# Regular web application client
This section is part of OAuth 2.0 / OpenID Connect (OIDC) integration.\
Currently, the Quick Start guide and technical support for this client type are optimized for the Next.js framework.
### Why am i here?
If this is your first time integrating with Oten Identity, start with:
* **Creating an** [**integration app**](/identity-support/integration/integration-document.md)
* **Creating a regular web application client**
* **Using quick start to integrate authentication into your next.js web application**
#### What is a regular web application?
In the context of Oten Identity, A regular web application is a web app that has a backend server handling authentication. Users log in through the browser, but the login process and session management are managed securely on the server side.
Choose a regular web application if your app:
* Has a backend server (for example: Next.js with server-side logic)
* Handles login, tokens, or sessions on the server
* Needs to keep client secrets secure
This client type is recommended for most production web applications.
Key characteristics include:
* Authentication is handled using **OAuth 2.0 / OpenID Connect**
* Uses **redirect-based authentication**
* Integrates with Oten Identity via the **Authorization Code flow**
* Client configuration is managed through the **Oten Developer Portal**
#### Typical characteristics
A Regular Web Application typically:
* Is a **web application accessed via a browser**
* Runs server-side logic (e.g. API routes, session handling)
* Uses **OAuth 2.0 Authorization Code flow**
* Relies on **Redirect URIs** and **Logout URIs**
* Stores sensitive credentials (Client Secret) **on the server**
* Uses frameworks such as **Next.js**
**Note**: The current Quick Start integration for Regular Web Applications supports Next.js only.
#### Why use a regular web application client?
Use this client type when:
* Your application is a **server-rendered or hybrid web application**
* You need to keep **Client cecrets secure on the server**
* You want to integrate authentication using **standard OAuth 2.0 / OIDC flows**
* You prefer a **guided integration experience** with ready-to-use code samples
* You require a balance between **security, flexibility, and ease of integration**
#### What should i do next?
If you already know that your application is a regular web application, continue by opening the **quick start** tab.
In **quick start**, you will find:
* Example integration code
* Step-by-step guidance for authentication
* A working sample using **next.js**, which is currently supported by Oten
Follow the instructions to integrate login with Oten into your application.
#### Prerequisites
Before you begin, ensure you have:
* An active **Oten Developer account**
* An **Integration App** already created
* A **Regular Web Application client** created in the Oten Developer Portal
* **Node.js 18 LTS or later**
* One of the following package managers:
* npm
* yarn
* pnpm
**Basic understanding of:**
* OAuth 2.0
* OpenID Connect
* Server-side web application concepts
* Next.js fundamentals
### I already understand. How do I process step by step?
#### Step 1: Open create application
1. Sign in to the [**Oten Developer Portal**](https://developer.oten.live/)
2. Navigate to: **App Management** → **Integration app** → **App detail**
3. Select **Create app**
#### Step 2: Select client type
Choose **Regular web application** as the client type.
#### Step 3: Review client characteristics
Review the selected client type and its supported technology, then proceed to the next step.
For a **Regular web application**:
* Designed for **server-side web applications**
* Authentication is handled on the backend
* **Language / Framework support:** **Next.js**
* Suitable for applications that can securely store a client secret
Once confirmed, continue to configure the client settings.
#### Step 4: Configure redirect URIs
Enter the Redirect URI(s) that Oten Identity will use to redirect users back to your application after authentication.
**Requirements:**
* At least one Redirect URI is required
* URIs must be valid and explicitly listed
* Multiple URIs can be added (comma-separated or one per line)
**Example (Next.js):**
`https://your-app.com/callback, http://localhost:3000/callback`
These Redirect URIs must match exactly with the callback route implemented in your application.
#### Step 5: Create the client
Click **Create client** to finalize client creation. You will be redirected to the **Client detail** page.
#### Step 6: Integrate application
After the client is created, the **Client detail** page provides two integration options:
* **Quick start**
* **Configure**
You can choose either approach based on your technical experience and integration requirements.
**6.1 Quick start**
Quick Start provides guided integration steps with ready-to-use code samples **for server-side web applications**.
This option is recommended if you are building a **Regular web application using Next.js** and want to integrate Oten Identity quickly with minimal manual configuration.
**6.1.1 Select your technology**
Select your technology stack to receive customized integration instructions.
Based on the current UI:
* **Application type:** Regular Web Application
* **Framework:** Next.js
Note: Quick Start currently supports Next.js for Regular Web Applications.
**6.1.2 Review prerequisites**
Before continuing, ensure your local environment meets the following requirements:
* **Node.js 18 LTS or newer**
* **npm 9+**, **yarn 1.22+**, or **pnpm 8+**
* An **Oten Identity account** and an existing Integration App
* A client created for a **Regular web application**
**Next.js compatibility:**
* This Quick Start uses **Next.js 14+**
* Uses **App router**
* Authentication integration is based on **NextAuth v4**
**6.1.3 Create a new Next.js project**
Create a new **Next.js** project using the provided command, or use an existing Next.js application.
The Quick Start uses **Next.js (app router)** as the framework.
**6.1.4 Install authentication dependencies**
Install the required authentication dependencies:
* **NextAuth v4** for authentication handling
* OIDC / OAuth 2.0 integration with Oten Identity
These dependencies are used to:
* Handle OAuth 2.0 / OpenID Connect Authorization Code flow
* Manage user sessions securely on the server
* Integrate Oten Identity as an external Identity Provider
**6.1.5 Configure Oten Identity provider**
Configure your Next.js application using environment variables from the **Client detail** page.
