User tokens
A plugin can utilize user tokens to authenticate the currently logged in user against a third-party API.
To begin the authentication process, developers need to register their application with Future Ordering. Below are the steps to authenticate the current user against a third-party API:
- Retrieve a user token using the desired scope. In production scenarios, the custom application scope which is provided when registering your backend API with Future Ordering should be used. For authentication purposes and in development, using the
openidscope is a good way to get started. - Include the token in the
AuthorizationHTTP header (using the Bearer scheme) when sending requests to the custom API - Validate the token for authentication and authorization in the custom API - see Validating Access Tokens
note
Avoid depending on the source of the HTTP request being the device itself. In the future, requests with Authorization headers containing Future Ordering access tokens might be intercepted and proxied, changing the source of the request.
Example plugin utilizing user tokens
The following example plugin gets a list of messages for the currently logged in user.
export default async context => {
const myApiBaseUrl = 'https://...';
const token = await tokenService.getUserImpersonationToken('openid');
const res = await fetch(`${myApiBaseUrl}/messages/new`, {
method: 'GET',
headers: {
Authorization: `Bearer ${token}`,
},
});
if (!res.ok) throw new Error(`Error fetching messages`);
const messages = await res.json();
// display messages
// ...
};
Example token data
sub- user IDtenant- tenant ID
{
"nbf": 1710509368,
"exp": 1710511168,
"iss": "https://order.futureburger.com",
"client_id": "foweb",
"sub": "81183934-5aa8-434d-be60-31374d21c853",
"auth_time": 1710509368,
"idp": "local",
"tenant": "futureburger",
"jti": "AAF951A7B8327681F5A8C6B6525ECC4C",
"iat": 1710509368,
"scope": [
"openid"
],
"amr": [
"urn:ietf:params:oauth:grant-type:token-exchange"
]
}