Configuring redirection with OIDC

Developers or administrators of a web application typically only need to know a few pieces of information to redirect to Strivacity for login and self-service related activities.

1) The Domain Name of the Strivacity instance. In OIDC terms, this is generally referred to as the authority. This is available in the Tenant Configuration --> General section of the Admin Console.

2) The Client ID associated with the Application Configuration. This corresponds to the client_id parameter that an OIDC client would pass to Strivacity when a user wants to authenticate. This tells Strivacity what application configuration to associate the login or self service transaction with.

3) The Redirection URI. This corresponds to redirect_uri parameter that an OIDC client would pass to Strivacity when a user wants to authenticate. This tells Strivacity where to send the OIDC response containing the authorization code or id_token.

4) The Response Type. This corresponds to the response_type parameter that an OIDC client would pass to Strivacity when a user wants to authenticate. This tells Strivacity what type of OIDC flow is desired by the brand.

To start an OIDC flow with Strivacity, a brand must construct an appropriate URL that the browser is sent to when a user clicks on to log in to the brand's web application.

For Login via Implicit Flow

To initiate a login via Implicit Flow, use the following URL template.

https://BRAND_DOMAIN.strivacity.com/oauth2/auth?
client_id=CLIENT_ID&
redirect_uri=REDIRECTION_URI&
response_type=id_token&
scope=openid&
state=<random string>&
nonce=<random string>

The user will be asked to login, respecting the configured Adaptive MFA workflow. Upon successful completion of the login, the browser will be redirected to the redirect_uri specified. This will come in the form of a GET request containing the id_token and state parameters as URL fragments.

๐Ÿ“˜

URL fragments are stripped by the browser prior to being sent to your HTTP server. This is a security feature of OIDC to prevent leaking sensitive items. This means that these parameters must be processed at the browser level, typically via javascript.

For Login via Authorization Code Flow

To initiate a login via Authorization Code Flow, use the following URL template.

https://BRAND_DOMAIN.strivacity.com/oauth2/auth?
client_id=CLIENT_ID&
redirect_uri=REDIRECTION_URI&
response_type=code&
scope=openid&
state=<random string>&
nonce=<random string>

The user will be asked to login, respecting the configured Adaptive MFA workflow. Upon successful completion of the login, the browser will be redirected to the redirect_uri specified. This will come in the form of a GET request containing the code and state parameters as URL fragments.

๐Ÿ“˜

URL fragments are stripped by the browser prior to being sent to your HTTP server. This is a security feature of OIDC to prevent leaking sensitive items. This means that these parameters must be processed at the browser level, typically via javascript.

For Login via Hybrid Flow

To initiate a login via Hybrid Flow, use the following URL template.

https://BRAND_DOMAIN.strivacity.com/oauth2/auth?
client_id=CLIENT_ID&
redirect_uri=REDIRECTION_URI&
response_type=id_token%20code&
scope=openid&
state=<random string>&
nonce=<random string>

The user will be asked to login, respecting the configured Adaptive MFA workflow. Upon successful completion of the login, the browser will be redirected to the redirect_uri specified. This will come in the form of a GET request containing the id_token, code and state parameters as URL fragments.

๐Ÿ“˜

URL fragments are stripped by the browser prior to being sent to your HTTP server. This is a security feature of OIDC to prevent leaking sensitive items. This means that these parameters must be processed at the browser level, typically via javascript.

Authorization Code Exchange

In flows involving authorization codes, the code may be exchanged for an id_token at the following endpoint:

https://BRAND_DOMAIN.strivacity.com/oauth2/token

ID Tokens

The id_token is represented as a JSON Web Token (JWT). Once retrieved and decoded, the id_token has the following format.

{
    "aud": [
        "<string>"
    ],
    "auth_time": <timestamp>,
    "c_hash": "<string>",
    "client_id": "<string>",
    "exp": <timestamp>,
    "iat": <timestamp>,
    "iss": "https://BRAND_DOMAIN.strivacity.com/",
    "jti": "<string>",
    "nonce": "<string>",
    "rat": <timestamp>,
    "sid": "<string>",
    "sub": "<string>",
    "user_id": "<string>",
    "username": "<string>"
}

See the OpenID specification for an in depth discussion of these fields. The id_token MAY contain other claims such as the username.

Token Introspection

Access and refresh tokens may be introspected at the following endpoint:

https://BRAND_DOMAIN.strivacity.com/oauth2/introspect

This endpoint must be accessed via the client credentials flow, with a scope of read:token_introspection, and Token Introspection::Read must be enabled in the REST API Access Policy. See Using the REST APIs and REST API access policies for more details.