User Sign In (Xumm as identity provider)
The XUMM platform supports the OAuth2 / OpenID Connect flow, with the XUMM platform acting as the OAuth2 provider. Using this flow, it is easy to authenticate and identify end users by their non-custodial XRP Ledger account: the user proves control of an account by signing in with their Xumm app, and your application receives a JWT and OpenID Connect claims for that account.
Sign in with XUMM using OAuth2 / OpenID Connect
OAuth2 credentials
All credentials created in the Xumm Developer Console (https://apps.xumm.dev) will work with the OAuth2 / OpenID Connect flow.
Build client side webapps (OAuth2 code / Implicit flow)
The Xumm OAuth2 / OpenID Connect provider supports the authorization code flow and the implicit flow. An implicit flow example (frontend only) can be found here
PKCE (RFC 7636, an extension of the authorization code flow) is also available and is the current industry standard for browser and mobile clients, replacing the implicit flow. It ships with an easy to use SDK. Demo, source and SDK:
Easily build fully client side XRPL integrated apps using the xumm-oauth2-pkce package:
- Package: https://www.npmjs.com/package/xumm-oauth2-pkce
- Sample (try it): https://oauth2-pkce-demo.xumm.dev/
- Sample (code): https://github.com/XRPL-Labs/XummPkce/blob/main/sample/index.html
To use the XUMM Platform as OAuth2 / OpenID Connect provider, one or more valid OAuth2 redirect URIs must be whitelisted in the XUMM Developer Console, on an application level. Only whitelisted redirect URIs are accepted, so register the exact URI your application will send as redirect_uri. While not mandatory, the XUMM OAuth2 / OpenID Connect flow supports PKCE, and it is recommended for any client that cannot keep a secret (single page apps, mobile apps).
The same API Key and API Secret the XUMM Developer Console offers for calling our APIs and using our SDKs can be used as OAuth2 client id and client secret. The API Secret is a confidential credential: use it only from a backend (confidential client). Client side web apps should use the PKCE or implicit flow with the API Key alone and must never embed the API Secret.
```javascript
// Using the OAuth2 Sign In JWT with the Xumm SDK in JS:
const { XummSdkJwt } = require('xumm-sdk')

// The JWT returned by the Xumm OAuth2 Sign In flow (placeholder value)
const myJwt = 'xxxx.yyyy.zzzz'

const main = async () => {
  // XummSdkJwt calls the user-scoped JWT endpoints on behalf of the signed-in user
  const Sdk = new XummSdkJwt(myJwt)
  const payload = await Sdk.payload.create({
    TransactionType: 'Payment',
    // More here
  })
  console.log(payload)
}

main()
```
The JWT obtained through the Xumm Sign In OAuth2 flow can be used with the JWT endpoints, in a context locked to the signed-in user. Interacting with the JWT endpoints works the same way as the JWT flow for xApps, except that the JWT is obtained through the OAuth2 flow instead of inside the xApp.
The following endpoints exist at https://oauth2.xumm.app:

| Endpoint | Path |
|---|---|
| Authorization Endpoint | /auth |
| Token Endpoint | /token |
| Userinfo Endpoint | /userinfo |
| JWKS Endpoint | /certs |
| OpenID Connect Metadata endpoint | /.well-known/openid-configuration |
| All other JWT compatible Xumm API endpoints | See: reference/oauth2-jwt |
User identification
As per the OpenID Connect standard, the JWT and the /userinfo endpoint return the sub claim, containing the r-address of the user that signed in. This value identifies the unique user: it is the account the user proved control of, so use it (rather than any derived property) as the primary key for the user in your application.
Many OAuth2 client applications also offer manual account registration and sign in, and often rely on the end user's email address for user identification. For compatibility, the OAuth2 JWT and the /userinfo endpoint return a unique email property as well. This field is unique and consistent for the same user signing in to the same application, so it can be used as an account key within one application, but the r-address in sub remains the identifier that is stable across applications.
Some platforms require email address verification by sending a one time code for the user to confirm. To support this, the email address returned by the Xumm OAuth2 platform accepts incoming email for 10 minutes after a successful sign in. An email delivered to the unique address for the specific Xumm App + user (r-address) is stripped and served as plain text to the end user, who receives a push notification and an Event in Xumm containing the email. Links, images, attachments and other non-text content are stripped out, so a verification message must carry its code as plain text.
Nice OAuth2/OpenID Connect test-tools are available at: