Does your platform support single sign-on (SSO) authentication scheme? (Security, Login, Access)

Modified on Mon, Jul 8 at 2:17 PM

WealthBlock currently supports two different flows to enable single sign-on.


Amazon Cognito (https://aws.amazon.com/pm/cognito)


Amazon Cognito is an AWS hosted identity management solution. This solution provides an independent user data store that both the WealthBlock platform and your application can access to share user authentication.


To hook into our AWS Cognito implementation, you can follow the steps below:


Create a Cognito Pool


There are two options available for pool creation:

  1. You can use a Cognito pool you have created in your own AWS environment
    • Using your own pool gives you complete control over the management
    • This allows you to use it for other purposes 
      • For example, you can provide SSO to other online resources you may be using
  2. You can use a Cognito pool that we create for you in our AWS environment
    NOTE: Amazon allows you to style the login form, and we have a CSS guide here. If you decide to use our Cognito account, you will not have access yourself. Our standard included service is to style the Amazon form to look as close as possible to our platform login form.


Create a Cognito App Client


If you are using your own Cognito pool, please create an App Client for your WealthBlock platform (in addition to a separate App Client for your website):

  1. Set your callback URLs to be your platform URL
  2. To maximize security, our implementation makes use of AWS Cognito's OAuth 2.0 protocol
    • Please use the settings displayed in the screenshot below when creating the App Client for your WealthBlock platform
  3. Send us the App Client ID and Secret



If you are using our Cognito pool, we will create an App Client for you in our environment and send you the ID and Secret.



Implement Accessing the Pool from your Environment


WealthBlock has already implemented its own Cognito pool access modules, which are fully integrated with your platform at no additional cost.


You will need to implement access to the pool from your own website.


After a user has successfully logged in through the shared Cognito login form, they are redirected back to your website with an OAuth authorization code in the URL. You then only need to perform two steps:

  1. Pass the OAuth code you receive from the login redirect to the Cognito /oauth2/token endpoint
  2. Pass the access token returned by that call to the getUser function of the Cognito SDK library you are using


That call returns details about the user (e.g. email address) that you can then use to log them in.


Please reference AWS's SDK documentation here.  For additional implementation details, please submit a ticket through the Support Portal.



JSON Web Token (JWT)


JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way to securely transmit information between parties as a JSON object. WealthBlock supports receiving a JWT from your application, secured by a shared encryption key.


To log a user in using a JWT:

  1. Securely exchange a shared secret with WealthBlock
  2. Create a JWT using the HMAC algorithm. Visit https://jwt.io/ to learn more or find a library for your preferred coding language.

       Header:

        {
          "alg": "HS256",
          "typ": "JWT"
        }

       The JWT payload should look as follows.

       Payload:

        {
          "user": {
            "username": "john.doe@gmail.com",
            "profile": { "firstName": "John", "lastName": "Doe" }
          }
        }


        To secure the payload data, WealthBlock requires that you encrypt the entire payload using the Advanced Encryption Standard in CTR mode (AES-256-CTR), using the same secret exchanged with WealthBlock above.


   3. To sign the user in via SSO, pass the entire JWT in the query string parameter ssoauth when redirecting to any URL on your WealthBlock platform, e.g. https://invest.your-platform-domain.com/account?ssoauth=123xndf32nxek23nde

