | string | URL of the OP's JSON Web Key Set JWK document. |
op_policy_uri (optional) | string | URL that the OpenID Provider provides to the person registering the Client to read about the OP's requirements on how the Relying Party can use the data provided by the OP. The registration process SHOULD display this URL to the person registering the Client if it is given. |
op_tos_uri (optional) | string | URL that the OpenID Provider provides to the person registering the Client to read about OpenID Provider's terms of service. The registration process should display this URL to the person registering the Client if it is given. |
request_parameter_supported (optional) | boolean | Boolean value specifying whether the OP supports use of the request parameter, with true indicating support.Default: false
|
request_uri_parameter_supported (optional) | boolean | Whether the OP supports use of the request_uri parameter, with true indicating support.Default: true
|
require_request_uri_registration (optional) | boolean | Whether the OP requires any request_uri values used to be pre-registered using the request_uris registration parameter.
Pre-registration is required when the value is true .Default: false
|
response_modes_supported (optional) | string[] | JSON array containing a list of the OAuth 2.0 response_mode values that this OP supports,
as specified in OAuth 2.0 Multiple Response Type Encoding Practices.
If omitted, the default for Dynamic OpenID Providers is ["query", "fragment"] . |
response_types_supported (optional) | string[] | JSON array containing a list of the OAuth 2.0 response_type values that this OP supports.
Dynamic OpenID Providers must support the code , id_token , and the token id_token Response Type values |
scopes_supported (optional) | string[] | JSON array containing a list of the OAuth 2.0 RFC6749 scope values that this server supports. |
service_documentation (optional) | string | URL of a page containing human-readable information that developers might want or need to know when using the OpenID Provider. In particular, if the OpenID Provider does not support Dynamic Client Registration, then information on how to register Clients needs to be provided in this documentation. |
subject_types_supported (optional) | string[] | JSON array containing a list of the Subject Identifier types that this OP supports.
Valid types include pairwise and public . |
token_endpoint_auth_methods_supported (optional) | ('client_secret_post' | 'client_secret_basic' | 'client_secret_jwt' | 'private_key_jwt' | string)[] | A list of Client authentication methods supported by this Token Endpoint.
If omitted, the default is ['client_secret_basic'] |
ui_locales_supported (optional) | string[] | Languages and scripts supported for the user interface, represented as a JSON array of BCP47 language tag values. |
CodeChallengeMethod.Plain = "plain"
This should not be used. When used, the code verifier will be sent to the server as-is.
CodeChallengeMethod.S256 = "S256"
The default and recommended method for transforming the code verifier.
Grant type values used in dynamic client registration and auth requests.
See: Appendix A.10
GrantType.AuthorizationCode = "authorization_code"
Used for exchanging an authorization code for one or more tokens.
GrantType.ClientCredentials = "client_credentials"
Used for client credentials flow.
GrantType.RefreshToken = "refresh_token"
Used when exchanging a refresh token for a new token.
Informs the server if the user should be prompted to login or consent again. This can be used to present a dialog for switching accounts after the user has already been logged in. You should use this in favor of clearing cookies (which is mostly not possible on iOS).
See: Section 3.1.2.1.
Prompt.Consent = "consent"
Server should prompt the user for consent before returning information to the client.
If it cannot obtain consent, it must return an error, typically consent_required
.
Prompt.Login = "login"
The server should prompt the user to reauthenticate.
If it cannot reauthenticate the End-User, it must return an error, typically login_required
.
Prompt.None = "none"
Server must not display any auth or consent UI. Can be used to check for existing auth or consent.
An error is returned if a user isn't already authenticated or the client doesn't have pre-configured consent for the requested claims, or does not fulfill other conditions for processing the request.
The error code will typically be login_required
, interaction_required
, or another code defined in Section 3.1.2.6.
Prompt.SelectAccount = "select_account"
Server should prompt the user to select an account. Can be used to switch accounts.
If it can't obtain an account selection choice made by the user, it must return an error, typically account_selection_required
.
The client informs the authorization server of the desired grant type by using the response type.
See: Section 3.1.1.
ResponseType.IdToken = "id_token"
A custom registered type for getting an id_token
from Google OAuth.
ResponseType.Token = "token"
For requesting an access token (implicit grant) as described by Section 4.2.1.
