|
9 | 9 | - [Handling errors](#handling-errors) |
10 | 10 | - [Organizations](#organizations) |
11 | 11 | - [Standalone Components and a more functional approach](#standalone-components-and-a-more-functional-approach) |
12 | | -- [Connect Accounts](#connect-accounts) |
| 12 | +- [Connect Accounts for using Token Vault](#connect-accounts-for-using-token-vault) |
13 | 13 |
|
14 | 14 | ## Add login to your application |
15 | 15 |
|
@@ -410,58 +410,72 @@ bootstrapApplication(AppComponent, { |
410 | 410 |
|
411 | 411 | Note that `provideAuth0` should **never** be provided to components, but only at the root level of your application. |
412 | 412 |
|
413 | | -## Connect Accounts |
| 413 | +## Connect Accounts for using Token Vault |
414 | 414 |
|
415 | | -Link multiple identity providers to a single Auth0 user profile, allowing users to authenticate with any of their connected accounts. |
| 415 | +The Connect Accounts feature uses the Auth0 My Account API to allow users to link multiple third party accounts to a single Auth0 user profile. |
416 | 416 |
|
417 | | -**Note:** User must be logged in first. |
| 417 | +When using Connected Accounts, Auth0 acquires tokens from upstream Identity Providers (like Google) and stores them in a secure [Token Vault](https://auth0.com/docs/secure/tokens/token-vault). These tokens can then be used to access third-party APIs (like Google Calendar) on behalf of the user. |
418 | 418 |
|
419 | | -### Configuration |
| 419 | +The tokens in the Token Vault are then accessible to [Resource Servers](https://auth0.com/docs/get-started/apis) (APIs) configured in Auth0. The SPA application can then issue requests to the API, which can retrieve the tokens from the Token Vault and use them to access the third-party APIs. |
420 | 420 |
|
421 | | -Enable `useRefreshTokens` and `useMrrt` in your Auth0 configuration: |
| 421 | +This is particularly useful for applications that require access to different resources on behalf of a user, like AI Agents. |
| 422 | +
|
| 423 | +### Configure the SDK |
| 424 | +
|
| 425 | +The SDK must be configured with an audience (an API Identifier) - this will be the resource server that uses the tokens from the Token Vault. |
| 426 | +
|
| 427 | +The SDK must also be configured to use refresh tokens and MRRT ([Multiple Resource Refresh Tokens](https://auth0.com/docs/secure/tokens/refresh-tokens/multi-resource-refresh-token)) since we will use the refresh token grant to get Access Tokens for the My Account API in addition to the API we are calling. |
| 428 | +
|
| 429 | +The My Account API requires DPoP tokens, so we also need to enable DPoP. |
422 | 430 |
|
423 | 431 | ```ts |
424 | 432 | AuthModule.forRoot({ |
425 | | - domain: 'YOUR_AUTH0_DOMAIN', |
426 | | - clientId: 'YOUR_AUTH0_CLIENT_ID', |
| 433 | + domain: '<AUTH0_DOMAIN>', |
| 434 | + clientId: '<AUTH0_CLIENT_ID>', |
427 | 435 | useRefreshTokens: true, |
428 | 436 | useMrrt: true, |
| 437 | + useDpop: true, |
| 438 | + authorizationParams: { |
| 439 | + redirect_uri: '<MY_CALLBACK_URL>', |
| 440 | + }, |
429 | 441 | }); |
430 | 442 | ``` |
431 | 443 |
|
432 | | -### Usage |
| 444 | +### Login to the application |
433 | 445 |
|
434 | | -Use `connectAccountWithRedirect` to link an additional account: |
| 446 | +Use the login methods to authenticate to the application and get a refresh and access token for the API. |
435 | 447 |
|
436 | 448 | ```ts |
437 | | -import { Component } from '@angular/core'; |
438 | | -import { AuthService } from '@auth0/auth0-angular'; |
439 | | - |
440 | | -@Component({ |
441 | | - selector: 'app-connect-account', |
442 | | - template: `<button (click)="connectAccount()">Connect Google</button>`, |
443 | | -}) |
444 | | -export class ConnectAccountComponent { |
445 | | - constructor(private auth: AuthService) {} |
446 | | - |
447 | | - connectAccount(): void { |
448 | | - this.auth |
449 | | - .connectAccountWithRedirect({ |
450 | | - connection: 'google-oauth2', |
451 | | - scopes: ['openid', 'profile', 'email'], |
452 | | - appState: { returnTo: '/profile' }, |
453 | | - }) |
454 | | - .subscribe(); |
455 | | - } |
456 | | -} |
| 449 | +// Login specifying any scopes for the Auth0 API |
| 450 | +this.auth |
| 451 | + .loginWithRedirect({ |
| 452 | + authorizationParams: { |
| 453 | + audience: '<AUTH0_API_IDENTIFIER>', |
| 454 | + scope: 'openid profile email read:calendar', |
| 455 | + }, |
| 456 | + }) |
| 457 | + .subscribe(); |
457 | 458 | ``` |
458 | 459 |
|
459 | | -After redirect, you can access connection details via the `appState$` observable: |
| 460 | +### Connect to a third party account |
| 461 | +
|
| 462 | +Use the `connectAccountWithRedirect` method to redirect the user to the third party Identity Provider to connect their account. |
460 | 463 |
|
461 | 464 | ```ts |
462 | | -this.auth.appState$.subscribe((appState) => { |
463 | | - if (appState?.connectedAccount) { |
464 | | - console.log(`Connected to ${appState.connectedAccount.connection}`); |
465 | | - } |
466 | | -}); |
| 465 | +// Start the connect flow by redirecting to the third party API's login, defined as an Auth0 connection |
| 466 | +this.auth |
| 467 | + .connectAccountWithRedirect({ |
| 468 | + connection: '<CONNECTION eg, google-apps-connection>', |
| 469 | + scopes: ['<SCOPE eg https://www.googleapis.com/auth/calendar.acls.readonly>'], |
| 470 | + authorizationParams: { |
| 471 | + // additional authorization params to forward to the authorization server |
| 472 | + }, |
| 473 | + }) |
| 474 | + .subscribe(); |
467 | 475 | ``` |
| 476 | +
|
| 477 | +You can now call the API with your access token and the API can use [Access Token Exchange with Token Vault](https://auth0.com/docs/secure/tokens/token-vault/access-token-exchange-with-token-vault) to get tokens from the Token Vault to access third party APIs on behalf of the user. |
| 478 | +
|
| 479 | +> **Important** |
| 480 | +> |
| 481 | +> You must enable Offline Access from the Connection Permissions settings to be able to use the connection with Connected Accounts. |
0 commit comments