How to integrate the Next Identity Hosted Journeys profile workflow

Next Identity Hosted Journeys supports self-service account management with the profile screen.

In this journey, a user with an active session can visit the profile screen. On this screen an end user can update any allowed field. They can perform actions such as reset their password or choose the answers to security questions, if the configuration allows.

When the application sends the user to Next Identity Journeys via the /personal-details endpoint and the user already has an active session in the browser, the hosted service displays the personal details page. If the end user does not have an existing browser-based session, the login screen is displayed first, and the personal details page is shown once they have authenticated.

Configuration Options

The profile screen's menu can be customized to your application's requirements. The following menu items can be displayed:

Change Password: Allows the customer to change their password.
Passwordless Authentication: Allows the customer to enable or disable passwordless authentication features such as biometric authentication.
Change Security Question & Answer: Allows the customer to manage their selected security questions and answers.
Two-Step Verification: Allows the customer to enable or disable (if allowed) two-step verification for logins.
Communication Preferences: Allows the customer to manage their communication preferences.
Sign Out: Allows the customer to end the session on their active device.
Sign Out of All Devices: Allows the customer to end their sessions on all devices that have an active session.

Integration

The profile request consists of the base domain, the endpoint (/personal-details) and the query parameters. Available parameters are listed below the example.

https://id.eu.nextreason.com/personal-details?
client_id=kmgzqcems552fk7pq7e3nw74u2wpu4a3
&redirect_uri=https%3A%2F%2Fappauth-js.dev.nextreason.cloud%2Fapp%2Fredirect.html
&response_type=code
&state=SWMsxiZSaa
&scope=openid
&access_type=offline
&nonce=PYaFAdSRRtN3mi08Cc3luAWMPwCxJE9Kkb4c6XTw7WDE717RFi

Required Parameters

The following parameters must be included on every request.

redirect_uri: The URL the user is redirected to after a successful authentication.

Important note: this URL must be added to the allowed list of redirect URLs for your integration. Please reach out to your Next Reason integration consultant to have URLs added to this list.

client_id: The client identifier issued to your application; it identifies the integration making the request.

response_type: Determines the authorization processing flow, including which parameters are returned from the endpoints. The only accepted value is: code.

scope: OpenID Connect requests must contain the openid scope value; if it is absent, the behavior is unspecified. Other scope values may be present. Scope values that the service does not understand are ignored. If no scope value is recognised, the default value openid is used.

Optional Parameters

The following parameters are optional.

prompt: Space-delimited, case-sensitive list of ASCII string values that specifies whether the Authorization Server prompts the end user for reauthentication and consent. The defined values are:

none: The Authorization Server must not display any authentication or consent user interface pages. An error is returned if the user is not already authenticated, if the client does not have pre-configured consent for the requested claims, or if other conditions for processing the request are not met. This can be used to check for existing authentication and/or consent without showing the user any screen.

login: The Authorization Server should prompt the user for reauthentication. If it cannot reauthenticate the user, it must return an error, typically login_required.

state: An opaque value constructed by your application and included in the call to the hosted Next Identity service. It is passed back unchanged to your application when the user is redirected back, and is intended to maintain state between the request and the callback.

Typically an application mitigates Cross-Site Request Forgery (CSRF, XSRF) by cryptographically binding the value of this parameter to a browser cookie. Include it on every call; the hosted service does not interpret the value in any way, it is solely for use by the application.

On the callback, the application checks that the returned state value is the one it issued (or meets its own criteria) before performing the expected actions or user journeys on the application side.
access_type
nonce: String value used to associate a client session with an ID token and to mitigate replay attacks. The value is passed through unmodified from the authentication request to the ID token. The nonce must contain sufficient entropy to prevent attackers from guessing values.