# Login with a username and password

This is the most traditional form of authentication and only requires an API call to the `login` mutation with the user's username and password. The API returns an access token and a refresh token; use the refresh token to obtain a new access token before the current one expires, for as long as the user remains active.

## Steps

1. Call the `login` mutation:

   ```graphql
   mutation {
     login(input: {
       username: "user@example.com"
       password: "password"
     }) {
       accessToken
       refreshToken
     }
   }
   ```

# Login with an identity provider

This allows the user to log in via a third-party identity provider such as Facebook, Steam or a BankID provider. The API returns an access token and a refresh token; use the refresh token to obtain a new access token before the current one expires, for as long as the user remains active.

## Steps

1. Call the `authorizeProvider` mutation to get a URI to redirect the user to, so that they can authorize the application with the identity provider:

   ```graphql
   mutation {
     authorizeProvider(input: {
       provider: FACEBOOK
       redirectUri: "https://casino.io/login"
     }) {
       redirectUri
     }
   }
   ```

2. Redirect the user to the `redirectUri` returned in the `authorizeProvider` response.

3. After the user grants authorization on the identity provider's site, they are redirected back to our application with an `idp_token` query parameter: `https://casino.io/login?idp_token=random-128-bits-token`

4. The application then calls the `loginWithToken` mutation to finalize the login:

   ```graphql
   mutation {
     loginWithToken(input: {
       token: "random-128-bits-token"
     }) {
       accessToken
       refreshToken
     }
   }
   ```

# Refresh an active session

Access tokens are short-lived for security reasons, so they need to be refreshed every so often. To do this, call the `refreshToken` mutation. It returns a new access and refresh token pair, which should be used for subsequent API calls and for the next refresh.

## Steps

1. Call the `refreshToken` mutation:

   ```graphql
   mutation {
     refreshToken(input: {
       refreshToken: "most-recent-refresh-token"
     }) {
       accessToken
       refreshToken
     }
   }
   ```

# Logout / revoke a session

When the user wants to log out, call the `logout` mutation. This invalidates the current session. If successful, the call returns the access token that was used to revoke the session.

## Steps

1. Call the `logout` mutation:

   ```graphql
   mutation {
     logout {
       accessToken
     }
   }
   ```
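
As an added example for the "Refresh an active session" flow above (not code from the API's own documentation), this JavaScript client keeps the token pair together, refreshes shortly before expiry, and lets concurrent callers share a single `refreshToken` call so that only the most recent refresh token is ever sent. Assumptions: `send` is a hypothetical transport function, `RefreshTokenInput` is an assumed input type name, the access-token lifetime is known to the client, and the server may reject a refresh token once a newer pair has been issued.

```javascript
// Added example, not the API's own client code.
// `send(query, variables)` is a hypothetical transport that POSTs to the GraphQL
// endpoint and resolves to the response's `data`; `RefreshTokenInput` is an assumed type name.
const REFRESH_MUTATION = `
  mutation Refresh($input: RefreshTokenInput!) {
    refreshToken(input: $input) { accessToken refreshToken }
  }`;

class Session {
  // lifetimeMs: access-token lifetime (assumed known to the client);
  // skewMs: how long before expiry to refresh; now: injectable clock for testing.
  constructor(send, tokens, { lifetimeMs, skewMs = 30000, now = Date.now }) {
    this.send = send;
    this.lifetimeMs = lifetimeMs;
    this.skewMs = skewMs;
    this.now = now;
    this.inFlight = null;
    this.store(tokens);
  }

  // Replace the whole pair at once so a stale refresh token is never reused.
  store({ accessToken, refreshToken } = {}) {
    if (!accessToken || !refreshToken) throw new Error("incomplete token pair");
    this.tokens = { accessToken, refreshToken };
    this.refreshAt = this.now() + this.lifetimeMs - this.skewMs;
  }

  // Returns a usable access token, refreshing first when it is close to expiry.
  async accessToken() {
    if (this.now() >= this.refreshAt) await this.refresh();
    return this.tokens.accessToken;
  }

  // Concurrent callers share one request, so each refresh token is sent only once.
  refresh() {
    if (!this.inFlight) {
      // The token travels as a GraphQL variable, never spliced into the query text.
      const input = { refreshToken: this.tokens.refreshToken };
      this.inFlight = this.send(REFRESH_MUTATION, { input })
        .then((data) => this.store(data.refreshToken))
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
}
```

A failed refresh rejects for every waiting caller and leaves the stored pair untouched, so the application can decide whether to retry or send the user back to login.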