Skip to main content

Custom Authentication with PnP Web No Modal SDK

Custom Authentication is a way to authenticate users with your custom authentication service. For example, while authenticating with Google, you can use your own Google Client ID and Dashboard to authenticate users directly or use aggregator services like Auth0, Firebase, AWS Cognito etc. Additionally, you can make your own JWT token authentication system and pass the ID Token to Web3Auth to generate a private key for them.

To enable this, you need to Create a Verifier from the Custom Authentication tab of your project from the Web3Auth Developer Dashboard with your desired configuration.

note

This is a paid feature and the minimum pricing plan to use this SDK in a production environment is the Growth Plan. You can use this feature in Web3Auth Sapphire Devnet network for free.

Installing Auth Adapter

Social logins in Web3Auth are enabled by the auth-adapter. Natively, it is already present and preconfigured within the Plug and Play SDK, but for custom configurations, you need to install the adapter package.

npm install --save @web3auth/auth-adapter

Configuring Auth Adapter

While instantiating the Auth Adapter, you can pass some configuration objects to the constructor. One of these configurations is the adapterSettings configuration which enables you to make changes in the adapter, enabling you to do things like Whitelabeling and Custom Authentication among other things.

tip

Checkout the auth-adapter SDK Reference for more details on different configurations you can pass for customizations.

loginConfig

The loginConfig parameter of adapterSettings in auth-adapter contains the following properties:

loginConfig: { "identifier of social login": { params } }

params

ParameterDescription
verifier
typeOfLoginThe type of login. Refer to enum LOGIN_TYPE
nameDisplay Name. If not provided, we use the default for auth app
descriptionDescription for button. If provided, it renders as a full length button. else, icon button
clientIdCustom client_id. If not provided, we use the default for auth app
verifierSubIdentifierThe field in JWT token which maps to verifier id. Please make sure you selected correct JWT verifier id in the developer dashboard. It accepts string as a value.
logoHoverLogo to be shown on mouse hover. If not provided, we use the default for auth app
logoLightLogo to be shown on dark background (dark theme). If not provided, we use the default for auth app
logoDarkLogo to be shown on light background (light theme). If not provided, we use the default for auth app
mainOptionShow login button on the main list
showOnModalWhether to show the login button on modal or not
showOnDesktopWhether to show the login button on desktop
showOnMobileWhether to show the login button on mobile
showOnSocialBackupFactorIf we are using social logins as a backup factor, then this option will be used to show the type of social login on the social backup login screen.
jwtParametersCustom jwt parameters to configure the login. Useful for Auth0 configuration

Logging In

While using the Web3Auth Plug and Play No Modal SDK, you have the option to use the connectTo function, which enables you to customize the login process according to the parameters you have for your custom authentication service.

connectTo()

To log a user in the Web3Auth Plug and Play No Modal SDK, you need to call the connectTo() function. This function helps you customize the login process according to your own needs, by taking the following parameters:

VariableDescription
walletNameWallet Adapter you want to use for logging in your user. It accepts WALLET_ADAPTER_TYPE.
loginParams?Login parameters specific to your wallet adapter. Although this is defined as a generic type T, you can use AuthLoginParams as a reference for typical parameters.
tip

Know more about the connectTo function in the Usage SDK Reference

important

It is mandatory to pass the idToken parameter in the extraLoginOptions object when logging in through your Custom JWT Token.

Further, to enable Custom Authentication, the loginParams parameter takes in another object called extraLoginOptions which contains the following properties:

