OneID SSO Integration (PKCE)

OneID's Identity and Access Management (IAM) solution uses PKCE (Proof Key for Code Exchange) method from open standards such as Oauth2 & OpenID Connect to provide authentication and authorization.

Step 1 - Determined the platform

OneID SSO support many type of platform including:

  1. Native/Mobile App (Mobile or Desktop app that support web browser web-view)

  2. Single-Page App (JavaScript web app that runs in the browser)

  3. Regular Web App (Traditional web app that runs on the server)

  4. Backend/API (An API or service protected)

Step 2 - Pick the SDK

Select the SDK that match with your project programing language

Language & framework

OIDC Client

Vue

https://github.com/IdentityModel/oidc-client-js

React Native

https://github.com/FormidableLabs/react-native-app-auth

Angular

https://github.com/manfredsteyer/angular-oauth2-oidc

Javascript

https://github.com/openid/AppAuth-JS

Android

https://github.com/openid/AppAuth-Android

IOS & MacOS

https://github.com/openid/AppAuth-iOS

Golang

https://godoc.org/golang.org/x/oauth2 https://github.com/coreos/go-oidc

PHP

https://oauth.net/code/php/

Java

https://github.com/scribejava/scribejava

.NET

https://oauth.net/code/dotnet/

NodeJS

https://github.com/jaredhanson/passport https://github.com/simov/grant https://github.com/lelylan/simple-oauth2

RUBY

https://github.com/oauth-xx/oauth2

Python

https://oauth.net/code/python/

Step 3 - Create Client

Contact us to create/register Client: [email protected]

Tenant & Client is the identity of the 3rd party service which use OneID SSO. Required information for registering including:

  1. client_id - ID of the 3rd party app

  2. client_secret - optional

  3. redirect_uris - the redirect url after the process complete

  4. owner - owner of the 3rd party app

  5. contacts - email of the owner

  6. client_name - name of the 3rd party app. This information is required for white label

  7. logo_uri - logo of the 3rd party app. This information is required for white label

  8. client_uri - home page URL of 3rd party app. This information is required for white label

  9. policy_uri - policy page. This information is required for white label

  10. tos_uri - term & condition page. This information is required for white label

  11. post_logout_redirect_uri - Hyperlink when click on 3rd party app logo image

  12. frontchannel_logout_uri - Logout URL for frontent

  13. backchannel_logout_uri - Logout URL for backend

  14. metadata - json format data which contain additional data such as:

    1. background image

    2. hotline - phone number

    3. support email

Step 4 - Working Flow

Sequence diagram

Make the login button.

Assuming step 2 & 3 is completed.

  1. User click the login button on 3rd app

  2. SDK it will generate code_verifier and code_challenge (from code_verifier).

  3. SDK send authorization_code and code_challenge to /auth endpoint GET https://oauth-qc.vinid.dev/oauth2/auth?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope={scope}&state={state}&code_challenge={code_challenge}&code_challenge_method=S256

  4. OneID redirect to OneID login form

  5. User login and consent scope

  6. OneID callback authorization_code to 3rd app

  7. SDK call /token endpoint with authorization_code and code_verifier

  8. OneID validate code_verifier

  9. OneID return access_token, id_token & access_token

Get resource with authorization code

10. 3rd party app uses access_token to access resource server (ex: /userinfo endpoint). 11. Resource server return data.

PreviousExtra DataNextAuth endpoint

Last updated

Was this helpful?