Skip to main content
import { useSearchParams } from 'react-router';
import { useStytchB2BClient } from '@stytch/react/b2b';

export const OAuthConsentSubmit = () => {
  const stytch = useStytchB2BClient();
  const [searchParams] = useSearchParams();

  const submitAuthorization = async (consentGranted) => {
    const response = await stytch.idp.oauthAuthorizeSubmit({
      client_id: searchParams.get('client_id'),
      redirect_uri: searchParams.get('redirect_uri'),
      response_type: searchParams.get('response_type'),
      scopes: searchParams.get('scope')?.split(' ') || [],
      consent_granted: consentGranted,
      state: searchParams.get('state'),
      nonce: searchParams.get('nonce'),
      code_challenge: searchParams.get('code_challenge'),
    });

    window.location.href = response.redirect_uri;
  };

  return (
    <div>
      <button onClick={() => submitAuthorization(true)}>Allow</button>
      <button onClick={() => submitAuthorization(false)}>Deny</button>
    </div>
  );
};
idp.oauthAuthorizeSubmit wraps the Submit OAuth Authorization API endpoint. It completes a request for authorization of a Connected App to access a account. Call this endpoint using the query parameters from an OAuth Authorization request, after previously validating those parameters using the idp.oauthAuthorizeStart method. Note that this endpoint takes in a few additional parameters the start method does not- state, nonce, and code_challenge. If the authorization was successful, the redirect_uri will contain a valid authorization_code embedded as a query parameter. If the authorization was unsuccessful, the redirect_uri will contain an OAuth2.1 error_code. In both cases, redirect the Member to the location for the response to be consumed by the Connected App. Exactly one of the following must be provided to identify the Member granting authorization: organization_id + member_id, session_token, or session_jwt. If a session_token or session_jwt is passed, the OAuth Authorization will be linked to the Member’s session for tracking purposes. One of these fields must be used if the Connected App intends to complete the Exchange Access Token flow.

Parameters

client_id
string
required
The ID of the Connected App client.
redirect_uri
string
required
The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow. This field is required when using the authorization_code grant.
response_type
string
required
The OAuth 2.0 response type. For authorization code flows this value is code.
scopes
string[]
required
An array of scopes requested by the client.
consent_granted
boolean
required
Indicates whether the user granted the requested scopes.
state
string
An opaque value used to maintain state between the request and callback.
nonce
string
A string used to associate a client session with an ID token to mitigate replay attacks.
code_challenge
string
A base64url encoded challenge derived from the code verifier for PKCE flows.
prompt
string
Space separated list that specifies how the Authorization Server should prompt the user for reauthentication and consent. Only consent is supported today.

Response

redirect_uri
string
The callback URI used to redirect the user after authentication. This is the same URI provided at the start of the OAuth flow.
authorization_code
string
A one-time use code that can be exchanged for tokens.
request_id
string
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
status_code
number
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.