# easyroam Useragent
# Registering a new easyroam useragent
- Go to https://auth.easyroam.de/console/applications (make sure that you are logged in) and click on the `Create new application` button.
- Make sure the `useragent` application type is selected and the `Activate client` switch is toggled on.
- Enter a name for your API client.
  This name is visible to all users when authenticating for your useragent.
- Enter a client uri that resolves to the client making the API calls.
  When you log out the user we will check if the host component of the redirect uri and the client uri match. We currently do not check if API requests are really coming from that uri, however this is subject to change.
- Enter a redirect uri for your API client.
  The authentication server will redirect back to this page after authentication succeeded. Some authentication errors will also redirect back to this page with the error and error_description parameters.
- Select all scopes your API client is going to use.
- (Optional) Toggle on the `Use client secret` switch.

Note
To enhance security you may choose to use a client secret even for a user agent. However, this is optional, since for some use cases it is impossible to store the client secret securely.
# Client details
After clicking on the Create application button you will receive your client_id and, if you have decided to use one, your client_secret.
- Your `client_id` will be displayed every time you visit the application site in the authentication console and will look something like this: `123456.easyroam.auth`
- Your `client_secret` will only be displayed ONCE! Make sure you save it somewhere safe.
Security Warning
If you decide to use a client_secret, NEVER share it with anyone under any circumstances.
DFN staff will NEVER ask you to share your client_secret with them!
# Authenticating
Once you have your client_id your useragent can authenticate users that decide to use it.
Minimal authentication is achieved by redirecting the user to the authentication url:
```
GET https://auth.easyroam.de/oauth/authorize?response_type=code&client_id=<your_client_id>&redirect_uri=<your_redirect_uri>&scope=<your_scopes>
```
Scopes are separated by spaces.
Note
For additional security we recommend using PKCE and the state parameter.
After the user has authenticated and approved the scopes your API client is requesting, they will be redirected to your redirect uri with the code and, if you have sent one, the state parameter. You can then exchange your authorization code for an access_token, refresh_token and id_token by submitting an HTTP form:
```
POST https://auth.easyroam.de/oauth/token
grant_type=authorization_code
client_id=<your_client_id>
code=<your_authorization_code>
redirect_uri=<your_redirect_uri>
```
If you've used PKCE while making the initial request you obviously need to add the code_verifier to your request.
Upon successful authentication you will receive a JSON object containing 5 properties like so:
```json
{
  "access_token": "...",
  "id_token": "...",
  "refresh_token": "...",
  "token_type": "Bearer",
  "code": "..."
}
```
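```python
import requests

# Form fields for the authorization code exchange
params = {
    "grant_type": "authorization_code",
    "client_id": "<your_client_id>",
    "code": "<your_authorization_code>",
    "redirect_uri": "<your_redirect_uri>",
}
# data= sends the fields as an application/x-www-form-urlencoded body
r = requests.post(
    "https://auth.easyroam.de/oauth/token",
    data=params,
    timeout=10,
)
r.raise_for_status()  # fail on an HTTP error instead of parsing an error body
r_json = r.json()
access_token = r_json["access_token"]
id_token = r_json["id_token"]
refresh_token = r_json["refresh_token"]
print(access_token)
print(id_token)
print(refresh_token)
```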
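```javascript
const axios = require('axios');

// Form fields for the authorization code exchange
const creds = {
  "grant_type": "authorization_code",
  "client_id": "<your_client_id>",
  "code": "<your_authorization_code>",
  "redirect_uri": "<your_redirect_uri>"
};

// await is only valid inside an async function in a CommonJS module
async function main() {
  const resp = await axios({
    method: 'POST',
    url: 'https://auth.easyroam.de/oauth/token',
    // URLSearchParams makes axios send an HTTP form body instead of JSON
    data: new URLSearchParams(creds)
  });
  const { access_token, refresh_token, id_token } = resp.data;
  console.log(access_token);
  console.log(id_token);
  console.log(refresh_token);
}

main().catch(console.error);
```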
For a more complex example check out our example easyroam useragent.
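The note above recommends PKCE and the state parameter. The following added example (not part of the original page and not easyroam's own code) builds the authorization URL with both, then validates the redirect back to the useragent before assembling the token request with the code_verifier. It assumes the server accepts the standard RFC 7636 `code_challenge` and `code_challenge_method=S256` parameters; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORIZE_URL = "https://auth.easyroam.de/oauth/authorize"


def begin_login(client_id, redirect_uri, scopes):
    """Return (authorize_url, pending); keep `pending` in the user's session."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 chars; RFC 7636 allows 43-128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # scopes are separated by spaces
        "state": state,
        # Assumption: standard RFC 7636 parameter names, S256 method
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }, quote_via=quote)
    return f"{AUTHORIZE_URL}?{query}", {"state": state, "code_verifier": verifier}


def finish_login(callback_url, pending, client_id, redirect_uri):
    """Check the redirect back to us; return the form fields for POST /oauth/token."""
    params = parse_qs(urlsplit(callback_url).query)
    if "error" in params:
        detail = params.get("error_description", [""])[0]
        raise ValueError(f"authorization failed: {params['error'][0]} {detail}".strip())
    returned = params.get("state", [""])[0]
    # Constant-time compare; a mismatch means the response is not for this login
    if not hmac.compare_digest(returned.encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "code_verifier": pending["code_verifier"],
    }
```

The dictionary returned by `finish_login` can be passed as the form body of the token request shown above.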
# Refreshing an access token
Access tokens are valid for 30 minutes. After that you need to refresh them using the refresh_token you received during authentication:
```
POST https://auth.easyroam.de/oauth/token
grant_type=refresh_token
client_id=<your_client_id>
refresh_token=<your_refresh_token>
```
Upon successful refresh you will receive a JSON object containing 3 properties like so:
```json
{
  "access_token": "...",
  "id_token": "...",
  "token_type": "Bearer"
}
```
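```python
import requests

# Form fields for the refresh request
params = {
    "grant_type": "refresh_token",
    "client_id": "<your_client_id>",
    "refresh_token": "<your_refresh_token>",
}
# data= sends the fields as an application/x-www-form-urlencoded body
r = requests.post(
    "https://auth.easyroam.de/oauth/token",
    data=params,
    timeout=10,
)
r.raise_for_status()  # fail on an HTTP error instead of parsing an error body
r_json = r.json()
access_token = r_json["access_token"]
id_token = r_json["id_token"]
print(access_token)
print(id_token)
```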
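```javascript
const axios = require('axios');

// Form fields for the refresh request
const creds = {
  "grant_type": "refresh_token",
  "client_id": "<your_client_id>",
  "refresh_token": "<your_refresh_token>"
};

// await is only valid inside an async function in a CommonJS module
async function main() {
  const resp = await axios({
    method: 'POST',
    url: 'https://auth.easyroam.de/oauth/token',
    // URLSearchParams makes axios send an HTTP form body instead of JSON
    data: new URLSearchParams(creds)
  });
  const { access_token, id_token } = resp.data;
  console.log(access_token);
  console.log(id_token);
}

main().catch(console.error);
```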
# Logout
Note
While calling this endpoint is not required it is highly recommended to do so. Not doing so may result in sessions piling up for the user on the authentication server, which may lead to a bad user experience.
To log out a user you can simply redirect them to the logout url with the id_token parameter set to the id_token you received during authentication, your client_id and your logout_uri:
```
GET https://auth.easyroam.de/oauth/logout?id_token=<your_id_token>&client_id=<your_client_id>&logout_uri=<your_logout_uri>
```
This will automatically delete the active session associated with the id_token and redirect the user to your logout_uri.
The logout_uri must match the host component of the client_uri you specified during the creation of the application.