docs
  1. Authentication & Accounts
  2. Authentication API
  3. Single Sign-on

Single Sign-On

Introduction

SCAYLE's Authentication API offers a unified OAuth 2.0 interface for connecting external Identity Providers (IdPs) using a secure redirect-based flow. This allows tenants to support logins from providers like Google, Facebook, Microsoft, etc., without custom integrations.

Identity Provider can only be configured at a global level. This also applies to customer accounts created across multiple shops. The shop frontend can determine which shops should display Identity Provider buttons for redirect purposes. For more information, please contact your SCAYLE Account Manager.

Indentiy Provider

Our Authentication API offers a single, consistent interface that makes connecting to a wide range of OAuth 2.0-compliant Identity Provider like Google, Facebook, Microsoft, and many others straightforward. Some Identity Provider are available out of the box and only need to be configured. Others are available, but need to be requested through your SCAYLE Account Manager.

Available

These following Identity Provider are available out of the box and are configurable the SCAYLE’s Panel.

Requestable

The following identity providers can be added by SCAYLE upon request. To learn more about extending SCAYLE’s Identity Provider Service, please contact your SCAYLE Account Manager.

Available Identity Providers
  • 37Signals
  • Acclaim
  • Admitad
  • AngelList
  • AppNet
  • Apple
  • ArcGIS
  • Asana
  • Atlassian
  • Auth0
  • Authentik
  • Autodesk APS
  • Aweber
  • Battlenet
  • Binance
  • Bitbucket
  • Bitly
  • Bitrix24
  • Box
  • Buffer
  • CampaignMonitor
  • Cheddar
  • ClaveUnica
  • Cognito
  • Coinbase
  • ConstantContact
  • Coursera
  • Dailymotion
  • Dataporten
  • Deezer
  • Deviantart
  • DigitalOcean
  • Discogs
  • Discord
  • Disqus
  • Douban
  • Dribbble
  • Dropbox
  • Envato
  • Etsy
  • Eventbrite
  • Eveonline
  • EyeEm
  • Fablabs
  • Facebook
  • Fitbit
  • Flattr
  • Flexkids
  • Flickr
  • Foursquare
  • FranceConnect
  • FusionAuth
  • GarminConnect
  • GettyImages
  • GitHub
  • GitLab
  • Gitea
  • Gitee
  • Goodreads
  • Google
  • GovBR
  • Gumroad
  • Harvest
  • HeadHunter
  • Heroku
  • HubSpot
  • Human API
  • IFSP
  • Imgur
  • Instagram
  • Instagram Basic
  • Intercom
  • Kakao
  • Keycloak
  • LaravelPassport
  • Lichess
  • Life Science Login
  • Line
  • LinkedIn
  • MailChimp
  • Mailru
  • MakerLog
  • Mattermost
  • MediaCube
  • Medium
  • Meetup
  • MercadoLibre
  • Microsoft
  • Microsoft Azure
  • Minecraft
  • Mixcloud
  • MoiKrug
  • Mollie
  • Monday
  • Monzo
  • Naver
  • Netlify
  • Notion
  • OAuthgen
  • OSChina
  • OVH
  • Odnoklassniki
  • Okta
  • Patreon
  • PayPal
  • PayPalSandbox
  • Paymill
  • PeeringDB
  • Pinterest
  • Pipedrive
  • Pixnet
  • Planning Center
  • Podio
  • Procore
  • ProductHunt
  • ProjectV
  • Pushbullet
  • QQ
  • QuickBooks
  • Readability
  • Redbooth
  • Reddit
  • RunKeeper
  • SURFconext
  • Sage
  • SalesForce
  • Saml2
  • SciStarter
  • SharePoint
  • Shopify
  • Smashcast
  • Snapchat
  • SoundCloud
  • Spotify
  • StackExchange
  • Starling
  • Steam
  • Steem
  • StockTwits
  • Strava
  • StreamElements
  • Streamlabs
  • Stripe
  • SuperOffice
  • TVShowTime
  • Teamleader
  • Teamweek
  • Telegram
  • TikTok
  • Todoist
  • Trakt
  • Trello
  • Tumblr
  • Twitch
  • Twitter
  • UCL
  • USOS
  • Uber
  • Unsplash
  • Untappd
  • VATSIM
  • VK
  • Venmo
  • Vercel
  • VersionOne
  • Vimeo
  • WHMCS
  • WeChat Service Account
  • WeChat Web
  • Webex
  • Weibo
  • Weixin
  • Weixin Web
  • Withings
  • WordPress
  • Worldcoin
  • Xero
  • Xing
  • Yahoo
  • Yammer
  • Yandex
  • YouTube
  • Zalo
  • Zendesk
  • Zoho
  • Zoom
  • pr0gramm

How it works

User Flow

When a user clicks "Login with SSO" on the Shop site, they are redirected to SCAYLE’s Authentication API, which then forwards them to an external Identity Provider for authentication. Once the user successfully logs in, they are redirected back to the Shop using a predefined callback URL. At this point, the Shop receives an Authorization Code, which it can exchange for access and refresh tokens to authenticate and manage the user session.

Token Management

Token Life Time

Access token TTLs are centrally managed by SCAYLE and automatically synchronized with the expiration of the external Identity Provider's tokens.

TokenFormatDefault Life TimeMin Life TimeMax Life Time
Access tokenJWTsynchronized5 min30 days
Refresh tokenNonesynchronized1 day365 days

Any invalid TTL configuration is rejected with a clear HTTP 401 error. If your application needs to access the external IdP token directly (e.g., for downstream API calls), you can retrieve it securely via SCAYLE’s get-token endpoint.

