External identiy providers
Overview
Checkout Authentication API (Authentication API) presents a unified interface that seamlessly integrates OAuth 2.0 providers through a redirect chain mechanism. This approach ensures a streamlined and secure authentication flow from your shop, through Authentication API, to various external identity providers (IDP).
By adopting Authentication API, you're not just simplifying authentication; you're embracing an architecture that optimizes security and user experience. This redirect chain method facilitates the authentication process, enhancing your shop's ability to utilize OAuth 2.0 providers without the complexity of individual integrations.
We're committed to supporting you as you navigate the integration of Authentication API into your systems. Our dedicated support team is available to provide guidance, troubleshoot issues, and ensure a seamless implementation experience.
Configuration
How to add external identity providers for your authentication flow:
- SCAYLE configuration.
- Identity provider configuration.
SCAYLE configuration
In order to add an external identity provider (IDP), you will need to collect the following information:
key | an identifier code for this configuration |
---|---|
client_id | the client-id which the Authentication API should use when communicating with the provider |
client_secret | the client-secret which the Authentication API should use when communicating with the provider |
idp_base_url | the provider base url used for redirects andAPI calls, beginning with https:// , no trailing slash |
scopes | a list of scopes, which should be requested when logging in a user (optional) |
reference_key_mapping_key | name of the field which should be used to fetch a referenceKey per user (optional) |
SCAYLE will activate this feature for you with the provided configuration. Please contact your SCAYLE Account Manager for further information.
Identity provider configuration
When setting up the identity provider, you usually will have the option to configure allowed callback endpoints.
Before you start
Add the following URLs to the list of allowed endpoints:
- Login:
https://{{tenant-space}}.auth.scayle.cloud/v1/auth/external/callback
- Logout:
https://{{tenant-space}}.auth.scayle.cloud/v1/auth/logout/callback
The Authentication API requires access to:
- Authorization Code
- Refresh Token
If your provider does not offer configurations for this, you can safely ignore this part.
Providers
Authentication API is designed to seamlessly integrate with numerous identity providers that adhere to the OAuth 2.0 protocol. This means that your shop can effortlessly connect to a wide array of OAuth 2.0-compatible identity providers through Auth Api's unified interface. Whether it's Google, Facebook, Microsoft, or various other OAuth 2.0-compliant services, Authentication API provides a centralized authentication solution that bridges your shop with a diverse range of identity providers, simplifying the integration process while ensuring security and flexibility.
Providers you can integrate
- 37Signals
- Acclaim
- Admitad
- AngelList
- AppNet
- Apple
- ArcGIS
- Asana
- Atlassian
- Auth0
- Authentik
- Autodesk APS
- Aweber
- Battlenet
- Binance
- Bitbucket
- Bitly
- Bitrix24
- Box
- Buffer
- CampaignMonitor
- Cheddar
- ClaveUnica
- Cognito
- Coinbase
- ConstantContact
- Coursera
- Dailymotion
- Dataporten
- Deezer
- Deviantart
- DigitalOcean
- Discogs
- Discord
- Disqus
- Douban
- Dribbble
- Dropbox
- Envato
- Etsy
- Eventbrite
- Eveonline
- EyeEm
- Fablabs
- Fitbit
- Flattr
- Flexkids
- Flickr
- Foursquare
- FranceConnect
- FusionAuth
- GarminConnect
- GettyImages
- GitHub
- GitLab
- Gitea
- Gitee
- Goodreads
- GovBR
- Gumroad
- Harvest
- HeadHunter
- Heroku
- HubSpot
- Human API
- IFSP
- Imgur
- Instagram Basic
- Intercom
- Kakao
- Keycloak
- LaravelPassport
- Lichess
- Life Science Login
- Line
- MailChimp
- Mailru
- MakerLog
- Mattermost
- MediaCube
- Medium
- Meetup
- MercadoLibre
- Microsoft
- Microsoft Azure
- Minecraft
- Mixcloud
- MoiKrug
- Mollie
- Monday
- Monzo
- Naver
- Netlify
- Notion
- OAuthgen
- OSChina
- OVH
- Odnoklassniki
- Okta
- Patreon
- PayPal
- PayPalSandbox
- Paymill
- PeeringDB
- Pipedrive
- Pixnet
- Planning Center
- Podio
- Procore
- ProductHunt
- ProjectV
- Pushbullet
- QuickBooks
- Readability
- Redbooth
- RunKeeper
- SURFconext
- Sage
- SalesForce
- Saml2
- SciStarter
- SharePoint
- Shopify
- Smashcast
- Snapchat
- SoundCloud
- Spotify
- StackExchange
- Starling
- Steam
- Steem
- StockTwits
- Strava
- StreamElements
- Streamlabs
- Stripe
- SuperOffice
- TVShowTime
- Teamleader
- Teamweek
- Telegram
- TikTok
- Todoist
- Trakt
- Trello
- Tumblr
- Twitch
- UCL
- USOS
- Uber
- Unsplash
- Untappd
- VATSIM
- VK
- Venmo
- Vercel
- VersionOne
- Vimeo
- WHMCS
- WeChat Service Account
- WeChat Web
- Webex
- Weixin
- Weixin Web
- Withings
- WordPress
- Worldcoin
- Xero
- Yahoo
- Yammer
- Yandex
- YouTube
- Zalo
- Zendesk
- Zoho
- Zoom
- pr0gramm
IDP Login
See how to build your login flow with external identity providers
The login flow consists of following steps:
- Redirect the user via the Authentication API to the Identity provider.
