Info

Prerequisites

  • Be familiar with the concepts of Single Sign-On (SSO) and, more specifically, OAuth2

  • Know the basics of HTTP protocols (query parameters, GET / POST, headers)

  • Know how to use an HTTP client such as cURL or an equivalent browser plugin


Procedure

This document proposes a procedure for integrating SSO (Single Sign-On) into a third-party application using the OAuth 2.0 protocol.

1 - Choose an OAuth2 authentication flow

The Édifice platform offers an OAuth2 server that supports the following flows (also known as grant types):

Info

The Authorization Code flow is the most commonly used.

2 - Register the client application on the Édifice platform

Note

If you are the publisher or operator of an application, ask Édifice Support to register your application.

From the administration console of the Édifice platform, create an OAuth2 connector.

Fields to configure:

  • "Identifier" (OAuth2 client_id)

  • "URL" (Service URL)

  • "Transmit session" (automatically configures the userinfo scope)

  • "Scope" (permissions for accessing user data in the external application)

  • "Authentication Mode" (use "code" for a web application and "password" for a mobile application)

  • "Code secret" (OAuth2 client secret)

Information to provide to the client application publisher:

Information to retrieve from the client application publisher:

  • Service URL (to enter in the "URL" field)

3 - Retrieve an OAuth2 access token for your client application

To retrieve a token, follow the procedure corresponding to the chosen grant type:

Authorization Code

1 - Retrieve the code to generate the token

In a browser, enter the address:

Code block
https://domaine.ent/auth/oauth2/auth?response_type=code&state=blip&scope=userinfo&client_id=duck&redirect_uri=http://duckduckgo.com

...

Code block
https://www.duckduckgo.com/?code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&state=blip

2 - Retrieve the token

Code block
curl -i -X POST -H "Authorization:Basic ZmFxMnNjaWVuY2VzOmZhcTJzY2llbmNlcy1zZWNyZXQ=" -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:application/json; charset=UTF-8" -d "grant_type=authorization_code&code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&redirect_uri=http%3A%2F%2Fduckduckgo.com" https://domaine.ent/auth/oauth2/token

Note

To authenticate the OAuth2 client with Basic authentication, pass an Authorization header built according to this convention: "Authorization:Basic encode_base64(client_id:client_secret)".

See: https://datatracker.ietf.org/doc/html/rfc7617

Upon successful authentication, the OAuth2 server of the organization (ENT) transmits the access token.

Code block
HTTP/1.1 200 OK
Content-Type: application/json

{"token_type":"Bearer","access_token":"1413b31c-b240-453a-bc1e-3773cd31adc9","refresh_token":"9e746d64-3fa8-4ff8-88b3-2d8314f56179","expires_in":3600,"scope":"userinfo"}

Resource Owner Password

1 - Retrieve the token

Code block
curl --location --globoff 'https://domaine.ent/auth/oauth2/token' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username={USERNAME}' \
    --data-urlencode 'password={PASSWORD}' \
    --data-urlencode 'scope={SCOPE}' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'client_secret={CLIENT_SECRET}'

Upon success, the OAuth2 server of the ENT (Établissement Numérique de Travail) transmits the token.

Code block
HTTP/1.1 200 OK
Content-Type: application/json

{"token_type":"Bearer","access_token":"1413b31c-b240-453a-bc1e-3773cd31adc9","refresh_token":"9e746d64-3fa8-4ff8-88b3-2d8314f56179","expires_in":3600,"scope":"userinfo"}
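The two flows above, worked end to end as an added example (this is not Édifice's code and does not come from this page): a small Python client that builds the authorization URL with a state value, validates that state on the callback, composes the token request for the authorization_code grant (client credentials in the RFC 7617 Basic header, as in the first curl and the note on Basic authentication) and for the password grant (credentials in the form body, as in the second curl), and parses the JSON token response. A constructed stand-in for the ENT token endpoint performs the server-side checks so the exchange runs offline; the host name, client credentials, user account and token values are all constructed placeholders.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ENT = "https://domaine.ent"   # placeholder host, as on the page
AUTHORIZE_URL, TOKEN_URL = f"{ENT}/auth/oauth2/auth", f"{ENT}/auth/oauth2/token"


def basic_auth_header(client_id, client_secret):
    """RFC 7617 client authentication: 'Basic ' + base64(id ':' secret)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_authorize_url(client_id, redirect_uri, scope="userinfo"):
    """Step 1: returns (url, state); keep state in the user's session."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": scope, "state": state})
    return f"{AUTHORIZE_URL}?{query}", state


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect; refuse a missing or different state."""
    q = parse_qs(urlsplit(callback_url).query)
    state = q.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    return q["code"][0]


def build_token_request(client_id, client_secret, grant):
    """Step 2: Basic header for authorization_code (first curl), body creds for password."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json; charset=UTF-8"}
    body = dict(grant)
    if grant["grant_type"] == "authorization_code":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif grant["grant_type"] == "password":
        body.update(client_id=client_id, client_secret=client_secret)
    else:
        raise ValueError("unsupported grant_type")
    return TOKEN_URL, headers, urlencode(body)


def parse_token_response(status, body):
    """Accept only HTTP 200 with a Bearer token; keep just the fields we use."""
    if status != 200:
        raise RuntimeError(f"token endpoint answered HTTP {status}: {body}")
    tok = json.loads(body)
    if tok.get("token_type") != "Bearer" or "access_token" not in tok:
        raise RuntimeError("malformed token response")
    return {"access_token": tok["access_token"], "refresh_token": tok.get("refresh_token"),
            "expires_in": int(tok["expires_in"]), "scope": tok.get("scope", "")}


# ---- constructed stand-in for the ENT server, so both flows run offline ----
CLIENT = {"id": "duck", "secret": "duck-secret", "redirect_uri": "http://duckduckgo.com"}
USERS = {"alice": "correct horse"}     # constructed resource owner
ISSUED = {}                            # code -> redirect_uri it was issued for


def fake_token_endpoint(headers, form):
    """Server side of step 2: authenticate the client, then validate the grant."""
    f = {k: v[0] for k, v in parse_qs(form).items()}
    presented = headers.get("Authorization") or basic_auth_header(
        f.get("client_id", ""), f.get("client_secret", ""))
    if not secrets.compare_digest(presented.encode(),
                                  basic_auth_header(CLIENT["id"], CLIENT["secret"]).encode()):
        return 401, json.dumps({"error": "invalid_client"})
    if f.get("grant_type") == "authorization_code":
        # single-use code, bound to the redirect_uri it was issued for
        if ISSUED.pop(f.get("code"), None) != f.get("redirect_uri"):
            return 400, json.dumps({"error": "invalid_grant"})
    elif f.get("grant_type") == "password":
        if USERS.get(f.get("username")) != f.get("password"):
            return 400, json.dumps({"error": "invalid_grant"})
    else:
        return 400, json.dumps({"error": "unsupported_grant_type"})
    return 200, json.dumps({"token_type": "Bearer", "access_token": secrets.token_hex(16),
                            "refresh_token": secrets.token_hex(16), "expires_in": 3600,
                            "scope": f.get("scope", "userinfo")})


def run_authorization_code_flow():
    """Client and server end to end for the Authorization Code grant."""
    _auth_url, state = build_authorize_url(CLIENT["id"], CLIENT["redirect_uri"])
    code = secrets.token_hex(8)                      # the user logs in at _auth_url...
    ISSUED[code] = CLIENT["redirect_uri"]            # ...and the server issues a code
    callback = f"{CLIENT['redirect_uri']}/?{urlencode({'code': code, 'state': state})}"
    _, headers, body = build_token_request(CLIENT["id"], CLIENT["secret"], {
        "grant_type": "authorization_code", "code": parse_callback(callback, state),
        "redirect_uri": CLIENT["redirect_uri"]})
    return parse_token_response(*fake_token_endpoint(headers, body))


def run_password_flow(username, password):
    """Resource Owner Password grant: user credentials go to the token endpoint."""
    _, headers, body = build_token_request(CLIENT["id"], CLIENT["secret"], {
        "grant_type": "password", "username": username, "password": password, "scope": "userinfo"})
    return parse_token_response(*fake_token_endpoint(headers, body))
```

Points the curl examples on the page leave implicit: the state value is generated per login attempt and compared in constant time on the callback, the authorization code is single-use and bound to the redirect_uri it was issued for, the client secret is never placed in a URL, and the client keeps only the fields it needs from the token response.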