Refresh Token

When a new access_token is required, the application can send a POST request to the token endpoint /oauth/token using the refresh_token grant type. The system will then provide a new pair of access token and refresh token.

Refer to the Token handling chapter for more information on how to use the Refresh token in a performant and secure way

Revoke Token

SCAYLE provides flexible options for invalidating access tokens issued by Identity Providers (IdPs), supporting both internal and external revocation flows. The behavior is configurable per IDP through flags exposed in the SCAYLE Panel.

For Identity Providers without redirect functionality, SCAYLE enables automatic token revocation on logout.

AreaDescription
Use CaseSuitable for headless or API-only integrations.
Endpoint/logout
Flagis_revoking_token
DescriptionWhen enabled in the SCAYLE Panel, the System will automatically revoke tokens at the Identity Provider level upon logout, with no user redirection

For Identity Providers with redirect functionality, SCAYLE supports manual token revocation via redirection to a predefined URL.

AreaDescription
Use CaseRequired by certain IdPs (e.g., OAuth2/OIDC-compliant services) to ensure proper session termination.
Endpoint/logout/redirect
Flagis_logout_redirect_enabled
DescriptionWhen enabled, the user is redirected to a logout URL managed by the IdP, where the token revocation is handled. This enables scenarios where the user must interact with the IdP's logout page.

Custom Parameter in Redirect URL

When using OIDC login via external identity providers (e.g., Auth0), SCAYLE supports passing custom parameters to control aspects such as token audience and login page localization.

authUrlParameters need to be whitelisted in the SCAYLE Panel before fully functional.

This is achieved by adding key-value pairs to the JWT field authUrlParameters. These parameters are automatically appended as query strings to the final redirect URL sent to the IDP.


Scope of authUrlParameters

  • ✅ Optional: can be omitted entirely
  • ✅ Flexible: supports multiple key-value pairs
  • ✅ Resilient: can be null or undefined without errors
  • ✅ only attach the query parameter when some data are available

Example: JWT Payload

Resulting Redirect URL

Error handling

Error handling in the authentication flow depends on whether the Identity Provider (IDP) follows the OAuth 2.0 / OpenID Connect (OIDC) standard for error propagation

Standard-Compliant IDPs
  • Okta
  • Auth0
  • Google
  • Salesforce
  • On error (e.g., missing parameters, user denial, configuration issues), the user is redirected to /external/callback.
  • Error details are included as query parameters:
    • error (required)
    • error_description (optional)
  • /external/callback reads these parameters.
  • It redirects the user to the original shop URL, extracted from the initial JWT.
  • The error information is passed to the Shop frontend.
  • The Shop frontend displays an appropriate error message to the user.
Non-Compliant IDPs

Apple

Facebook

Klarna

  • If an error occurs during the authorization process, the user may stay on the Identity Provider (IDP)'s page with the error shown directly in the UI.
  • No redirection to the /external/callback endpoint occurs.
  • As a result, the system cannot centrally capture or handle the error.
  • This leads to an inconsistent user experience.
  • It also limits the application's ability to manage and display error messages uniformly.

Limitations

IDPError ScenarioRedirects to Callback?Example Behavior
FacebookLogin cancelled✅ YesRedirects with error=access_denied
Wrong client URL❌ NoStays on FB, no callback triggered
Invalid/missing permissions⚠️ SometimesInconsistent handling
AppleWrong client, scope, or redirect URL❌ NoDisplays error in Apple UI
KlarnaWrong scope✅ YesRedirects with error=invalid_scope
Wrong client or redirect URL❌ NoNo callback triggere

PKCE

Overview

PKCE (Proof Key for Code Exchange) adds an optional but strong security layer to the OAuth 2.1 Authorization Code flow by requiring a dynamically generated secret (code_verifier) from the client when exchanging the authorization code for a token.

At SCAYLE, PKCE validation is triggered automatically if code_challenge and code_challenge_method are provided as part of the JWT in the initial redirect request. No additional configuration or OAuth client changes are required to utilize PKCE.

The implementation follows the specifications of RFC 7636.

PKCE Flow

1
Generate PKCE Paramters
  • code_verifier — Random string (43–128 characters)
  • code_challenge — Base64URL-encoded SHA256 hash of the code_verifier (S256)
  • code_challenge_methodS256
  • 2
    Embed into JWT
    Add code_challenge and code_challenge_method to the JWT before calling the IDP /redirect
    3
    System Embeds KCE Data
    PKCE parameters are stored inside the encrypted authorization code returned after IDP login.
    4
    Token Exchange
    Send the original code_verifier when exchanging the authorization code for tokens via the /token endpoint.
    5
    System Validation
    If PKCE data was present in /redirect, the request will fail without a valid code_verifier.

    Validation & Errors

    Validation

    RFC 7636 defines two methods to derive a code_challenge from a code_verifier:

    MethodDescriptionSecurity
    S256Hashes the ASCII-encoded code_verifier using SHA-256, then Base64URL-encodes the result.Strong protection against interception; recommended and mandatory for servers.
    plainUses the code_verifier as-is.Weak; exposes the verifier if intercepted and cannot be used.

    Best Practice: Always use S256.

    Errors

    Status codeDescription
    402
    • Pre-validation error (wrong format, unsupported method)
    422
    • Custom validation error (invalid/missing PKCE fields)