API-Based Implementation

The purpose of this section is to guide developers through the authentication process using the Janrain Registration Server and supporting server-side API (Application Programming Interface) endpoints without using the Janrain Registration Widget or Mobile Libraries.

All code examples in this document are shown as cURL calls or as generic PHP code. In most cases, calls should be submitted to the API endpoints over SSL using the HTTP POST method. Additionally, the /oauth example calls do not accept query-string parameters; every parameter must be submitted as a URL-encoded form parameter in the POST body.

Traditional Login and Registration

Traditional Login

Complete traditional login via the oauth/auth_native_traditional call with required fields from the sign-in form.

$api_call = '/oauth/auth_native_traditional';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'response_type' => 'code',

    // the name of your sign-in form as defined in the flow file
    'form' => 'signInForm',

    // required fields from signInForm
    'signInEmailAddress' => $_POST['email'],
    'currentPassword' => $_POST['password']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | New authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token
User not found / Incorrect username or password (invalid_credentials) | Provide paths for Traditional Registration and Forgot Password
Field validation error (invalid_form_fields) | Display validation message(s)

Traditional Registration

Complete traditional registration via the oauth/register_native_traditional call with required fields from the registration form.

$api_call = '/oauth/register_native_traditional';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'response_type' => 'code',

    // the name of your registration form as defined in the flow file
    'form' => 'registrationForm',

    // required fields from registrationForm
    'firstName' => $_POST['firstName'],
    'lastName' => $_POST['lastName'],
    'displayName' => $_POST['displayName'],
    'emailAddress' => $_POST['email'],
    'newPassword' => $_POST['password'],
    'newPasswordConfirm' => $_POST['passwordConfirm'],
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | User record is created and new authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token
Email address is already in use (invalid_form_fields) | Display validation message / Prompt user to authenticate again using the login method they previously used, or attempt to use the Forgot Password feature
Other field validation error (invalid_form_fields) | Display validation message(s)

Social Login and Registration

IDP Authentication

The first step to complete a social login or registration is to authenticate with the IDP. This can be done in one of two ways:

IDP Authentication (Widget)

Add the social login widget to your login page. See Implementing Social Login for full implementation instructions, including how to get the code to add the widget to your page.

Once the social login widget is properly implemented, the user can simply click one of the rendered buttons in order to authenticate with the IDP.

IDP Authentication (No Widget)

For more flexibility, you can create your own social login buttons that link to your social login application. There should be a different link for each social provider. The following is an example using Google+.

<a href="https://my-app.rpxnow.com/googleplus/start?language_preference=en&token_url=https://my-token-url">Sign in with Google+</a>

Social Login

Once you have the social login token, the next step is to attempt to authenticate the user via the oauth/auth_native call. You’ll pass the social login token into the call in the token parameter.

$api_call = '/oauth/auth_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'registration_form' => 'socialRegistrationForm',
    'response_type' => 'code',

    // social login token obtained from previous step
    'token' => $_POST['token']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | New authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token
User not found (310, record_not_found) | Continue with Social Registration
User already exists with that email address (380, email_address_in_use) | Continue with Account Merge
Invalid social login token (invalid_argument) | Provide a resolution path for this error
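
The outcome tables for Traditional Login, Traditional Registration and Social Login all key on the stat, code and error values of the JSON response, and the Account Merge section below additionally routes on existing_provider. The following Python is an added example, not Janrain code, that turns those tables into one server-side dispatcher. The sample response bodies are constructed, and the authorization_code, existing_provider and invalid_fields field names are assumptions about the response shape.

```python
import json
from dataclasses import dataclass, field


@dataclass
class NextStep:
    """What the application should do after an authentication response."""
    action: str
    detail: dict = field(default_factory=dict)


def route_auth_response(raw_body: str) -> NextStep:
    """Map one oauth/auth_native or oauth/auth_native_traditional response to the next step."""
    resp = json.loads(raw_body)
    stat = resp.get("stat")
    if stat == "ok":
        # Success: the authorization code is exchanged server-side (oauth/token);
        # it is never handed to client-side script. Field name is an assumption.
        return NextStep("exchange_authorization_code", {"code": resp.get("authorization_code")})
    if stat != "error":
        raise ValueError("unexpected stat value: %r" % (stat,))

    code, error = resp.get("code"), resp.get("error")
    if error == "invalid_credentials":
        # One generic message for both "user not found" and "wrong password":
        # the response does not distinguish them and neither should the UI.
        return NextStep("show_login_failed",
                        {"offer": ["traditional_registration", "forgot_password"]})
    if error == "invalid_form_fields":
        # Per-field messages; 'invalid_fields' as the container key is an assumption.
        return NextStep("show_field_errors", {"fields": resp.get("invalid_fields", {})})
    if code == 310 and error == "record_not_found":
        return NextStep("social_registration")
    if code == 380 and error == "email_address_in_use":
        provider = resp.get("existing_provider")
        if provider == "capture":
            # Existing record is traditional: auth_native_traditional with merge_token
            return NextStep("merge_with_traditional_record", {"requires": "existing password"})
        # Existing record is social: user must re-authenticate with that provider first
        return NextStep("merge_with_social_record", {"reauthenticate_with": provider})
    if error == "invalid_argument":
        # Social login token rejected (bad or stale): start IDP authentication again
        return NextStep("restart_idp_authentication")
    return NextStep("unhandled_error", {"code": code, "error": error})


# Constructed sample bodies, not captured from a live Janrain server
SAMPLE_OK = '{"stat": "ok", "authorization_code": "constructed0authcode"}'
SAMPLE_INVALID_CREDENTIALS = '{"stat": "error", "error": "invalid_credentials"}'
SAMPLE_NOT_FOUND = '{"stat": "error", "code": 310, "error": "record_not_found"}'
SAMPLE_IN_USE_SOCIAL = ('{"stat": "error", "code": 380, "error": "email_address_in_use",'
                        ' "existing_provider": "facebook"}')
SAMPLE_IN_USE_TRADITIONAL = ('{"stat": "error", "code": 380, "error": "email_address_in_use",'
                             ' "existing_provider": "capture"}')
SAMPLE_BAD_TOKEN = '{"stat": "error", "error": "invalid_argument"}'

if __name__ == "__main__":
    for body in (SAMPLE_OK, SAMPLE_NOT_FOUND, SAMPLE_IN_USE_SOCIAL, SAMPLE_IN_USE_TRADITIONAL):
        print(route_auth_response(body))
```

The dispatcher deliberately returns the same generic outcome for "user not found" and "wrong password", matching the single invalid_credentials error the server sends, so the login page does not leak which email addresses have accounts.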

Social Registration

If the previous oauth/auth_native call returns a 310 error (record_not_found), initiate social registration using the oauth/register_native endpoint. You’ll pass the social login token into the call in the token parameter.

$api_call = '/oauth/register_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'response_type' => 'code',
    'redirect_uri' => 'https://localhost',
    'form' => 'socialRegistrationForm',

    // required fields from socialRegistrationForm
    'firstName' => $_POST['firstName'],
    'lastName' => $_POST['lastName'],
    'displayName' => $_POST['displayName'],
    'emailAddress' => $_POST['email'],

    // social login token obtained from previous steps
    'token' => $_POST['token']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | User record is created and new authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token
Email address is already being used | Provide a resolution path for this error. Note: this error can occur when the user has an existing record and attempts to log in with a different social provider that does NOT return a verified email address
Invalid social login token (invalid_argument) | Provide a resolution path for this error

Thin Social Registration

Thin registration is a configuration option that determines the behavior of the oauth/auth_native call when a new user authenticates. If the parameter is set to true, a new record will be created immediately (the registration form can be bypassed). If set to false or omitted from the call, you will need to complete social registration using the oauth/register_native call demonstrated above.

$api_call = '/oauth/auth_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'response_type' => 'code',

    // enable thin social registration
    'thin_registration' => 'true',

    // social login token obtained from previous step
    'token' => $_POST['token']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | User record is created and new authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token
User already exists with that email address (380, email_address_in_use) | Continue with Account Merge
Invalid social login token (invalid_argument) | Provide a resolution path for this error

Account Merge

When an oauth/auth_native call fails with a 380 error (email_address_in_use), the next step is to initiate the merge process. You can prompt the user to confirm that they’d like to merge this social account with their existing user record.

When merging accounts, there are two scenarios to consider:

  • Merge social account with existing social record
  • Merge social account with existing traditional record

Each of these two scenarios is handled differently.

Merge Account with Existing Social Record

  1. If the existing_provider value returned in the 380 error response is a social provider (e.g. "facebook"), the user must authenticate with that provider to prove ownership of the existing account. (See IDP Authentication above.) You’ll use the returned social login token in the next step.

  2. To merge accounts, make an oauth/auth_native call that passes in a token and a “merge” token.

    • The social login token for the existing social provider is passed into the token parameter.
    • The social login token for the new social provider is passed into the merge_token parameter.

$api_call = '/oauth/auth_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'response_type' => 'code',

    // social login token for existing social account
    'token' => $_POST['token'],

    // social login token for new social account
    // (must be the same token from the previous failed oauth/auth_native call)
    'merge_token' => $_GET['merge_token'],
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Account is merged and new authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token

Merge Account with Existing Traditional Record

If the existing_provider value returned in the 380 error response is "capture", make an oauth/auth_native_traditional call that passes in a “merge” token.

  • The user must provide the login credentials for their existing traditional account.
  • The social login token for the new social provider will be passed into the merge_token parameter.

$api_call = '/oauth/auth_native_traditional';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',
    'response_type' => 'code',

    // the name of your sign-in form as defined in the flow file
    'form' => 'signInForm',

    // required fields from signInForm
    'signInEmailAddress' => $_POST['email'],
    'currentPassword' => $_POST['password'],

    // social login token for new social account
    // (must be the same token from the previous failed oauth/auth_native call)
    'merge_token' => $_POST['merge_token']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Account is merged and new authorization code is returned. Next step: Exchange Authorization Code for an access token and refresh token

Account Link/Unlink

Account linking/unlinking requires a valid Janrain access token (from a previous Authentication or Registration). It is not possible to link one existing user record to another, so the only scenario that needs to be addressed is linking to a Social account.

For linking and unlinking, it will be necessary to first make an API call to the entity endpoint to retrieve and/or verify the current list of the user’s linked accounts.

$api_call = '/entity';
$params = array(
    'access_token' => $_SESSION['access_token'],

    // attributes containing user's linked accounts
    'attributes' => '["profiles.domain", "profiles.identifier"]'
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

  1. Authenticate with the social provider to retrieve the social login token. (See IDP Authentication above.)

  2. Link the social account via the oauth/link_account_native call.

$api_call = '/oauth/link_account_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'redirect_uri' => 'https://localhost',

    // valid access token
    'access_token' => $_SESSION['access_token'],

    // social login token obtained from previous step
    'token' => $_POST['token']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Account is linked
Social account already exists (unique_violation) | Provide a resolution path for this error

Unlink a social account via the oauth/unlink_account_native call.

$api_call = '/oauth/unlink_account_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',

    // valid access token
    'access_token' => $_SESSION['access_token'],

    // identifier value from profiles.[profile].identifier schema attribute
    'identifier_to_remove' => $_POST['identifier']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Account is unlinked

Email Verification

The oauth/verify_email_native endpoint will trigger the Registration system to send an email based on the configuration defined for the form used in the API call.

Email verification can also be initiated when a user registers (via oauth/register_native_traditional).

1. Send verification email

$api_call = '/oauth/verify_email_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',

    // page where the user is sent
    'redirect_uri' => EMAIL_VERIFICATION_URL,

    // the name of your resend-verification form as defined in the flow file
    'form' => 'resendVerificationForm',

    // required field from resendVerificationForm
    'signInEmailAddress' => $_POST['email']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Email verification email is sent to user
No account found for provided email address (invalid_credentials) | Provide a resolution path for this error
Email address already verified (triggered_error) | Provide a resolution path for this error

2. Retrieve the verification code

A successful oauth/verify_email_native call will send the email to the user which contains the verify_email_url appended with a verification code. The landing page for this link must parse the verification code and consume it via the access/useVerificationCode API call.

3. Consume the verification code

# verification code parsed from verify_email_url
curl -X POST \
  --data-urlencode 'verification_code=12345678912345678912345678912345' \
  'https://my-app.janraincapture.com/access/useVerificationCode'

Response | Outcome / Next Step
Success (ok) | Janrain Registration server automatically sets the timestamp on the user’s emailVerified attribute
Verification code not recognized (invalid_argument) | Provide a resolution path for this error

Forgot Password

The oauth/forgot_password_native endpoint will trigger the Registration system to send an email based on the configuration defined for the form used in the API call.

One constraint specific to this call: the code it generates can only be redeemed by a widget or an oauth/token call that is configured with the same API client ID that was used to initiate the forgot-password call.

1. Send reset password email

$api_call = '/oauth/forgot_password_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',

    // page where the user is sent
    'redirect_uri' => PASSWORD_RECOVER_URL,

    // the name of your forgot-password form as defined in the flow file
    'form' => 'forgotPasswordForm',

    // required field from forgotPasswordForm
    'signInEmailAddress' => $_POST['email']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Password recover email is sent to user
No account found with that email address (no_such_account) | Provide a resolution path for this error
Account is social only (if applicable; depends on your flow configuration) | Provide a resolution path for this error

2. Retrieve the authorization code

Parse the authorization code from the password_recover_url.
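
Both email verification (step 2 of that section) and password recovery (step 2 here) come down to the same task: parse one code out of the query string of a landing URL and forward it, server-side, in a URL-encoded POST body. The Python below is an added example, not Janrain code; the landing URLs are constructed, the query parameter name verification_code is an assumption, and the length range accepted for a code is a defensive sanity check rather than a documented format.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Sanity pattern for codes pulled out of a landing URL. The page's sample verification
# code is 32 alphanumerics; the length range is a defensive assumption, not a spec.
CODE_PATTERN = re.compile(r"^[A-Za-z0-9]{16,128}$")


def extract_code(landing_url: str, param: str) -> str:
    """Return the single value of `param` from the landing URL's query string.

    Missing, duplicated or oddly shaped values raise ValueError, so only a
    plausible code is ever forwarded to the Registration server.
    """
    query = urlsplit(landing_url).query
    values = parse_qs(query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        raise ValueError("expected exactly one %r parameter, found %d" % (param, len(values)))
    code = values[0]
    if not CODE_PATTERN.match(code):
        raise ValueError("%r does not look like a code" % (param,))
    return code


def has_single_code(landing_url: str, param: str) -> bool:
    """Precheck for the landing page: decide whether to show a 'link invalid' message."""
    try:
        extract_code(landing_url, param)
        return True
    except ValueError:
        return False


def use_verification_code_body(landing_url: str) -> str:
    """Form body for access/useVerificationCode (query parameter name is an assumption)."""
    return urlencode({"verification_code": extract_code(landing_url, "verification_code")})


def recover_token_exchange_body(landing_url: str, client_id: str, client_secret: str,
                                redirect_uri: str) -> str:
    """Form body for oauth/token exchanging the code from password_recover_url.

    The page's PHP reads the code from $_GET['code'], so the parameter is 'code'.
    """
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only; never placed in a browser
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": extract_code(landing_url, "code"),
    })


# Constructed landing URLs (the verification code value is the page's own sample)
VERIFY_URL = "https://example.invalid/verify?verification_code=12345678912345678912345678912345"
RECOVER_URL = "https://example.invalid/recover?code=constructedAuthCode0123456789ab"

if __name__ == "__main__":
    print(use_verification_code_body(VERIFY_URL))
    print(recover_token_exchange_body(RECOVER_URL, "CLIENT_ID", "CLIENT_SECRET",
                                      "https://example.invalid/recover"))
```

Rejecting a URL that carries the parameter twice matters because parse_qs would otherwise silently hand back a list and a naive `[0]` would pick whichever copy came first.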

3. Exchange the authorization code for an access token

Exchange the authorization code for an access token via the oauth/token call. This must be done server-side, because the call requires the client secret.

$api_call = '/oauth/token';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,

    // client secret which pairs with the client id above
    'client_secret' => JANRAIN_LOGIN_CLIENT_SECRET,

    // page where the user is sent
    'redirect_uri' => PASSWORD_RECOVER_URL,

    'grant_type' => 'authorization_code',

    // authorization code parsed from password_recover_url
    'code' => $_GET['code']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

// Store the access token in a variable so that it can be added to the
// change password form as a hidden form element.

if ($api_response->stat == "ok") {
    $access_token = $api_response->access_token;
}

Response | Outcome / Next Step
Success (ok) | Access token is returned, continue to next step

4. Reset the password

Use the oauth/update_profile_native call to submit a new password using the changePasswordFormNoAuth form (Note: this is the default form name in the standard configuration).

$api_call = '/oauth/update_profile_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'access_token' => $_SESSION['access_token'],
    'locale' => 'en-US',
    'form' => 'changePasswordFormNoAuth',

    // required fields from changePasswordFormNoAuth form
    'newPassword' => $_POST['new_password'],
    'newPasswordConfirm' => $_POST['confirm_password']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Profile Update

First, an entity call can be made to retrieve the user’s information to display to the user in the Edit Profile form.

$api_call = '/entity';
$params = array(
    'access_token' => $_SESSION['access_token'],

    // attributes from the user record to retrieve values for
    'attributes' => '["givenName", "familyName", "displayName", "email"]'
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Update Profile Data

The user information is then updated via the oauth/update_profile_native endpoint.

$api_call = '/oauth/update_profile_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'access_token' => $_SESSION['access_token'],

    // required form = editProfileForm
    'form' => 'editProfileForm',

    // profile field(s) to update
    'firstName' => $_POST['firstName'],
    'lastName' => $_POST['lastName'],
    'displayName' => $_POST['displayName'],
    'emailAddress' => $_POST['email']
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | User’s record is updated
Birthdate is not a valid date (invalid_form_fields) | The birthdate field is a special field that must be sent as three (3) separate field parameters: birthdate[dateselect_year], birthdate[dateselect_month], birthdate[dateselect_day]
Other field validation error (invalid_form_fields) | The pertinent error message(s) defined in the Registration configuration will be returned. Provide validation message(s) to the user so that they may correct these values and try again.

Note! User information that is stored as a plural cannot be updated via the oauth/update_profile_native endpoint. Instead, an entity.update call must be made.

IMPORTANT: Do not use the entity.update call unless absolutely necessary. Why? Because this call skips over the data validation layer, which can result in data that does not conform to your validation rules.

The example below updates a plural called children. In this case, the user has one existing child in their profile, and is adding a second child’s information.

$api_call = '/entity.update';
$params = array(
    'access_token' => $_SESSION['access_token'],

    // user's entire plural, including updates
    'attributes' => '{"children": [{"age": "3", "gender": "F", "id": 1234, "name": "June"},{"age": "1", "gender": "M", "name": "Rex"}]}'
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Notice that you must pass the user’s entire plural in the attributes parameter.

In the sample code above, the first child (June) has an id value. This value was auto-generated in the database when that child was created. The second child (Rex) is new, so there is no id yet. Once this call is made, the second child will be created and their id will auto-generate.
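
To make the "entire plural" rule concrete, here is an added Python example (not Janrain code) that takes the children plural from a prior entity call, appends a new child and produces the attributes parameter for entity.update. The entity response is constructed, and its result wrapper key is an assumption about the response shape.

```python
import json

# Constructed /entity response for a user with one existing child ('result' key assumed)
SAMPLE_ENTITY_RESPONSE = {
    "stat": "ok",
    "result": {"children": [{"age": "3", "gender": "F", "id": 1234, "name": "June"}]},
}


def merged_plural(entity_response: dict, plural: str, new_items: list) -> list:
    """Return the complete plural: every existing element (ids intact) plus the new ones.

    entity.update replaces the whole plural, so anything omitted here is deleted.
    """
    if entity_response.get("stat") != "ok":
        raise RuntimeError("entity call failed: %s" % entity_response.get("error"))
    existing = entity_response.get("result", {}).get(plural) or []
    for item in existing:
        if "id" not in item:
            # Without its id an existing element would be re-created as a new one
            raise ValueError("existing %s element without id: %r" % (plural, item))
    for item in new_items:
        if "id" in item:
            # The server auto-generates ids; a client-chosen id is a mistake
            raise ValueError("new %s element must not carry an id: %r" % (plural, item))
    return list(existing) + list(new_items)


def entity_update_params(access_token: str, entity_response: dict,
                         plural: str, new_items: list) -> dict:
    """Form parameters for entity.update carrying the whole plural as a JSON string."""
    return {
        "access_token": access_token,
        "attributes": json.dumps({plural: merged_plural(entity_response, plural, new_items)}),
    }


if __name__ == "__main__":
    params = entity_update_params("ACCESS_TOKEN_PLACEHOLDER", SAMPLE_ENTITY_RESPONSE,
                                  "children", [{"age": "1", "gender": "M", "name": "Rex"}])
    print(params["attributes"])
```

Because entity.update bypasses the flow's validation layer, the checks on id presence are the only guard this path has; the form-based oauth/update_profile_native endpoint should stay the default for anything that is not a plural.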

Change Password

A logged-in user can change their password directly via the oauth/update_profile_native endpoint and the changePasswordForm. Note that this form and workflow is different than the Forgot Password implementation.

$api_call = '/oauth/update_profile_native';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'flow' => JANRAIN_FLOW_NAME,
    'flow_version' => JANRAIN_FLOW_VERSION,
    'locale' => 'en-US',
    'access_token' => $_SESSION['access_token'],

    // required form = changePasswordForm
    'form' => 'changePasswordForm',

    // profile field(s) to update
    'currentPassword' => $_POST['current_password'],
    'newPassword' => $_POST['new_password'],
    'newPasswordConfirm' => $_POST['confirm_password'],
);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | User’s record is updated with new password

Exchange Authorization Code

An access_token is valid for one hour. You can use the oauth/token endpoint to request a new one in order to keep a user authenticated through Janrain for the length of your site or application’s session.

If you pass the value code in the response_type parameter, an authorization code will be returned upon successful login or registration. The authorization code must then be passed to a server and exchanged for an access token and refresh token.

$api_call = '/oauth/token';
$params = array(
    'client_id' => JANRAIN_LOGIN_CLIENT_ID,
    'client_secret' => JANRAIN_LOGIN_CLIENT_SECRET,
    'redirect_uri' => 'https://localhost',
    'grant_type' => 'authorization_code',

    // authorization code from user login/registration
    'code' => $_POST['authorization_code']
);

$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, JANRAIN_CAPTURE_URL.$api_call);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($params));
$api_response = json_decode(curl_exec($curl));
curl_close($curl);

Response | Outcome / Next Step
Success (ok) | Access token and refresh token are returned

These tokens must be stored in the server session and refreshed as needed using the oauth/token endpoint.

When a user interacting with the site or app attempts an action that requires a Janrain access token (e.g. save profile), a server-side script can be called to generate a new valid access token and pass it back to re-attempt the action.
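
As an added example (not Janrain code) of the server-side token handling this section describes: the class below keeps the access token, refresh token and expiry together, decides when a refresh is due, and builds the oauth/token parameter sets for the authorization-code exchange and for a refresh. The refresh request shape (grant_type=refresh_token with a refresh_token parameter) is standard OAuth 2.0 usage assumed here rather than quoted from this page; the expires_in field and the sample response are likewise assumptions/constructed, and the HTTP POST itself is passed in as a callable so the logic runs offline.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Refresh this many seconds before expiry; a local margin, not a Janrain setting.
REFRESH_MARGIN_SECONDS = 60


@dataclass
class TokenSet:
    """Access/refresh token pair held in the server session (never sent to the browser)."""
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds

    @classmethod
    def from_token_response(cls, resp: dict, now: Optional[float] = None) -> "TokenSet":
        """Build from a parsed oauth/token JSON response ('expires_in' is assumed)."""
        if resp.get("stat") != "ok":
            raise RuntimeError("oauth/token failed: %s" % resp.get("error"))
        now = time.time() if now is None else now
        lifetime = float(resp.get("expires_in", 3600))  # page: an access token lives one hour
        return cls(resp["access_token"], resp["refresh_token"], now + lifetime)

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        """True once the token is within the margin of expiring (or already expired)."""
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS


def exchange_params(client_id: str, client_secret: str, redirect_uri: str, code: str) -> dict:
    """oauth/token parameters for the authorization-code exchange shown in the PHP above."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
        "code": code,
    }


def refresh_params(client_id: str, client_secret: str, refresh_token: str) -> dict:
    """oauth/token parameters for a refresh (standard OAuth 2.0 refresh grant; assumption)."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
    }


def usable_tokens(tokens: TokenSet, post_token: Callable[[dict], dict],
                  client_id: str, client_secret: str,
                  now: Optional[float] = None) -> TokenSet:
    """Return a TokenSet whose access token can be used right now.

    `post_token` performs the real HTTPS POST to /oauth/token and returns the
    parsed JSON; it is injected so this logic is testable without a network.
    """
    if not tokens.needs_refresh(now):
        return tokens
    resp = post_token(refresh_params(client_id, client_secret, tokens.refresh_token))
    return TokenSet.from_token_response(resp, now)


# Constructed oauth/token response, not captured from a live server
SAMPLE_TOKEN_RESPONSE = {
    "stat": "ok",
    "access_token": "constructedAccessToken1",
    "refresh_token": "constructedRefreshToken1",
    "expires_in": 3600,
}

if __name__ == "__main__":
    issued = TokenSet.from_token_response(SAMPLE_TOKEN_RESPONSE, now=0.0)
    print("refresh needed at t=0:", issued.needs_refresh(now=0.0))        # False
    print("refresh needed at t=3541:", issued.needs_refresh(now=3541.0))  # True
```

The action handler described in the last paragraph then becomes: load the TokenSet from the session, call usable_tokens with the real POST function, store the result back, and retry the action with the returned access token. The client secret only ever appears inside the parameter builders on the server.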