ExtraLoginOptions
ParameterDescription
domainYour Auth0 account domain such as 'example.auth0.com', 'example.eu.auth0.com' or , 'example.mycompany.com' (when using custom domains)
client_idThe Client ID found on your Application settings page
redirect_uriThe default URL where Auth0 will redirect your browser to with the authentication result. It must be whitelisted in the "Allowed Callback URLs" field in your Auth0 Application's settings. If not provided here, it should be provided in the other methods that provide authentication.
leewayThe value in seconds used to account for clock skew in JWT expirations. Typically, this value is no more than a minute or two at maximum. Defaults to 60s.
verifierIdFieldThe field in jwt token which maps to verifier id
isVerifierIdCaseSensitiveWhether the verifier id field is case sensitive
additionalParamsIf you need to send custom parameters to the Authorization Server, make sure to use the original parameter name.
display- 'page': displays the UI with a full page view - 'popup': displays the UI with a popup window - 'touch': displays the UI in a way that leverages a touch interface - 'wap': displays the UI with a "feature phone" type interface
prompt- 'none': do not prompt user for login or consent on re-authentication - 'login': prompt user for re-authentication - 'consent': prompt user for consent before processing request - 'select_account': prompt user to select an account
max_ageMaximum allowable elapsed time (in seconds) since authentication. If the last time the user authenticated is greater than this value, the user must be re-authenticated.
ui_localesThe space-separated list of language tags, ordered by preference. For example: 'fr-CA fr en'.
id_token_hintPreviously issued ID Token.
login_hintThe user's email address or other identifier. When your app knows which user is trying to authenticate, you can provide this parameter to pre-fill the email box or select the right session for sign-in. This currently only affects the classic Lock experience.
acr_values
scopeThe default scope to be used on authentication requests. The defaultScope defined in the Auth0Client is included along with this scope
audienceThe default audience to be used for requesting API access.
connectionThe name of the connection configured for your application. If null, it will redirect to the Auth0 Login Page and show the Login Widget.

Example

Since we're using the @web3auth/no-modal, ie. the Plug and Play No Modal SDK, the loginConfig can include custom JWT-based authentication as well. This way, we can use any of our preferred login providers and further setup their configs while logging the user in and passing over the extraLoginOptions in the connectTo function.

Single Verifier

import { AuthAdapter } from "@web3auth/auth-adapter";

const authAdapter = new AuthAdapter({
  adapterSettings: {
    loginConfig: {
      jwt: {
        verifier: "YOUR-VERIFIER-NAME-ON-WEB3AUTH-DASHBOARD",
        typeOfLogin: "jwt",
        clientId: "YOUR-CLIENTID-FROM-LOGIN-PROVIDER",
      },
    },
  },
  privateKeyProvider,
});

web3auth.configureAdapter(authAdapter);
import { WALLET_ADAPTERS } from "@web3auth/base";
// inside your async function with on click handler
const web3authProvider = await web3auth.connectTo(WALLET_ADAPTERS.AUTH, {
  loginProvider: "google",
});

Aggregate Verifier

import { AuthAdapter } from "@web3auth/auth-adapter";

const authAdapter = new AuthAdapter({
  adapterSettings: {
    loginConfig: {
      // Google login
      google: {
        verifier: "YOUR_AGGREGATE_VERIFIER_NAME", // Please create an aggregate verifier on the developer dashboard and pass the name here
        verifierSubIdentifier: "YOUR_SUB_VERIFIER_NAME", // Pass in the sub verifier name here
        typeOfLogin: "google", // Pass on the login provider of the verifier you've created
        clientId: "YOUR_GOOGLE_CLIENT_ID", // based on sub verifier, pass in the clientId of the login provider here - Please note this differs from the Web3Auth ClientID.
      },
      github: {
        verifier: "YOUR_AGGREGATE_VERIFIER_NAME", // Please create an aggregate verifier on the developer dashboard and pass the name here
        verifierSubIdentifier: "YOUR_SUB_VERIFIER_NAME", // Pass in the sub verifier name here
        typeOfLogin: "github", // Pass on the login provider of the verifier you've created
        clientId: "YOUR_GITHUB_CLIENT_ID", // based on sub verifier, pass in the clientId of the login provider here - Please note this differs from the Web3Auth ClientID.
      },
    },
  },
  privateKeyProvider,
});
web3auth.configureAdapter(authAdapter);
// When user clicks Google button, use this to Login with Google
const web3authProvider = await web3auth.connectTo("auth", {
  loginProvider: "google",
});

// When user clicks GitHub button, use this to Login with GitHub via Auth0
const web3authProvider = await web3auth.connectTo("auth", {
  loginProvider: "github",
  extraLoginOptions: {
    domain: "YOUR_AUTH0_DOMAIN", // Pass the Auth0 Domain here, eg. https://web3auth.au.auth0.com
    // This corresponds to the field inside jwt which must be used to uniquely identify the user.
    verifierIdField: "YOUR_AUTH0_VERIFIER_ID_FIELD", // This is mapped b/w google and github logins.
    isVerifierIdCaseSensitive: true, // only if the verifier id is case sensitive, else remove this line
  },
});