
Prerequisites

  • Be familiar with the concepts of Single Sign-On (SSO) and, more specifically, OAuth2

  • Know the basics of the HTTP protocol (query parameters, GET / POST, headers)

  • Know how to use an HTTP client such as cURL or an equivalent browser plugin

Procedure

This document proposes a procedure for integrating SSO (Single Sign-On) for a third-party application using the OAuth 2.0 protocol.

1 - Choose an OAuth2 authentication flow

The Édifice platform offers an OAuth2 server that supports the following flows (aka grant types):

The Authorization Code flow is the most commonly used.

2 - Register the client application on the Édifice platform

If you are the publisher or operator of an application, ask Support Édifice to register your application.

From the administration console of the Édifice platform, create an OAuth2 connector.

Fields to configure:

  • "Identifier" (OAuth2 clientId)

  • "URL" (target service URL)

  • "Transmit session" (automatically configures the userinfo scope)

  • "Scope" (permissions for accessing user data in the external application)

  • "Authentication Mode" (use "code" for a web application and "password" for a mobile application)

  • "Code secret" (OAuth2 secret)

Information to provide to the client application publisher:

Information to retrieve from the client application publisher:

  • Service URL (to enter in the "URL" field)

3 - Retrieve an OAuth2 access token for your client application

To retrieve a token, follow the procedure corresponding to the chosen grant type:

Authorization Code

1 - Retrieve the code used to generate the token

In a browser, enter the address:

https://domaine.ent/auth/oauth2/auth?response_type=code&state=blip&scope=userinfo&client_id=duck&redirect_uri=http://duckduckgo.com

  • If the user is not logged in, the Édifice platform redirects the browser to the login screen.

  • If the user is logged in, the Édifice platform redirects them to the service URL with the code as a parameter:

https://www.duckduckgo.com/?code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&state=blip

2 - Retrieve the token

curl -i -X POST -H "Authorization:Basic ZmFxMnNjaWVuY2VzOmZhcTJzY2llbmNlcy1zZWNyZXQ=" -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:application/json; charset=UTF-8" -d "grant_type=authorization_code&code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&redirect_uri=http%3A%2F%2Fduckduckgo.com" https://domaine.ent/auth/oauth2/token

To authenticate the OAuth2 client using Basic authentication, pass an Authorization header built according to this convention: "Authorization:Basic encode_base64(client_id:client_secret)".

See: https://datatracker.ietf.org/doc/html/rfc7617

Upon successful authentication, the OAuth2 server of the organization (ENT) transmits the access token.

HTTP/1.1 200 OK
Content-Type: application/json

{"token_type":"Bearer","access_token":"1413b31c-b240-453a-bc1e-3773cd31adc9","refresh_token":"9e746d64-3fa8-4ff8-88b3-2d8314f56179","expires_in":3600,"scope":"userinfo"}
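Steps 1 and 2 above, as an added Python example that is not part of the Édifice documentation: it builds the authorization URL, checks the state on the redirect before accepting the code, and assembles the token request with the RFC 7617 Basic header (the header in the curl command above decodes to client_id faq2sciences and secret faq2sciences-secret, reused here as sample values). Nothing is sent over the network; the returned headers and body are what an HTTP client would POST.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints as named on this page; "domaine.ent" stands for the platform's real host.
AUTH_ENDPOINT = "https://domaine.ent/auth/oauth2/auth"
TOKEN_ENDPOINT = "https://domaine.ent/auth/oauth2/token"


def build_authorize_url(client_id, redirect_uri, scope="userinfo", state=None):
    """Step 1: the address the browser is sent to. The client keeps `state`
    in its own session so it can recognise the redirect that comes back."""
    state = state or secrets.token_urlsafe(16)
    params = {"response_type": "code", "state": state, "scope": scope,
              "client_id": client_id, "redirect_uri": redirect_uri}
    return f"{AUTH_ENDPOINT}?{urlencode(params)}", state


def extract_code(redirect_url, expected_state):
    """Parse the redirect to the service URL (?code=...&state=...).
    A state that differs from the one issued is rejected: that redirect
    was not started by this client session."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries no authorization code")
    return code


def basic_auth_header(client_id, client_secret):
    """RFC 7617 client authentication: Basic base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(code, redirect_uri, client_id, client_secret):
    """Step 2: headers and form body of the POST to the token endpoint.
    redirect_uri must be the same value that was sent in step 1."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json; charset=UTF-8",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return TOKEN_ENDPOINT, headers, body
```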

Resource Owner Password

1 - Retrieve the token

curl --location --globoff 'https://domaine.ent/auth/oauth2/token' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'username={USERNAME}' \
    --data-urlencode 'password={PASSWORD}' \
    --data-urlencode 'scope={SCOPE}' \
    --data-urlencode 'client_id={CLIENT_ID}' \
    --data-urlencode 'client_secret={CLIENT_SECRET}'

Upon success, the OAuth2 server of the ENT (Établissement Numérique de Travail) transmits the token.

HTTP/1.1 200 OK
Content-Type: application/json

{"token_type":"Bearer","access_token":"1413b31c-b240-453a-bc1e-3773cd31adc9","refresh_token":"9e746d64-3fa8-4ff8-88b3-2d8314f56179","expires_in":3600,"scope":"userinfo"}