Auth Setup
To enable user authentication for your Reflow store, you will need to configure your application's auth domain and one or more sign in methods.
Enable Logins
Enabling user auth is done from the Sign In settings page (Settings > Sign In). There you can configure each login service you wish to support.
Auth Domain and Origins
The following settings need to be filled in before connecting an auth service. Their values are shared between all services you enable later.
- Domain - The domain of your sign in page. Users will see this URL in the address bar of the sign in popup window. In Reflow it always follows the pattern [subdomain].reflowhq.com. This domain is also used for the Redirect URIs you can find further down in this guide.
- Origins - These are the unique origins that are allowed to display your sign in popup. Remember to include the (sub)domain, http/https scheme and port. Examples: https://example.com, http://localhost:1234, http://127.0.0.1:5000. You can have more than one origin.
After configuring the auth domain and origins, you can proceed with enabling one or more authentication providers. Each service follows a roughly similar set of steps - you create an application in the relevant development portal of each service and copy the CLIENT ID and CLIENT SECRET back to Reflow. Read through the sections below for specifics.
Server Keys
As an optional step, if you wish to authenticate server routes, you can generate a Server Key. This is a public/private key pair using the RSA 2048 algorithm. The private key is stored encrypted on our servers, and the public key is made available for download. With the Reflow library you can obtain a JWT token holding the user info of the connected account, which you can validate on your server using the public key.
We will be releasing examples and expanding this functionality over time.
Reflow stores only the minimal set of data needed to make your logins function. Configuration data, such as client IDs and secrets, is stored encrypted in our database. Additionally, you can review and delete all accounts connected with your store.