- Store the IDP access tokens safely together with the Authentication API access tokens.
- Create an Authentication API access token, linked to the IDP access token.
- Redirect the user to a given
callbackUrl
on the shop. - Create access token.
1) Redirect the user via the Authentication API to the Identity provider
Generate a link to the redirect endpoint, including the shopId
and a JWT containing the callbackUrl
and idpKey
. The Authentication API will validate the JWT signature using the shopSecret
. Upon successful validation, Authentication API redirects the user to the specified IDP with a 302 Redirect status code.
You can either generate a link, pointing to the Authentication API directly, or you can also provide your own 302 redirect flow upfront, if necessary.
Example:
<a href="https://{{tenant-space}}.auth.scayle.cloud/v1/auth/external/redirect?shopId=...&jwt=...">
IDP Login
</a>
The JWT payload needs to contain the callbackUrl
, the idpKey
and the oAuth clientId
. See examples below.
Generate the JWT
const jwt = require('jsonwebtoken');
const payload = {
callbackUrl: 'https://localhost:8080/account-area',
idpKey: yourCustomIdpIdentifierCode,
clientId: clientId,
iat: Math.floor(Date.now() / 1000), // Current timestamp in seconds
exp: Math.floor(Date.now() / 1000) + (15 * 60) // Expiry: Current time + 15 minutes in seconds
};
const secret = 'yourShopSecretKey';
const token = jwt.sign(payload, secret, { algorithm: 'HS256' });
yourCustomIdpIdentifierCode
needs to be replaced with the key
which was used for the identity provider configuration.
clientId
needs to be replaced with the client-id you have from the initial api client setup.
Refer to the API Specification for further details on Get identity provider callback endpoint.
2) Redirect to the IDP
According to the configuration of the used IDP, the user will be redirected to the IDP Login-Site.
3) Callback to the Authentication API
Once the user authentication was successfully done, the idp redirects the user back to the Authentication API, which will then store the IDP access- and refresh- tokens and create a AuthCode for the shop in order to link them later to a usual Authentication API accessToken
.
4) Redirect the user to a given callbackUrl
on the shop
The user will be redirect back to your callbackUrl
, which you initially defined in the JWT.
The callbackUrl
will be extended with additional parameters:
code
- an oauth2 authorization code which you will need to fetch the access- and refresh- tokens of the ongoing authentication flow.state
- contains the original JWT payload (encoded, see below how to decode).
Decode the callbackUrl parameters
When the redirect to your callbackUrl
happens, you will need to fetch the authCode
from the request parameters and use it in the next step.
const queryString = require('querystring');
const authCode = req.query.code || '';
const state = req.query.state ? JSON.parse(Buffer.from(req.query.state, 'base64').toString()) : {};
5) Access token creation
Now that you have the authCode
, you need to trigger a call to the Authentication API from your backend:
curl -X POST --location 'https://{{tenant-space}}.auth.scayle.cloud/v1/oauth/token' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {base64Encode({client_id}:{client_secret})}' \
--data-raw '{
"grant_type": "authorization_code",
"code": "..."
}'
This generates internal Authentication API access and refresh tokens, functioning identically to those used in the standard email and password authentication flow.
The Authentication API will link the IDP access- and refresh- tokens and validate them during the token validation later on.
Logout
See how to build your logout flow with external identity providers
The logout flow consists of:
- Revoking the Authentication API tokens
- Revoking the IDP tokens
- Redirecting the user to a given
callbackUrl
Redirect the user to the Authentication API
Generate a link to the logout-redirect endpoint, including the shopId
and a JWT containing the callbackUrl
and idpKey
. The Authentication API will validate the JWT signature using the shopSecret
.
You can either generate a link, pointing to the Authentication API directly, or you can also provide your own 302 redirect flow upfront, if necessary.
Example:
<a href="https://{{tenant-space}}.auth.scayle.cloud/v1/auth/logout/redirect?shopId=...&jwt=...">
Logout
</a>
The JWT payload needs to contain the callbackUrl
, and a tokenId
.
The Access Token ID is not the same as the Access Token itself. If you want to revoke a token you received from the login or register endpoints, you can get the Access Token ID by decoding the Access Token's JWT payload and extract the jti
property, which is the ID.
The user will then be redirected back to your callbackUrl
.
IDP access token
Get access to the idp
access token.
If you need to get the IDP access token, in order to interact with the IDP yourself, you can use the get-token endpoint. The response will then contain a external_token.idp_access_token
property which contains the currently valid access token.
If the IDP access tokens expired, the Authentication API will try to refresh it on the fly.