A hint about the type of the token submitted for revocation. If not included then the server should attempt to deduce the token type.
See: Section 2.1
language
.import * as Google from 'expo-auth-session/providers/google';
loginHint
parameter. If the user's email address is known ahead of time, it can be supplied to be the default option.['openid', 'https://www.googleapis.com/auth/userinfo.profile', 'https://www.googleapis.com/auth/userinfo.email']
for optimal usage with services like Firebase and Auth0.code
will be automatically exchanged for an access token. This can be overridden with shouldAutoExchangeCode
.redirectUriOptions.useProxy
.{ width: 515, height: 680 }
).GoogleAuthRequestConfig
) - A GoogleAuthRequestConfig
object with client IDs for each platform that should be supported.AuthSessionRedirectUriOptions
) - Optional properties used to construct the redirect URI (passed to makeRedirectUriAsync()
).GoogleAuthRequest | null
) - An instance of GoogleAuthRequest
that can be used to prompt the user for authorization. This will be null
until the auth request has finished loading.AuthSessionResult | null
) - This is null
until promptAsync
has been invoked. Once fulfilled it will return information about the authorization.function
) - When invoked, a web browser will open up and prompt the user for authentication. Accepts an AuthRequestPromptOptions
object with options about how the prompt will execute. This should not be used to enable the Expo proxy service auth.expo.io
, as the proxy will be automatically enabled based on the platform.DiscoveryDocument
object containing the discovery URLs used for Google auth.import * as Facebook from 'expo-auth-session/providers/facebook';
ResponseType.Token
) by default.['public_profile', 'email']
for optimal usage with services like Firebase and Auth0.display=popup
for better UI results.facebookScheme: 'fb<YOUR FBID>'
.{ width: 700, height: 600 }
FacebookAuthRequestConfig
) - A FacebookAuthRequestConfig
object with client IDs for each platform that should be supported.AuthSessionRedirectUriOptions
) - Optional properties used to construct the redirect URI (passed to makeRedirectUriAsync()
).FacebookAuthRequest | null
) - An instance of FacebookAuthRequest
that can be used to prompt the user for authorization. This will be null
until the auth request has finished loading.AuthSessionResult | null
) - This is null
until promptAsync
has been invoked. Once fulfilled it will return information about the authorization.function
) - When invoked, a web browser will open up and prompt the user for authentication. Accepts an AuthRequestPromptOptions
object with options about how the prompt will execute.DiscoveryDocument
object containing the discovery URLs used for Facebook auth.AuthSession
uses Expo servers to create a proxy between your application and the auth provider. If you'd like, you can also create your own proxy service.const http = require('http'); const url = require('url'); const PORT = PORT; const DEEP_LINK = DEEP_LINK_TO_YOUR_APPLICATION; const redirect = (response, url) => { response.writeHead(302, { Location: url, }); response.end(); } http .createServer((request, response) => { // get parameters from request const parameters = url.parse(request.url, true).query; // if parameters contain authServiceUrl, this request comes from the application if (parameters.authServiceUrl) { // redirect user to the authUrl redirect(response, decodeURIComponent(parameters.authServiceUrl)); return; } // redirect response from the auth service to your application redirect(response, DEEP_LINK); }) .listen(PORT);
const authServiceUrl = encodeURIComponent(YOUR_AUTH_URL); // we encode this, because it will be send as a query parameter const authServiceUrlParameter = `authServiceUrl=${authServiceUrl}`; const authUrl = `YOUR_PROXY_SERVICE_URL?${authServiceUrlParameter}`; const result = await AuthSession.startAsync({ authUrl, returnUrl: YOUR_DEEP_LINK, });
AuthSession
handles these particular links for you. In your own Linking.addEventListener
handlers, you can filter out deep links that are handled by AuthSession
by checking if the URL includes the +expo-auth-session
string -- if it does, you can ignore it. This works because AuthSession
adds +expo-auth-session
to the default returnUrl
; however, if you provide your own returnUrl
, you may want to consider adding a similar identifier to enable you to filter out AuthSession
events from other handlers.Linking.addEventListener
will not be sufficient, because deep linking is handled differently. Instead, to filter these events you can add a custom getStateFromPath
function to your linking configuration, and then filter by URL in the same way as described above.