SSO
We use OpenID Connect to provide SSO functionality to our partners.
Prerequisites
To use it, you will receive the following data from us:
- client id
- client secret
- public key to validate ID tokens
- an API endpoint
You will need to provide the following information to us:
redirect_uri
- where we should redirect the user after a successful authentication
Scopes
openid
- this scope is required and must always be requested
email
- requesting this scope will add the user's email address to the IDToken claims
name
- requesting this scope will add the user's full name to the IDToken claims (field: name)
IDToken
After the token is requested with the authorization code, we'll return an object with:
access_token
- we purposefully return an already expired token.
id_token
- this token contains the requested information about the user and some required technical fields.
During debugging, the IDToken can be decoded using https://oauth.tools/.
The token must be validated using the provided public key before any of its claims are trusted.
Example
Request authorization code
curl 'https://{HOSTNAME}/oauth2/authorize?client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope=openid%20email%20name'
After the user logs in, they will be redirected to the address you provided, with the code
in the query parameters.
Example: http://{HOSTNAME}/response?code=def50200ae90526362be...e0d13955af59e3b594
Request access token
Use HTTP Basic authorization with the provided credentials.
The credentials must be concatenated with a colon and base64 encoded (base64_encode('{client_id}:{client_secret}')).
Post the code you received in the previous redirect.
curl -X POST http://{HOSTNAME}/oauth2/token \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Authorization: Basic {CREDENTIALS}' \
-d 'grant_type=authorization_code&code={CODE}&redirect_uri={REDIRECT_URI}'
The returned response will contain a JSON object with id_token, which you can decode to receive the user's name and email.