# OneID SSO Integration (PKCE)

## Step 1 - Determine the platform

OneID SSO supports many types of platform, including:

1. Native/Mobile App (a mobile or desktop app that supports a web browser or web-view)
2. Single-Page App (a JavaScript web app that runs in the browser)
3. Regular Web App (a traditional web app that runs on the server)
4. Backend/API (an API or service that is protected)

## Step 2 - Pick the SDK

Select the SDK that matches your project's programming language:

| Language & framework | OIDC Client |
| -------------------- | ----------- |
| Vue                  | <https://github.com/IdentityModel/oidc-client-js> |
| React Native         | <https://github.com/FormidableLabs/react-native-app-auth> |
| Angular              | <https://github.com/manfredsteyer/angular-oauth2-oidc> |
| Javascript           | <https://github.com/openid/AppAuth-JS> |
| Android              | <https://github.com/openid/AppAuth-Android> |
| iOS & macOS          | <https://github.com/openid/AppAuth-iOS> |
| Golang               | <https://godoc.org/golang.org/x/oauth2><br><https://github.com/coreos/go-oidc> |
| PHP                  | <https://oauth.net/code/php/> |
| Java                 | <https://github.com/scribejava/scribejava> |
| .NET                 | <https://oauth.net/code/dotnet/> |
| NodeJS               | <https://github.com/jaredhanson/passport><br><https://github.com/simov/grant><br><https://github.com/lelylan/simple-oauth2> |
| Ruby                 | <https://github.com/oauth-xx/oauth2> |
| Python               | <https://oauth.net/code/python/> |

## Step 3 - Create Client

*Contact us to create/register Client: <VUPNA@Onemount.com>*

The tenant and client together are the identity of the 3rd-party service that uses OneID SSO. The information required for registering a client includes:

1. `client_id` - ID of the 3rd-party app
2. `client_secret` - optional
3. `redirect_uris` - the redirect URL(s) used after the login process completes
4. `owner` - owner of the 3rd-party app
5. `contacts` - email of the owner
6. `client_name` - name of the 3rd-party app. *This information is required for white label*
7. `logo_uri` - logo of the 3rd-party app. *This information is required for white label*
8. `client_uri` - home page URL of the 3rd-party app. *This information is required for white label*
9. `policy_uri` - policy page. *This information is required for white label*
10. `tos_uri` - terms & conditions page. *This information is required for white label*
11. `post_logout_redirect_uri` - hyperlink opened when the user clicks the 3rd-party app's logo image
12. `frontchannel_logout_uri` - logout URL for the frontend
13. `backchannel_logout_uri` - logout URL for the backend
14. `metadata` - JSON-format data which contains additional data such as:
    1. background image
    2. hotline - phone number
    3. support email

## Step 4 - Working Flow

![Sequence diagram](https://3090189385-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lstmh2nVxPq6CPXxDwM%2F-MGgA98miNydkRTjabpE%2F-MGgBUD0ZH0ZEK-pdglV%2Fiam_sequence.png?alt=media\&token=ff91f7b8-bc4b-4803-a362-28a0d9dd09f0)

### Make the login button.

Assuming steps 2 & 3 are completed:

1. The user clicks the login button in the 3rd-party app.
2. The SDK generates a `code_verifier` and derives the `code_challenge` from it.
3. The SDK sends the authorization request (`response_type=code`) together with the `code_challenge` to the **/auth** endpoint:\
   `GET https://oauth-qc.vinid.dev/oauth2/auth?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope={scope}&state={state}&code_challenge={code_challenge}&code_challenge_method=S256`
4. OneID redirects to the OneID login form.
5. The user logs in and consents to the requested scope.
6. OneID calls back to the 3rd-party app with the `authorization_code`.
7. The SDK calls the /token endpoint with the `authorization_code` and `code_verifier`.
8. OneID validates the `code_verifier`.
9. OneID returns the `access_token` and `id_token`.

### Get resource with authorization code

10. The 3rd-party app uses the `access_token` to access the resource server (e.g. the **/userinfo** endpoint).
11. The resource server returns the data.