You need the following values:
* **Oten authorization domain** (`OTEN_IDP_ISSUER`)
* **Client ID**
* **Client secret**
* **NextAuth secret**
* **NextAuth URL**
**6.1.6 Configure client URLs**
In the **Client configuration**, set the following URLs exactly as shown in the Quick start:
* **Redirect URIs**
`http://localhost:3000/api/auth/callback/oten-idp`
* **Logout URIs**
`http://localhost:3000`
* **Allowed origins (CORS)**
`http://localhost:3000`
All URLs must **exactly match** your application’s runtime URLs.\
Invalid or missing URLs will cause authentication failures.
**6.1.7 Configure auth configuration**
Create the authentication configuration used by NextAuth.
This step defines how your application integrates with Oten Identity using OAuth 2.0 and OpenID Connect.
**Actions**:
* Create the `libs` directory and the `auth.ts` configuration file
* Add the NextAuth v4 configuration for Oten Identity
* Configure authentication using the Authorization Code flow with PKCE
* Specify token signing and security settings as required by Oten Identity
> Note: The configuration uses PKCE (Proof Key for Code Exchange) for enhanced security.\
> Oten Identity uses the EdDSA algorithm for signing tokens.
**6.1.8 Create NextAuth API route**
Create the API route that handles authentication requests.
This route connects your application to the authentication configuration defined in the previous step.
**Actions**:
* Create the API route directory under `app/api/auth/[...nextauth]`
* Define the route handler using NextAuth
* Register both `GET` and `POST` handlers for authentication callbacks
This API route is responsible for processing login, callback, and session-related requests.
**6.1.9 Create authentication components**
Create authentication-related components in your Next.js application, including:
* Login button
* Logout button
* User profile display
* Session provider wrapper
These components use **NextAuth hooks and APIs** and are implemented as **client components** where required.
Use the provided Quick start code samples as the reference implementation.
**6.1.10 Update the root layout**
Update the application root layout to enable authentication context across the app.
This step wraps the entire application with the session provider so authenticated user state is available globally.
**Actions**:
* Replace the contents of `app/layout.tsx`
* Import and apply the `SessionProvider`
* Ensure all application pages are rendered within the authentication context
This configuration is required for session management and authenticated routing to function correctly.
**6.1.11 Add styles**
Add the global styles used by the sample application.
This step applies base styling and font configuration to ensure consistent UI rendering.
**Actions**:
* Replace the contents of `app/globals.css`
* Import required fonts
* Apply global CSS rules for layout and typography
This step is optional for authentication functionality, but recommended for matching the sample application appearance.
**6.1.12 Update the home page**
Replace the contents of `app/page.tsx` with the provided implementation.
This page acts as the main entry point of the application and demonstrates how authentication state is handled on the server.
**Key characteristics:**
* Implemented as a **Server Component**
* Uses `getServerSession` from `next-auth` to retrieve the session securely on the server
* Conditionally renders:
* Login action when the user is not authenticated
* Profile information and logout action when the user is authenticated
This approach avoids client-side session fetching and ensures better security and performance.
**6.1.13 Run your application**
Start the development server by running the following command:
**Once the server is running:**
* Open the application in your browser (default: `http://localhost:3000`)
* Click **Login** to initiate authentication via Oten Identity
* After successful login, verify that:
* User profile information is displayed
* Logout functionality works as expected
At this point, the Regular Web Application integration with Oten Identity is complete and fully functional.
#### Step 7: Completion & next actions
After completing **Quick start**, you will see a confirmation message indicating that the integration is successful:
From here, you can choose one of the following actions:
* **Go to Configure**\
Review or update client configuration settings such as credentials, redirect URLs, and OpenID Connect options.
* **Create another client**\
Create an additional client under the same Integration App (for example, for a different environment).
* **Create another app**\
Start a new Integration App and begin a separate integration journey.
#### Step 8: Additional configuration (optional)
Additional configuration is available in the **Configure** tab on the **Client detail** page.\
This section allows you to manually review and manage client credentials, application URLs, and OpenID Connect–related settings.
**8.1 Client credentials**
The **Client credentials** section provides the information required to configure authentication in your application.
**Client ID**\
A unique identifier for the client, used by your application when interacting with Oten Identity.
**Client secret**\
A confidential credential associated with the client.
**Important**: Client secrets must remain private for confidential client types and must never be exposed publicly or included in frontend code.
***
**8.2 Configure client URIs**
The **Configure client URIs** section defines the URLs used during authentication and API access.
**Redirect URIs**\
A list of allowed callback URLs where users are redirected after successful authentication.\
Entries can be separated by commas or new lines.
Only URLs included in this list are accepted. Any invalid or missing redirect URI will cause authentication to fail.
**Allow origins (CORS)**\
A list of allowed origins permitted to make cross-origin requests to:
* Oten Authentication API
* My Account API
Allowed callback URLs are automatically included in this list.
***
**8.3 OpenID Connect**
The **OpenID Connect** section contains protocol-level configuration options.
**Back-Channel Logout URI**\
A server endpoint that receives logout notifications from Oten Identity to invalidate user sessions when a logout event occurs.
This mechanism operates without browser redirects and enables secure single logout across applications.
Additional OpenID Connect settings are optional and intended for advanced integration scenarios.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://oten.gitbook.io/identity-support/integration/integration-document/idp-integration/regular-web-application-client.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.