Connector - OAuth 2.0 - SSO and API
Prerequisites
Be familiar with the concepts of Single Sign-On (SSO) and, more specifically, OAuth2
Know the basics of the HTTP protocol (query parameters, GET / POST, headers)
Know how to use an HTTP client such as cURL or an equivalent browser plugin
Procedure
This document proposes a procedure for integrating SSO (Single Sign-On) for a third-party application using the OAuth 2.0 protocol.
1 - Choose an OAuth2 authentication flow
The Édifice platform offers an OAuth2 server that supports the following flows (aka grant types):
Authorization Code : https://oauth.net/2/grant-types/authorization-code/
Resource Owner Password : https://oauth.net/2/grant-types/password/
The Authorization Code flow is the most commonly used.
2 - Register the client application on the Édifice platform
If you are a publisher or operator of an application, ask Édifice Support to register your application.
From the administration console of the Édifice platform, create an OAuth2 connector.
Fields to configure:
"Identifier" (OAuth2 clientId)
"URL" (Service URL)
"Transmit session" (automatically configures the userinfo scope)
"Scope" (permissions for accessing user data in the external application)
"Authentication Mode" (use "code" for a web application and "password" for a mobile application)
"Code secret" (OAuth2 secret)
Information to provide to the client application publisher:
The URL for retrieving the temporary code : https://domaine.ent/auth/oauth2/code
The URL for retrieving the token : https://domaine.ent/auth/oauth2/token
The URL for retrieving user information : https://domaine.ent/auth/oauth2/userinfo
The clientId (field "Identifier")
The secret (field "Code Secret")
The scope (field "Scope")
Information to retrieve from the client application publisher:
Service URL (to enter in the "URL" field)
3 - Retrieve an OAuth2 access token for your client application
To retrieve a token, follow the procedure corresponding to the chosen grant type:
Authorization Code : https://oauth.net/2/grant-types/authorization-code/
Resource Owner Password : https://oauth.net/2/grant-types/password/
Authorization Code
1 - Retrieve the code used to generate the token
In a browser, enter the address:
https://domaine.ent/auth/oauth2/auth?response_type=code&state=blip&scope=userinfo&client_id=duck&redirect_uri=http://duckduckgo.com
If the user is not logged in, the Édifice platform redirects the browser to the login screen.
If the user is logged in, the Édifice platform redirects them to the service URL with the code as a parameter:
https://www.duckduckgo.com/?code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&state=blip
2 - Retrieve the token
curl -i -X POST -H "Authorization:Basic ZmFxMnNjaWVuY2VzOmZhcTJzY2llbmNlcy1zZWNyZXQ=" -H "Content-Type:application/x-www-form-urlencoded" -H "Accept:application/json; charset=UTF-8" -d "grant_type=authorization_code&code=9ddf3256-7e5d-4708-a121-dfbe5f6dba75&redirect_uri=http%3A%2F%2Fduckduckgo.com" https://domaine.ent/auth/oauth2/token
Upon successful authentication, the OAuth2 server of the organization (ENT) transmits the access token.
Resource Owner Password
1 - Retrieve the token
Upon success, the OAuth2 server of the ENT (Établissement Numérique de Travail) transmits the token.
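The following Python client is an added example, not code from the Édifice platform or from this document. It builds the same requests as the Authorization Code steps above (the browser URL of step 1, the token POST of step 2) and, for the Resource Owner Password flow, the token request in the standard RFC 6749 section 4.3 shape, which this page does not spell out and is therefore an assumption. The client credentials (duck / duck-secret), the state handling and the helper names are placeholders chosen for the example. The security-relevant parts are the ones the curl one-liner hides: the state is random per session and verified on the callback, the redirect_uri sent at the token endpoint is byte-for-byte the one sent at the authorize endpoint, and the client secret only ever travels in the Authorization header of a direct server-to-server POST, never in the browser URL.

```python
import base64
import hmac
import json
import secrets
import urllib.request
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder registration values (assumed, not a real connector).
AUTH_URL = "https://domaine.ent/auth/oauth2/auth"
TOKEN_URL = "https://domaine.ent/auth/oauth2/token"
CLIENT_ID = "duck"
CLIENT_SECRET = "duck-secret"
REDIRECT_URI = "http://duckduckgo.com"


def new_state():
    """Unguessable per-session state; store it server-side before redirecting."""
    return secrets.token_urlsafe(16)


def build_authorize_url(state, scope="userinfo"):
    """Step 1 (Authorization Code): the URL the browser is sent to."""
    params = {
        "response_type": "code",
        "state": state,
        "scope": scope,
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
    }
    return AUTH_URL + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back to the service URL.

    Rejects a missing or mismatched state so a code planted by a third
    party cannot be bound to this user's session (login CSRF)."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not hmac.compare_digest(
        state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the token endpoint: base64('clientId:secret')."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _token_request(form_fields):
    headers = {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json; charset=UTF-8",
    }
    return {"url": TOKEN_URL, "headers": headers, "body": urlencode(form_fields)}


def build_code_token_request(code):
    """Step 2 (Authorization Code): the POST the curl example sends."""
    return _token_request({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the value used in step 1
    })


def build_password_token_request(username, password):
    """Resource Owner Password grant, RFC 6749 section 4.3 shape (assumed)."""
    return _token_request({
        "grant_type": "password",
        "username": username,
        "password": password,
    })


def send_token_request(req):
    """Perform the POST and return the parsed JSON token response (network)."""
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode("ascii"), headers=req["headers"], method="POST"
    )
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state))
    # After the redirect, pass the full callback URL and the stored state to
    # parse_callback(), then send build_code_token_request(code).
```

The body produced by build_code_token_request is exactly the -d string of the curl example, and basic_auth_header yields the same kind of value as its Authorization header (base64 of clientId:secret, so the secret is recoverable by anyone who sees that header; treat the curl line itself as sensitive). For the password grant, the user's credentials pass through your application, which is why the page reserves that mode for mobile clients and the Authorization Code flow is preferred for web applications.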