OAuth2 API Endpoints


Warning

This is still work in progress while the Cognito Service is being implemented and integrated with the Front End Application.

The Authentication/Authorization Service needs to be configured with a set of Application Endpoints to which the user is redirected during the authentication flows. They are defined by the following parameters:

Application Endpoint Parameters

All parameters, unless otherwise noted, are paths relative to ardaAppHostBaseUrl, which also needs to be configured in the Authentication Service.

Parameter                 Description
defaultRedirectPath       The default path to redirect users to after authentication when no specific redirect URL is provided, relative to ardaAppHostBaseUrl. This path is also included in the callback URLs registered with the OAuth2 service.
loginPath                 The path that initiates the login flow, relative to ardaAppHostBaseUrl. Unauthenticated users are redirected here when they try to access a protected resource.
logoutPath                The path that initiates the logout flow, relative to ardaAppHostBaseUrl. Authenticated users are redirected here when they log out.
resetPasswordPath         The path users are sent to when they request a password reset or change, relative to ardaAppHostBaseUrl.
defaultLoginRedirectPath  The path users are sent to after authentication when there is no specific redirect URL. It should correspond to the user's Dashboard or Home page. In the future this may be configurable per tenant or per user, with this value acting as the default when the user has not configured one.
allowedCallbackPaths      A list of additional URL paths that may be used as callback paths from the OAuth2 service. The preferred configuration is a single path (e.g., /redirect) used with a query parameter that forwards the user on to the appropriate page.
logoutRedirectUrl         The URL users are redirected to after a successful logout. It must be an absolute https URL (not relative to ardaAppHostBaseUrl).

Handling Redirects

Cognito requires that every URL it may redirect the browser to after authentication is registered as a callback URL in the User Pool; in this configuration those URLs are built from defaultRedirectPath and allowedCallbackPaths. The requirement is a necessary security control (the authorization code is delivered to the redirect URL, so an unregistered one would let an attacker have codes sent to a host they control), but it tightly couples the page structure of the UI Application to the Cognito configuration, and that coupling needs to be mitigated.

To handle this, the Front End application (in the BFF component) uses a single registered redirect path (/redirect) that takes a single query parameter, forwardTo, carrying the URL the user should finally be sent to.
The forwardTo value must be URL-encoded as a normal query-string parameter. A reversible encoding such as base64url may be used to obfuscate the value, but obfuscation is not a tamper control: anyone can decode, alter and re-encode it, so the only real protection is the validation the /redirect route performs on the decoded URL before redirecting. Encryption is not required; if integrity of the value itself is ever needed, an HMAC computed and verified by the BFF is the appropriate mechanism, not obfuscation.

The /redirect route in the Front End Application must validate the decoded URL before redirecting: it must resolve to the application's own origin (ardaAppHostBaseUrl), so absolute URLs to other hosts, protocol-relative URLs (//host/...) and non-http(s) schemes such as javascript: must be rejected and replaced with defaultLoginRedirectPath. Without that check, /redirect is an open redirect that lets an attacker send a freshly authenticated user to a site of their choosing.
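The encoding of forwardTo and the validation in the /redirect route, as an added Node.js example (not code from the Arda Front End or BFF): it assumes a config object holding ardaAppHostBaseUrl, defaultLoginRedirectPath and allowedCallbackPaths with constructed values, encodes forwardTo as base64url, and then decodes it and checks it against the application origin before redirecting. The function names encodeForwardTo, buildCallbackUrl and resolveForwardTo, the sample host and the Express-style handler line are assumptions.

```javascript
// Added example, not Arda Front End / BFF code. Node.js >= 16 (WHATWG URL, base64url
// Buffer encoding). Config values and function names are assumptions for illustration.
const config = {
  ardaAppHostBaseUrl: 'https://app.example.com', // constructed value
  defaultLoginRedirectPath: '/dashboard',         // constructed value
  allowedCallbackPaths: ['/redirect'],            // the single registered callback path
};

// Reversible, URL-safe encoding for the forwardTo query value. This only keeps the
// target URL intact inside one query parameter; it gives no tamper protection.
function encodeForwardTo(targetUrl) {
  return Buffer.from(targetUrl, 'utf8').toString('base64url');
}

// Callback URL to hand to the OAuth2 service: the registered /redirect path plus
// the (encoded) page the user should end up on.
function buildCallbackUrl(targetUrl) {
  const url = new URL(config.allowedCallbackPaths[0], config.ardaAppHostBaseUrl);
  url.searchParams.set('forwardTo', encodeForwardTo(targetUrl));
  return url.toString();
}

// Decode forwardTo and return an absolute URL that is safe to redirect to.
// Anything missing, malformed, off-origin, or pointing back at /redirect collapses
// to defaultLoginRedirectPath, so the route cannot be used as an open redirect.
function resolveForwardTo(forwardTo) {
  const base = new URL(config.ardaAppHostBaseUrl);
  const fallback = new URL(config.defaultLoginRedirectPath, base).toString();

  if (typeof forwardTo !== 'string' || forwardTo === '') return fallback;

  const decoded = Buffer.from(forwardTo, 'base64url').toString('utf8');
  // Reject empty values, control characters and backslashes: the URL parser turns
  // "\" into "/", so "/\evil.com" would otherwise parse as a protocol-relative URL.
  if (decoded === '' || /[\u0000-\u001f\\]/.test(decoded)) return fallback;

  let target;
  try {
    target = new URL(decoded, base); // relative paths resolve against the app host
  } catch {
    return fallback;
  }

  // Same-origin check (scheme + host + port). This rejects absolute URLs to other
  // hosts, "//host/..." protocol-relative URLs, userinfo tricks such as
  // "https://app.example.com@evil.com", and non-http schemes (javascript: has origin "null").
  if (target.origin !== base.origin) return fallback;

  // Never forward back into the callback path itself; that would loop.
  if (config.allowedCallbackPaths.includes(target.pathname)) return fallback;

  return target.toString();
}

// Express-style handler for GET /redirect (the framework call is an assumption):
//   res.redirect(302, resolveForwardTo(req.query.forwardTo));
```

The check is deliberately an allow-list on origin rather than a deny-list of bad prefixes: the WHATWG parser normalises backslashes, userinfo and default ports, so comparing target.origin with the configured base origin after parsing is what catches the variants a prefix match on the raw string would miss.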


Copyright: © Arda Systems 2025, All rights reserved
