📍 Bolt Help / Products / Ignite 🔥 / API Implementation / Endpoints / OpenID Connect Validation APIs
OpenID Connect Validation APIs
Use OpenID Connect (OIDC) to use Bolt Ignite as an identity provider.

Overview

OpenID Connect (OIDC) is an identity standard for third parties to initiate OpenID Authentication requests with their authorization servers.

When merchants leverage Bolt Ignite as an identity provider (i.e. use Bolt to log a shopper into their store account), OIDC sits on top of the OAuth 2.0 protocol. This extra layer of validation should be implemented when using Bolt’s authentication to verify a shopper’s identity.

OAuth 2.0

Below is the sequence of data exchange when integrating with Bolt’s standard OAuth API:

(1) A shopper authenticates via Bolt’s Login Modal.

(2) Bolt returns an Authorization Code to the frontend of a merchant’s site.

(3) Merchant’s pass the Bolt Authorization Code to their backend in order to…

(4) call Bolt’s OAuth API endpoint to receive an OAuth Access Token.

Finally, with the OAuth Access token, merchants may read or write data to a shopper’s Bolt account.

sequenceDiagram participant Shopper participant Merchant Frontend participant Merchant Backend participant Bolt Embed.js participant Bolt Backend Shopper->>Bolt Embed.js: Shopper Enters Email Bolt Embed.js->>Bolt Backend: Bolt Account Exists? note over Bolt Backend: If account exists, Bolt sends one-time pass code via SMS or Email. Bolt Backend->>Bolt Embed.js: Displays Login Modal Shopper->>+Bolt Embed.js: Submits OTP or Passkey Bolt Embed.js->>Bolt Backend: OTP or Passkey Valid? note over Bolt Backend: Validates OTP or Passkey rect rgb(191, 223, 255) note over Merchant Backend: OAuth 2.0 "Handshake" Bolt Backend->>Bolt Embed.js: Returns an Authorization Code and Scope Bolt Embed.js->>Merchant Frontend: Returns an Authorization Code and Scope Merchant Frontend->>Merchant Backend: Auth Code and Scope Merchant Backend->>Bolt Backend: Request is made to Bolt's OAuth API Bolt Backend->>+Merchant Backend: Return Bolt OAuth Access Token end Merchant Backend->>Bolt Backend: Request is made to Bolt's GET Account API Bolt Backend->>+Merchant Backend: Returns shopper account data

OAuth 2.0 + Open ID Connect

Bolt returns an ID token to the third party via the OAuth Token endpoint if the presented authorization grant includes the open_id scope. The ID token can be further decrypted via Bolt’s RSA Public Key.

sequenceDiagram participant Shopper participant Merchant Frontend participant Merchant Backend participant Bolt Embed.js participant Bolt Backend Shopper->>Bolt Embed.js: Shopper Enters Email Bolt Embed.js->>Bolt Backend: Bolt Account Exists? note over Bolt Backend: If account exists, Bolt sends one-time pass code via SMS or Email. Bolt Backend->>Bolt Embed.js: Displays Authentication Modal Shopper->>+Bolt Embed.js: Submits OTP or Passkey Bolt Embed.js->>Bolt Backend: OTP or Passkey Valid? note over Bolt Backend: Validates OTP or Passkey Bolt Backend->>Bolt Embed.js: Returns an Authorization Code and Scope Bolt Embed.js->>Merchant Frontend: Returns an Authorization Code and Scope Merchant Frontend->>Merchant Backend: Auth Code and Scope Merchant Backend->>Bolt Backend: Request is made to Bolt's OAuth API Bolt Backend->>+Merchant Backend: Return Bolt OAuth Access Token rect rgb(191, 223, 255) note over Merchant Backend: Open ID Connect validation Merchant Backend->>Bolt Backend: Get Bolt's OIDC Config Bolt Backend->>+Merchant Backend: Returns OIDC Congfig Merchant Backend->>Bolt Backend: Get JSON Web Key Set (JWKS) Bolt Backend->>+Merchant Backend: Returns JSON Web Key Set (JWKS) Merchant Backend->>Merchant Backend: Validates the Bolt JWT Access Token note over Merchant Backend: Shopper's identity is verified. end

Step 1: Get Bolt’s OpenID Configuration Data

OpenID Config Request

Bolt’s Public RSA Key is publicly available via a GET request to Bolt’s API using the following endpoints

  • Sandbox: https://api-sandbox.bolt.com/.well-known/openid-configuration endpoint.
  • Production: https://api.bolt.com/.well-known/openid-configuration

OpenID Config Response

{
  "issuer": "https://api-sandbox.bolt.com",
  "authorization_endpoint": "https://api-sandbox.bolt.com/v3/oauth/authorize",
  "token_endpoint": "https://api-sandbox.bolt.com/v3/oauth/token",
  "jwks_uri": "https://api-sandbox.bolt.com/v3/oauth/jwks.json",
  "response_types_supported": [
    "id_token",
    "code",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid",
    "bolt.account.manage",
    "bolt.account.view"
  ]
}

Step 2: JSON Web Key Set (JWKS)

Bolt’s OAuth Access Token is a JSON Web Token (JWT). In order to validate the Bolt OAuth Access Token is legitimate,k you will need Bolt’s JSON Web Key Set (JWKS). Merchants then use these cryptographic keys to validate the integrity of the JWT to ensure that it has not been tampered with.

JWKS Request

In the response payload from Bolt’s Open ID Configuration API, you’ll find the jwks_uri. A GET request should be made to this endpoint for the JWKS data.

JWKS Response

{
   "keys" : [
      {
         "alg" : "RS256",
         "e" : "AQAB",
         "kid" : "e8a7273d-40d4-4be1-a826-f9113e8bf0ab",
         "kty" : "RSA",
         "n" : "umrI98nQ0thJELhOa0AI4fQkEEuh9gHOFEQUjVZzSZO_O5x42mugJyMq3hDGwJBOH2FUgT5WnGt9tHJ9NbTwfZtljOyRkmoTUGFkQIcRZy_b0fD9_IfFXuAXJebflCIVFO_UnFRN4Z9RQqx-vffAE-qNnQV_V_455Qw0-_HW5n06Df0UVYXiZ1-2RXfGIinPcUgMS59r12kJDahELTWWcwa1gJE1UnSUiwTO7dDp1IjgGml6cpbynYcROyuz4wNumIj7w6tH-krmPguTYXPmKVSmZtqFCh1reXonSZBQ9XvuWhQbY3skf7X2AELHB6nkUNaUlVlSbG_DiHjxSAvSr3HSKLHiaYuB3VA_FWgfSWvg9kZVE9d1Qg-JhYL8kIxcWIgH37onIR5gh7lep0u73WlgFy97tjy9uiTmcjrzBBXtxl5PsLGaTJGPkZnAON4BH0Njuq23G_ZHXcJvX8uFs4VlfItq838SjJqzCrWS5eK4mKX669dYEXenjv8mqqkKSD3PNZl4ixwfMkhmVAeYA0qPnq5rt7XA5mVlr5BNkpal29fL_s6CcdfAylzvzS3C1a6z3ZpZSl2yGAfDgceC4-h-iLJmyeZM3Jz1jttE9BTUxwlhQvO_xIDkJXGgU9y8TMy_rNcPS_qOW1k4DDcTM_eCqsISa58WWiCO0WQUW6E",
         "use" : "sign"
      }
   ]
}

Step 3. Validate the Bolt OAuth JWT

Finally, merchants may validate and parse the Bolt JWT using the JSON Web Key Set using any standard JWT validation library for this.

Filter by Section
Filter by Topic