Web Types

The bearer access token string.

The refresh token to use to get a new access token.

The time in which the access token expires.

The scope this token is authorized for.

The account ID selected for the user.

The base URL of the authorization server.

The client ID.

Whether or not to send credentials for cross-site XHR requests. Defaults to false.

The default redirect URI used for login redirect flow. Defaults to ${window.location.origin}.

The default scope used for authorization requests. Defaults to USER. If #useRefreshTokens is true, then OFFLINE_ACCESS will automatically be included.

The default redirect URI used for silent authentication flow. This is only used if #isRefreshTokenRotation is false. Defaults to ${window.location.origin}/silent-callback.html.

Optionally provide a custom WebStorage implementation for storing transactions. The default is SessionStorage.

Optionally provide a custom TokenCache implementation for storing access tokens. The default is WebStorageTokenCache.

Whether to use a refresh token rotation instead of standard auth code flow with silent authentication. The default is false.

<a href="https://developer.broadleafcommerce.com/services/authentication-services/authorization#refresh_token_rotation_grant_type_em_since_1_4_0_em"> See Refresh Token (Rotation) Grant Type docs</a>.

Whether to enabled the Proof-Key-for-Code-Exchange enhancement to the OAuth Authorization Code Flow. False by default.

Whether to use silent authentication with iframe as a fallback when #useRefreshTokens is true but there is no cached refresh token. This can occur when the user reloads the browser window since the tokens are stored in-memory. Default is true.

Note that this still has the same drawbacks as auth code flow with silent auth if the browser has enabled Intelligent Tracking Protection and the user may need to be redirected to login after a refreshing the page.

Whether to serialize the in-memory token cache to session storage to allow persistence across page loads.

This is somewhat less secure than leaving the cache in-memory but may be necessary in cross-domain auth contexts, i.e., when the client is served on a different domain from the auth server, because browsers block the cross-domain session cookie. In these cases, the additional risk should be mitigated by also enabling refresh tokens (useRefreshTokens) with refresh token rotation and re-use detection—both supported by Broadleaf out of box when enabled.

See useSessionStorageForTokenCache. Note that session storage is cleared when the browser is closed while local storage is not.

Determines whether a param indicating that the app should automatically redirect the user to login is enabled. This is used in cases where auto-login from the server is not possible due to needing third-party-cookies, which are blocked in most browsers by default. This param is usually not used unless refresh-token-rotation is also used.

If enabled, then user operations will be fetched using the 'resource API' user operations endpoint that accepts a bearer token. Otherwise, user operations will be fetched using the endpoint that relies on session cookie authentication. The access-token approach is useful when in a cross-domain environment that can’t pass session cookies.

The client ID.

The redirect URI.

The scope.

The response type, typically "code".

The state parameter, typically a randomly generated string.

The prompt parameter, either "login" or blank for redirect authentication, or "none" for silent authentication.

The location to redirect to after a successful change password. Defaults to window.location.origin.

The account id for the request.

Optionally provide application data to store until the redirect callback is handled and returns LoginRedirectResult.

Whether to ignore the cache and always execute a request.

The redirect URI that points to the silent callback location. The content at this URI should expect to be loaded into a hidden iframe which will post a message with the request parameters back to the parent window.

The scope for the authorization request.

The amount of time in seconds allowed before a timeout for the authorization request. If not provided, defaults to 10 seconds.

The scope the token was authorized for.

The scope the token was authorized for.

The redirect URI for the authorization request. If not provided, will use the default defined in AuthClientOptions.

The scope for the authorization request. If not provided, will use the default defined in AuthClientOptions.

Optionally provide application data to store until the redirect callback is handled and returns LoginRedirectResult.

The accountId for the authorization request. If not provided, will use the default defined in AuthClientOptions.

Set to PERSONAL to indicate unsetting the account ID.

Additional custom parameters to include in the auth request.

Any application data provided as part of LoginRedirectOptions.

Scope to include if needing to override the default

One-time-password to use in exchange for an access token

The location to redirect to after a successful logout. Defaults to window.location.origin.

The location to redirect to after a successful user registration. Defaults to window.location.origin.

Additional parameters to include in the redirect to the registration page

The type of user being registered. See UserType (Enum). Default is CUSTOMER

Full name of the user: First Last.

Will automatically be set to email unless broadleaf.auth.registration.email-as-username is false.

Must match password if present

True if this registration is in a preview context

Client implementations may choose to utilize this field to accept and pass additional custom information as part of the user registration process. By default, these attributes are passed to interested microservices via UserCreationEvent#attributes.

Account ID for the current user such as in a B2B context. Only used when using embedded login.

The client ID for the auth token request.

Used if PKCE is enabled.

The grant type for the auth token request. Defaults to authorization_code.

The redirect URI for the auth token.

The scope for the auth token request.

The auth code for the auth token request. Not required only when the #grantType is refresh_token, which is only used with refresh token rotation after the initial auth.

The purpose of the code. This is used for retrieving a one-time-password, in which case the purpose would be OTP.

When using refresh token rotation, this is used to get an access token instead #code after the initial auth.

Additional parameter to include when using embedded login along with purpose to ensure the code (OTP) can be exchanged for an access token.

Token provided after requesting to reset a password. This is used to verify the submission of the new password is from a valid user.

The new password.

The ISO8601 timestamp when the user’s session will expire due to inactivity.

The ISO8601 timestamp when the will be required to login.

Stores the given entry in the cache, creating the cache key based based on the values in the entry. By default, the key is based on the TokenCacheEntry.clientId and TokenCacheEntry.scope.

Retrieves an entry from the cache matching the given key. By default, the key is based on the TokenCacheEntry.clientId and TokenCacheEntry.scope.

Note that by default, this will return an entry if it is expired but the TokenCacheEntry.accessToken.access_token will be empty and TokenCacheEntry.expired will be true to allow the caller to know when to use the refresh token to fetch a fresh access token rather than trying to re-authenticate.

Clears the cache of all entries.

The entry for this cache record.

The time at which this entry expires in seconds since Epoch.

The scope of the user operation, e.g., PRODUCT, CATEGORY, etc.

The set of operation types that are allowed for the scope. See PermissionType (Enum)

List of UserOperations for the user.

Id of the permission.

Name of the permission.

Id of the role.

The name for this role. This has no purpose other than labeling, and is not guaranteed to be unique.

The friendly name of this role for display purposes. Required for account roles.

The description of this role for display purposes. Optional, but recommended for account roles.

The permissions that this role has been directly assigned. The role inherits other permissions from its ancestors as described for #parentRoleId.

See UserPermission.

Indicates the user is a customer user

Indicates the user is an admin user.

Stores the given entry in the cache with the given cache key. See WebStorageOptions By default, the key is based on the TokenCacheEntry.clientId and TokenCacheEntry.scope.

Retrieves an entry from the cache matching the given key.

Removes the specified entry.