Authentication
Use this integration to authenticate users with various SSO providers including Google, Apple, Microsoft, and SignaturGruppen MitID.
Introduction
The Auth module provides a unified interface for authenticating users with various Single Sign-On (SSO) providers. It handles the OAuth flow and returns an authorization code and PKCE verifier so your backend can perform the token exchange.
Where to find: startiapp.Auth
Supported Providers
google- Google Sign-Inapple- Sign in with Applemicrosoft- Microsoft Accountsignaturgruppenmitid- Danish MitID via Signaturgruppen Broker
Configuration
Auth providers are configured via Manager under the Authentication section.
Methods
signIn
signIn(providerName: string, options?: SignInOptions): Promise<AuthenticationResult | AuthenticationFailure>
Authenticate a user with the specified provider. Returns a result you can check with isSuccess.
If you use TypeScript and pass a known provider name (e.g. "apple"), the result type narrows automatically to include provider-specific fields.
Parameters:
providerName- The provider to use for authentication (e.g.,"google","apple")options- Optional sign-in configuration (requires app version 3.992.0+)
Example:
// Basic sign in
const result = await startiapp.Auth.signIn("google");
// Sign in with custom scope
const result = await startiapp.Auth.signIn("signaturgruppenmitid", {
scope: "openid mitid ssn ssn.details_name"
});
signOut
signOut(): Promise<boolean>
Signs the user out of the current session. Returns true if sign-out was successful.
Example:
const success = await startiapp.Auth.signOut();
getCurrentSession
getCurrentSession(): Promise<AuthenticationResult | null>
Get the current authentication session if one exists.
Example:
const session = await startiapp.Auth.getCurrentSession();
if (session) {
console.log("Authenticated as:", session.providerName);
}
isAuthenticated
isAuthenticated(): Promise<boolean>
Check if a user is currently authenticated.
Example:
if (await startiapp.Auth.isAuthenticated()) {
console.log("User is logged in");
}
Response
The result of signIn has an isSuccess field you can use to check whether authentication succeeded.
Success
When isSuccess is true, the result contains the authorization code and PKCE verifier for your backend to perform the token exchange.
| Property | Type | Description |
|---|---|---|
isSuccess | true | |
providerName | string | The provider that was used |
additionalClaims | Record<string, string> | Provider-specific claims (see MitID Specific Claims) |
authorizationCode | string | OAuth authorization code |
codeVerifier | string? | PKCE code verifier for the token exchange (not present for Apple) |
redirectUri | string | The redirect URI used during the flow |
Apple sign-in
When the provider is "apple", the success result also includes an identity object:
| Property | Type | Description |
|---|---|---|
identity.userId | string | Apple user ID |
identity.email | string | User’s email address |
identity.name | string | null | User’s name (only present on first sign-in) |
identity.idToken | string | Apple ID token |
Failure
When isSuccess is false, the sign-in was cancelled or something went wrong.
| Property | Type | Description |
|---|---|---|
isSuccess | false | |
providerName | string | The provider that was used |
errorMessage | string | What went wrong |
SignInOptions
| Property | Type | Description |
|---|---|---|
scope | string? | Custom OAuth scope string. Overrides the default scope for the provider. |
Examples
Basic Google Sign-In
const result = await startiapp.Auth.signIn("google");
if (!result.isSuccess) {
console.error("Login failed:", result.errorMessage);
return;
}
// Send the authorization code to your backend for token exchange
await fetch("/api/auth/exchange", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
code: result.authorizationCode,
codeVerifier: result.codeVerifier,
redirectUri: result.redirectUri,
}),
});
Apple Sign-In
const result = await startiapp.Auth.signIn("apple");
if (!result.isSuccess) {
console.error("Login failed:", result.errorMessage);
return;
}
// TypeScript knows result.identity is available here
console.log("User ID:", result.identity.userId);
console.log("Email:", result.identity.email);
console.log("ID token:", result.identity.idToken);
// name is only available on the user's first sign-in
if (result.identity.name) {
console.log("Name:", result.identity.name);
}
Session Management
// Check if user is logged in
const isLoggedIn = await startiapp.Auth.isAuthenticated();
if (isLoggedIn) {
// Get current session
const session = await startiapp.Auth.getCurrentSession();
console.log("Current provider:", session?.providerName);
}
Events
authenticationCompleted
Fired when an authentication flow completes (success or failure).
startiapp.Auth.addEventListener("authenticationCompleted", (event) => {
const result = event.detail;
if (result.isSuccess) {
console.log("User authenticated via:", result.providerName);
}
});
Notes
MitID Test Environment: During development, MitID uses the pre-production environment (pp.netseidbroker.dk). You can create test identities at MitID Test Tool.
SSN Privacy: When using SSN scopes, the user’s CPR number is retrieved from the CPR registry. Ensure you have proper consent and legal basis for processing this data according to GDPR.