Single Sign-On

Introduction

SCAYLE's Authentication API offers a unified OAuth 2.0 interface for connecting external Identity Providers (IdPs) using a secure redirect-based flow. This allows tenants to support logins from providers like Google, Facebook, Microsoft, etc., without custom integrations.

Identity Provider can only be configured at a global level. This also applies to customer accounts created across multiple shops. The shop frontend can determine which shops should display Identity Provider buttons for redirect purposes. For more information, please contact your SCAYLE Account Manager.

Indentiy Provider

Our Authentication API offers a single, consistent interface that makes connecting to a wide range of OAuth 2.0-compliant Identity Provider like Google, Facebook, Microsoft, and many others straightforward. Some Identity Provider are available out of the box and only need to be configured. Others are available, but need to be requested through your SCAYLE Account Manager.

Available

These following Identity Provider are available out of the box and are configurable the SCAYLE’s Panel.

Identity Provider	Developer Documentation Link
Google	Google Identity Platform Docs
Facebook	Facebook Login for Developers
Apple	Sign in with Apple Documentation
Auth0	Auth0 Documentation
Keycloak	Keycloak Documentation
Okta	Okta Developer Docs
Klarna	Klarna Identity & Authentication API

Requestable

The following identity providers can be added by SCAYLE upon request. To learn more about extending SCAYLE’s Identity Provider Service, please contact your SCAYLE Account Manager.

Available Identity Providers

37Signals
Acclaim
Admitad
AngelList
AppNet
Apple
ArcGIS
Asana
Atlassian
Auth0
Authentik
Autodesk APS
Aweber
Battlenet
Binance
Bitbucket
Bitly
Bitrix24
Box
Buffer
CampaignMonitor
Cheddar
ClaveUnica
Cognito
Coinbase
ConstantContact
Coursera
Dailymotion
Dataporten
Deezer
Deviantart
DigitalOcean
Discogs
Discord
Disqus
Douban
Dribbble
Dropbox
Envato
Etsy
Eventbrite
Eveonline
EyeEm
Fablabs
Facebook
Fitbit
Flattr
Flexkids
Flickr
Foursquare
FranceConnect
FusionAuth
GarminConnect
GettyImages
GitHub
GitLab
Gitea
Gitee
Goodreads
Google
GovBR
Gumroad
Harvest
HeadHunter
Heroku
HubSpot
Human API
IFSP
Imgur
Instagram
Instagram Basic
Intercom
Kakao
Keycloak
LaravelPassport
Lichess
Life Science Login
Line
LinkedIn
MailChimp
Mailru
MakerLog
Mattermost
MediaCube
Medium
Meetup
MercadoLibre
Microsoft
Microsoft Azure
Minecraft
Mixcloud
MoiKrug
Mollie
Monday
Monzo
Naver
Netlify
Notion
OAuthgen
OSChina
OVH
Odnoklassniki
Okta
Patreon
PayPal
PayPalSandbox
Paymill
PeeringDB
Pinterest
Pipedrive
Pixnet
Planning Center
Podio
Procore
ProductHunt
ProjectV
Pushbullet
QQ
QuickBooks
Readability
Redbooth
Reddit
RunKeeper
SURFconext
Sage
SalesForce
Saml2
SciStarter
SharePoint
Shopify
Smashcast
Snapchat
SoundCloud
Spotify
StackExchange
Starling
Steam
Steem
StockTwits
Strava
StreamElements
Streamlabs
Stripe
SuperOffice
TVShowTime
Teamleader
Teamweek
Telegram
TikTok
Todoist
Trakt
Trello
Tumblr
Twitch
Twitter
UCL
USOS
Uber
Unsplash
Untappd
VATSIM
VK
Venmo
Vercel
VersionOne
Vimeo
WHMCS
WeChat Service Account
WeChat Web
Webex
Weibo
Weixin
Weixin Web
Withings
WordPress
Worldcoin
Xero
Xing
Yahoo
Yammer
Yandex
YouTube
Zalo
Zendesk
Zoho
Zoom
pr0gramm

How it works

User Flow

When a user clicks "Login with SSO" on the Shop site, they are redirected to SCAYLE’s Authentication API, which then forwards them to an external Identity Provider for authentication. Once the user successfully logs in, they are redirected back to the Shop using a predefined callback URL. At this point, the Shop receives an Authorization Code, which it can exchange for access and refresh tokens to authenticate and manage the user session.

Token Management

Token Life Time

Access token TTLs are centrally managed by SCAYLE and automatically synchronized with the expiration of the external Identity Provider's tokens.

Token	Format	Default Life Time	Min Life Time	Max Life Time
Access token	JWT	synchronized	5 min	30 days
Refresh token	None	synchronized	1 day	365 days

Any invalid TTL configuration is rejected with a clear HTTP 401 error. If your application needs to access the external IdP token directly (e.g., for downstream API calls), you can retrieve it securely via SCAYLE’s get-token endpoint.

