Simplified client
The Simplified OAuth2/OIDC client allows you to extend the standard OIDC flow to handle password authentication via APIs.
Using a simplified OIDC client comes with limitations:
- Identity verification policies and multi-factor authentication methods are not applied to simplified clients, since login is limited to password authentication.
- You can still hook into the authentication flow of the simplified client, but only a handful of Lifecycle Event Hooks can be assigned:
  - At failed identification
  - After customer identification
  - After failed authentication
  - After self-service login
  - Before ID token generation
  - Before password validation
  You can find out more about the supported events at the link.
- No UI will be available where users can log in.
Authorization request
The list of well-known URLs, such as the discovery URL and the authorization endpoint, is included at the link on the OIDC support page.
Authorization can be performed in two ways using a simplified client:
- General OIDC approach
- Stateless one-time API call
Note that each scenario calls a different endpoint.
General OIDC approach
This approach is a custom extension to the standard OIDC flow that handles user credentials. The session is managed by the requesting application (your brand portal) and the configuration includes a valid redirect URL.
Redirection
Your brand portal should handle the redirect response from the /simplelogin/api/v1/authenticate endpoint. The redirect will include a query parameter (code or error).
Handling the redirect response
Success case | Error case |
---|---|
The code query parameter is present. | The error query parameters are present. |
Use the received code to make a POST request to the token endpoint of the OIDC provider. Include the necessary parameters: grant_type (must be authorization_code), code, redirect_uri, and the client credentials. The OIDC provider responds with tokens (ID token, access token). | Handle errors such as invalid credentials. Based on the type of error, you can display a message to the user or log it for debugging. |
Steps
1. Send a request to your brand portal’s authorization endpoint. A well-formed authorization request includes the following parameters:
   - response_type
   - client_id
   - redirect_uri
   - scope
   - state (for CSRF protection)
   A successful call will return a session cookie, which you use in step 2 to call the /simplelogin/api/v1/authenticate endpoint.
2. Call the /simplelogin/api/v1/authenticate endpoint. After the user authenticates, they are redirected back to your brand portal with an authorization code. You can capture the authorization code and call the /simplelogin/api/v1/authenticate endpoint.
HTTP POST request example:
POST /simplelogin/api/v1/authenticate HTTP/1.1
Host: your-api-host.com
Content-Type: application/json
Cookie: [Cookies from the first step]
{
  "identifier": "[email protected]",
  "password": "super$Secret4!"
}
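The brand-portal side of the two steps above and of the redirect handling, as an added Python example that is not part of Strivacity's documentation or SDK: it generates the state, builds the authorization request, checks the returned state before reading code or error, and prepares the authorization_code exchange. It assumes the redirect echoes state back (standard OAuth 2.0 behaviour); endpoint URLs and client values are placeholders.

```python
# Added example, not Strivacity's code: brand-portal side of the general OIDC
# approach. Endpoint names follow the page; URLs and client values are placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHENTICATE_PATH = "/simplelogin/api/v1/authenticate"


def new_state() -> str:
    """Unguessable per-login state; keep it in the portal session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, scope, state):
    """Step 1: the authorization request with the parameters the page lists."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def handle_redirect(redirect_url, expected_state):
    """Classify the redirect from AUTHENTICATE_PATH as success or error.

    Returns ("code", code) or ("error", error, error_description).
    Raises ValueError when state is missing or differs from the stored one,
    so a forged or replayed redirect never reaches the token exchange."""
    query = parse_qs(urlsplit(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard this redirect")
    if "error" in query:
        return ("error", query["error"][0], query.get("error_description", [""])[0])
    if "code" in query:
        return ("code", query["code"][0])
    raise ValueError("redirect carried neither code nor error")


def token_request_body(code, redirect_uri):
    """Form fields for the authorization_code exchange at the token endpoint; client
    credentials are attached per the configured token endpoint authentication method."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
```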
Stateless API call
The /simplelogin/api/v1/token endpoint works exclusively with a simplified OIDC client. It doesn’t require a cookie in the request since it’s stateless.
- Send a POST request with the following request body to the token endpoint:
{
  "scope": "<eg. openid profile offline>",
  "response_type": "<token | id_token | token id_token>",
  "identifier": "[email protected]",
  "password": "p4ssw0rd!",
  "organization": {
    "route": "saasii"
  }
}
Responses
Response | Note |
---|---|
200 | Returned when the user credentials are valid. Optionally, the response body can include an extra userinfo field containing the payload of the ID token. |
400 | Error response followed by an error description, returned when input validation fails. |
401 | Invalid client ID and secret. |
500 | Internal error. |
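The stateless call and the response table above, as an added Python example that is not Strivacity's code: it builds the JSON body from the page, performs the POST, and maps each status code to an outcome, reading the JSON body of error responses as well. The host and route are placeholders, and the token field names (access_token, id_token, userinfo) are assumptions beyond what the page states.

```python
# Added example, not Strivacity's code: the stateless /simplelogin/api/v1/token call.
# Host, route and credentials are constructed placeholders; response key names are assumed.
import json
import urllib.error
import urllib.request

TOKEN_PATH = "/simplelogin/api/v1/token"


def stateless_token_body(identifier, password, route,
                         scope="openid profile offline", response_type="token id_token"):
    """JSON body as described on the page; no cookie or prior session is involved."""
    return {
        "scope": scope,
        "response_type": response_type,
        "identifier": identifier,
        "password": password,
        "organization": {"route": route},
    }


def interpret_response(status, body):
    """Map an HTTP status and parsed JSON body to an outcome per the page's table.

    200 -> ("ok", tokens)          400 -> ("invalid_input", description)
    401 -> ("client_auth_failed")  500 -> ("server_error")   other -> ("unexpected")"""
    body = body or {}
    if status == 200:
        tokens = {k: body[k] for k in ("access_token", "id_token", "userinfo") if k in body}
        return ("ok", tokens)
    if status == 400:
        return ("invalid_input", body.get("error_description") or body.get("error"))
    if status == 401:
        return ("client_auth_failed", None)
    if status == 500:
        return ("server_error", None)
    return ("unexpected", status)


def call_token_endpoint(host, body, headers=None, timeout=10):
    """POST the body over HTTPS; HTTP error responses are decoded, not raised."""
    hdrs = {"Content-Type": "application/json", **(headers or {})}
    req = urllib.request.Request(f"https://{host}{TOKEN_PATH}", method="POST",
                                 data=json.dumps(body).encode(), headers=hdrs)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_response(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        try:
            payload = json.load(err)   # error bodies carry error / error_description
        except ValueError:
            payload = {}
        return interpret_response(err.code, payload)
```

Pass client authentication headers (for example a Basic Authorization header, depending on the configured token endpoint authentication method) through the headers argument.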
Creating a simplified client
You can create a new client for an application by clicking ‘+ Create a client’. To create a simplified client, you can select the ‘OAuth2/OIDC Simplified’ from the list of available client types.
Simplified client settings
Name
The name of the simplified client goes here. It will appear by this name in the listing.
Description
You can add a brief description that appears in the Admin Console only.
Enable
You can disable or enable the simplified client with the switch.
Base organization
You can set the base organization for the simplified client. Base organizations only allow users to sign in through the client from a specific organizational hierarchy.
Client ID
The Client ID is automatically generated when you save the simplified client after the initial setup. This is the primary identifier used to trust Strivacity when it performs any service (such as authentication). This is public.
Client Secret
The Client Secret is automatically generated when you save the simplified client after the initial setup. This is a secret used to trust Strivacity when it performs any service (such as authentication). This should be kept private.
Token endpoint authentication method
This setting allows you to specify how to authenticate with Strivacity when making a request to Strivacity’s token endpoint. As a brand, you can select the appropriate authentication method based on your security requirements:
- None: The brand application does not authenticate when making requests to the token endpoint. The application provides no credentials to prove its identity.
- Basic: The client ID and secret are included in the Authorization header of the HTTP request, encoded using Base64. The method is suitable for confidential clients that can securely store and transmit client credentials.
- Post: The client ID and secret are sent in the body of the HTTP request when making a request to the token endpoint.
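The three methods above, as an added Python example that is not Strivacity's code: one function places the same client credentials on a token request as None, Basic or Post, and a second shows how a server recovers them from a Basic header. The Basic encoding follows RFC 6749 section 2.3.1 (form-urlencode the ID and secret, then Base64); the client ID and secret values are constructed.

```python
# Added example, not Strivacity's code: where client credentials go under each
# token endpoint authentication method. ID and secret values are constructed.
import base64
from urllib.parse import quote, unquote, urlencode


def apply_client_auth(method, params, client_id, client_secret=None):
    """Return (headers, form_body) for a token request under `method`.

    none  : no credentials; only client_id identifies the (public) client
    basic : Authorization: Basic base64(urlencode(id) ":" urlencode(secret))
    post  : client_id and client_secret as fields in the form body"""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = dict(params)
    if method == "none":
        params["client_id"] = client_id          # identity only, nothing to verify
    elif method == "basic":
        if client_secret is None:
            raise ValueError("basic requires a client secret")
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "post":
        if client_secret is None:
            raise ValueError("post requires a client secret")
        params["client_id"] = client_id
        params["client_secret"] = client_secret  # travels in the body, so TLS is essential
    else:
        raise ValueError(f"unknown token endpoint authentication method: {method}")
    return headers, urlencode(params)


def parse_basic_credentials(auth_header):
    """Server-side inverse of the basic method: (client_id, client_secret) or ValueError."""
    scheme, _, b64 = auth_header.partition(" ")
    if scheme != "Basic" or not b64:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(b64, validate=True).decode()
    cid, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("malformed Basic credentials")
    return unquote(cid), unquote(secret)
```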
JWT signing method
Strivacity uses RS256 as the default algorithm for signing the JSON Web Tokens (JWTs). RS256 generates and uses an asymmetric signature.
Allowed callback URLs
Here is where you configure the allowed callback URLs for the OIDC transaction. This typically corresponds to the redirect_uri that an OIDC client would pass to Strivacity when a user wants to authenticate.
Dialects
Here is where you can specify the claim dialect that is used by this Application. By default, the 'OpenID Connect' default claim dialect is used.
Enable interactive login and registration
Simple password login via API is considered to be interactive. Interactive login and registration needs to be enabled to ensure authentication will work.
Enable refresh tokens
This is a customer convenience setting where you can enable or disable the use of refresh tokens, which means that OIDC tokens can automatically refresh without authentication renewal.
The lifetime of refresh tokens is set to 30 days by default.