Search
K

OneID SSO Integration (PKCE)

OneID's Identity and Access Management (IAM) solution uses PKCE (Proof Key for Code Exchange) method from open standards such as Oauth2 & OpenID Connect to provide authentication and authorization.

Step 1 - Determined the platform

OneID SSO support many type of platform including:
  1. 1.
    Native/Mobile App (Mobile or Desktop app that support web browser web-view)
  2. 2.
    Single-Page App (JavaScript web app that runs in the browser)
  3. 3.
    Regular Web App (Traditional web app that runs on the server)
  4. 4.
    Backend/API (An API or service protected)

Step 2 - Pick the SDK

Select the SDK that match with your project programing language
Language & framework
OIDC Client
Vue
https://github.com/IdentityModel/oidc-client-js
React Native
https://github.com/FormidableLabs/react-native-app-auth
Angular
https://github.com/manfredsteyer/angular-oauth2-oidc
Javascript
https://github.com/openid/AppAuth-JS
Android
https://github.com/openid/AppAuth-Android
IOS & MacOS
https://github.com/openid/AppAuth-iOS
Golang
https://godoc.org/golang.org/x/oauth2
https://github.com/coreos/go-oidc
PHP
https://oauth.net/code/php/
Java
https://github.com/scribejava/scribejava
.NET
https://oauth.net/code/dotnet/
NodeJS
https://github.com/jaredhanson/passport
https://github.com/simov/grant
https://github.com/lelylan/simple-oauth2
RUBY
https://github.com/oauth-xx/oauth2
Python
https://oauth.net/code/python/

Step 3 - Create Client

Contact us to create/register Client: [email protected]
Tenant & Client is the identity of the 3rd party service which use OneID SSO. Required information for registering including:
  1. 1.
    client_id - ID of the 3rd party app
  2. 2.
    client_secret - optional
  3. 3.
    redirect_uris - the redirect url after the process complete
  4. 4.
    owner - owner of the 3rd party app
  5. 5.
    contacts - email of the owner
  6. 6.
    client_name - name of the 3rd party app. This information is required for white label
  7. 7.
    logo_uri - logo of the 3rd party app. This information is required for white label
  8. 8.
    client_uri - home page URL of 3rd party app. This information is required for white label
  9. 9.
    policy_uri - policy page. This information is required for white label
  10. 10.
    tos_uri - term & condition page. This information is required for white label
  11. 11.
    post_logout_redirect_uri - Hyperlink when click on 3rd party app logo image
  12. 12.
    frontchannel_logout_uri - Logout URL for frontent
  13. 13.
    backchannel_logout_uri - Logout URL for backend
  14. 14.
    metadata - json format data which contain additional data such as:
    1. 1.
      background image
    2. 2.
      hotline - phone number
    3. 3.
      support email

Step 4 - Working Flow

Sequence diagram

Make the login button.

Assuming step 2 & 3 is completed.
  1. 1.
    User click the login button on 3rd app
  2. 2.
    SDK it will generate code_verifier and code_challenge (from code_verifier).
  3. 3.
    SDK send authorization_code and code_challenge to /auth endpoint GET https://oauth-qc.vinid.dev/oauth2/auth?client_id={client_id}&redirect_uri={callback_url}&response_type=code&scope={scope}&state={state}&code_challenge={code_challenge}&code_challenge_method=S256
  4. 4.
    OneID redirect to OneID login form
  5. 5.
    User login and consent scope
  6. 6.
    OneID callback authorization_code to 3rd app
  7. 7.
    SDK call /token endpoint with authorization_code and code_verifier
  8. 8.
    OneID validate code_verifier
  9. 9.
    OneID return access_token, id_token & access_token

Get resource with authorization code

10. 3rd party app uses access_token to access resource server (ex: /userinfo endpoint). 11. Resource server return data.
Previous
Extra Data
Next
Auth endpoint
Last modified 2yr ago