Refresh Token

When a new access_token is required, the application can send a POST request to the token endpoint /oauth/token using the refresh_token grant type. The system will then provide a new pair of access token and refresh token.

Refer to the Token handling chapter for more information on how to use the Refresh token in a performant and secure way

Revoke Token

SCAYLE provides flexible options for invalidating access tokens issued by Identity Providers (IdPs), supporting both internal and external revocation flows. The behavior is configurable per IDP through flags exposed in the SCAYLE Panel.

For Identity Providers without redirect functionality, SCAYLE enables automatic token revocation on logout.

Area	Description
Use Case	Suitable for headless or API-only integrations.
Endpoint	`/logout`
Flag	`is_revoking_token`
Description	When enabled in the SCAYLE Panel, the System will automatically revoke tokens at the Identity Provider level upon logout, with no user redirection

For Identity Providers with redirect functionality, SCAYLE supports manual token revocation via redirection to a predefined URL.

Area	Description
Use Case	Required by certain IdPs (e.g., OAuth2/OIDC-compliant services) to ensure proper session termination.
Endpoint	`/logout/redirect`
Flag	`is_logout_redirect_enabled`
Description	When enabled, the user is redirected to a logout URL managed by the IdP, where the token revocation is handled. This enables scenarios where the user must interact with the IdP's logout page.

Custom Parameter in Redirect URL

When using OIDC login via external identity providers (e.g., Auth0), SCAYLE supports passing custom parameters to control aspects such as token audience and login page localization.

authUrlParameters need to be whitelisted in the SCAYLE Panel before fully functional.

This is achieved by adding key-value pairs to the JWT field authUrlParameters. These parameters are automatically appended as query strings to the final redirect URL sent to the IDP.

Scope of authUrlParameters

✅ Optional: can be omitted entirely
✅ Flexible: supports multiple key-value pairs
✅ Resilient: can be null or undefined without errors
✅ only attach the query parameter when some data are available

Example: JWT Payload

{
  "callbackUrl": "https://www.scayle.com/login",
  "idpKey": "Auth0",
  "clientId": "1",
  "authUrlParameters": {
    "audience": "customer.ciam-qa.scayle.com",
    "ui_locales": "de-CH"
  },
  "iat": 1730217060,
  "exp": 1730217960
}

Resulting Redirect URL

https://dev-dn6p4t6xld5vdz4k.us.auth0.com/u/login?
  state={{state_content}}&
  audience=customer.ciam-qa.scayle.com&
  ui_locales=de-CH

Error handling

Error handling in the authentication flow depends on whether the Identity Provider (IDP) follows the OAuth 2.0 / OpenID Connect (OIDC) standard for error propagation


Standard-Compliant IDPs	Okta Auth0 Google Salesforce	On error (e.g., missing parameters, user denial, configuration issues), the user is redirected to /external/callback. Error details are included as query parameters: error (required) error_description (optional) /external/callback reads these parameters. It redirects the user to the original shop URL, extracted from the initial JWT. The error information is passed to the Shop frontend. The Shop frontend displays an appropriate error message to the user.
Non-Compliant IDPs	Apple Facebook Klarna	If an error occurs during the authorization process, the user may stay on the Identity Provider (IDP)'s page with the error shown directly in the UI. No redirection to the /external/callback endpoint occurs. As a result, the system cannot centrally capture or handle the error. This leads to an inconsistent user experience. It also limits the application's ability to manage and display error messages uniformly.

Standard-Compliant IDPs

Okta
Auth0
Google
Salesforce

On error (e.g., missing parameters, user denial, configuration issues), the user is redirected to /external/callback.
Error details are included as query parameters:
- error (required)
- error_description (optional)
/external/callback reads these parameters.
It redirects the user to the original shop URL, extracted from the initial JWT.
The error information is passed to the Shop frontend.
The Shop frontend displays an appropriate error message to the user.

Non-Compliant IDPs

Apple

Facebook

Klarna

If an error occurs during the authorization process, the user may stay on the Identity Provider (IDP)'s page with the error shown directly in the UI.
No redirection to the /external/callback endpoint occurs.
As a result, the system cannot centrally capture or handle the error.
This leads to an inconsistent user experience.
It also limits the application's ability to manage and display error messages uniformly.

Limitations

IDP	Error Scenario	Redirects to Callback?	Example Behavior
Facebook	Login cancelled	✅ Yes	Redirects with error=access_denied
Wrong client URL	❌ No	Stays on FB, no callback triggered
Invalid/missing permissions	⚠️ Sometimes	Inconsistent handling
Apple	Wrong client, scope, or redirect URL	❌ No	Displays error in Apple UI
Klarna	Wrong scope	✅ Yes	Redirects with error=invalid_scope
Wrong client or redirect URL	❌ No	No callback triggere