Tech & integration
OAuth 2.0 / OIDC
Authentication and authorisation standards. OAuth 2.0 handles delegated access; OpenID Connect (OIDC) adds identity on top. The standard plumbing between a publisher's reader account system and a comment system.
OAuth 2.0 is the standard for delegated authorisation. OpenID Connect (OIDC) is the identity layer built on top of it. Together, they are the modern way for a comment system to plug into a publisher's existing reader account / paywall system.
The flow, in plain terms
- A reader clicks “Comment” in the Logora widget.
- Logora redirects to your IdP (Auth0, Okta, your custom server) with an OAuth authorize request.
- The reader authenticates (or is recognised via an active session).
- Your IdP returns an authorisation code.
- Logora exchanges the code for an access token + ID token (OIDC).
- Logora validates the ID token (signature and claims: issuer, audience, expiry, nonce), extracts the reader identity and attaches the comment to that account.
The whole flow is invisible to the reader if they’re already logged in to your site.
What Logora supports
- OAuth 2.0 Authorization Code flow with PKCE (recommended).
- OpenID Connect for identity claims.
- JWT access tokens with strict algorithm validation (RS256, ES256).
- Backchannel logout (added April 2026): when the reader logs out of your main site, Logora is notified server-side, so no stale session lingers in the comment widget.
- Refresh tokens for long-lived sessions.
Common edge cases
- Token expiry mid-debate: configure refresh tokens, or set the session expiry to match reading patterns (15-30 min).
- Multi-outlet groups: multi-tenant OAuth client configuration, one IdP serving multiple Logora deployments (Ringier, Mediahuis, Funke).
- Custom claims: pass subscription tier, paywall level or gamification points from your IdP into the comment widget to gate premium features.
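The flow above and the edge cases above, as one added Go example (it is not Logora's code and not taken from this page): the PKCE verifier/challenge pair, the authorize request of step 2 carrying state and nonce, and the step 6 validation with a strict algorithm allowlist, which refuses `alg: none` and HS256 key-confusion tokens before any signature work, checks iss/aud/nonce, and returns `ErrExpired` for the mid-debate expiry case so the caller can trigger a refresh. The issuer `https://idp.example`, the client id `logora-widget`, the custom claim name `subscription_tier` and the in-process signing key (`idpKey`, a stand-in for the IdP's JWKS) are assumptions made so the example runs offline; `aud` is modelled as a single string, and only ES256 is verified here (RS256 would use `rsa.VerifyPKCS1v15` over the same signing input).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// PKCE (RFC 7636): the widget keeps the random verifier; only its SHA-256 travels to the IdP.
func newPKCE() (verifier, challenge string) {
	raw := make([]byte, 32)
	rand.Read(raw)
	verifier = b64.EncodeToString(raw)
	sum := sha256.Sum256([]byte(verifier))
	return verifier, b64.EncodeToString(sum[:])
}

// authorizeURL builds the step 2 redirect; state ties the callback to this browser session, nonce is echoed in the ID token.
func authorizeURL(idp, clientID, redirect, state, nonce, challenge string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirect},
		"scope": {"openid profile"}, "state": {state}, "nonce": {nonce},
		"code_challenge": {challenge}, "code_challenge_method": {"S256"}}
	return idp + "/authorize?" + q.Encode()
}

// Claims the widget uses. aud is modelled as one string (OIDC also allows an array); subscription_tier is an assumed custom-claim name.
type Claims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Nonce string `json:"nonce"`
	Tier  string `json:"subscription_tier,omitempty"`
}

var ErrExpired = errors.New("id token expired: refresh the session")

// validateIDToken is step 6 with strict algorithm checking: alg is compared with the allowlist before any signature
// work, so "none" and HS256 key-confusion tokens are refused outright. Demo accepts ES256 only (RS256: rsa.VerifyPKCS1v15).
func validateIDToken(tok string, pub *ecdsa.PublicKey, iss, aud, nonce string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("alg %q not allowed", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // JWS ES256 is raw r||s, 32 bytes each on P-256
		return nil, errors.New("bad signature encoding")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, h[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims
	if pb, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != iss || c.Aud != aud || c.Nonce != nonce {
		return nil, errors.New("iss, aud or nonce mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return &c, ErrExpired // claims are returned too, so the caller can decide to refresh
	}
	return &c, nil
}

// idpKey and mintIDToken stand in for the IdP so the example runs offline; a real widget fetches public keys from the IdP's JWKS.
var idpKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

func mintIDToken(priv *ecdsa.PrivateKey, c Claims) string {
	hb, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pb, _ := json.Marshal(c)
	signing := b64.EncodeToString(hb) + "." + b64.EncodeToString(pb)
	h := sha256.Sum256([]byte(signing))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, h[:])
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signing + "." + b64.EncodeToString(sig)
}

func main() {
	good := Claims{Iss: "https://idp.example", Sub: "reader-42", Aud: "logora-widget", Exp: time.Now().Add(15 * time.Minute).Unix(), Nonce: "n-1", Tier: "premium"}
	c, err := validateIDToken(mintIDToken(idpKey, good), &idpKey.PublicKey, "https://idp.example", "logora-widget", "n-1", time.Now())
	fmt.Println(c.Sub, c.Tier == "premium", err) // premium gating on the custom claim
}
```

The order of checks in `validateIDToken` is the point: the algorithm allowlist runs first, the signature is verified over the exact header and payload bytes received, and only then are the claims trusted. Returning the parsed claims alongside `ErrExpired` lets the widget decide between a silent refresh-token exchange and a re-login without a second parse; a production widget would also allow a few seconds of clock skew on `exp` and verify the ID token's `kid` against the IdP's JWKS.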
See SSO for the broader concept and JWT for the token format.