Simplified client

The Simplified OAuth2/OIDC client allows you to extend the standard OIDC flow so that password authentication can be performed through an API instead of a hosted login page.

Using a simplified OIDC client comes with limitations:

  • Identity verification policies and multi-factor authentication methods are not applied to simplified clients since login is limited to password authentication.
  • You can still hook into the authentication flow of the simplified client, but only a handful of Lifecycle Event Hooks can be assigned:
    • At failed identification
    • After customer identification
    • After failed authentication
    • After self-service login
    • Before ID token generation
    • Before password validation

📘

You can find out more about the supported events at the link.

  • No UI will be available where users can log in.

Authorization request

📘

The list of well-known URLs, such as the discovery URL and the authorization endpoint, is included at the link on the OIDC support page.

Authorization can take place in one of two ways with a simplified client:

  1. General OIDC approach
  2. Stateless one-time API call

🚧

Please take note that each scenario requires a different endpoint to call.

General OIDC approach

This approach is a custom extension to the standard OIDC flow that handles user credentials. The session is managed by the requesting application (your brand portal) and the configuration includes a valid redirect URL.

📘

Redirection

Your brand portal should handle the redirect response from the /simplelogin/api/v1/authenticate endpoint. The redirect will include a query parameter (code or error).

Handling the redirect response

Success case (a code query parameter is present)

  • Check that the state query parameter matches the value your brand portal sent in the authorization request before doing anything with the code; this is the CSRF protection the state parameter exists for.
  • Use the received code to make a POST request to the token endpoint of the OIDC provider.
  • Include the necessary parameters: grant_type (authorization_code), code, redirect_uri, and the client credentials.
  • The OIDC provider responds with tokens (ID token, access token).

Error case (error query parameters are present)

  • Handle errors such as invalid credentials.
  • Based on the type of error, display a message to the user or log it for debugging.

Steps

  1. Send an authorization request to the authorization endpoint (the well-known URLs, including the authorization endpoint, are listed on the OIDC support page).

A well-formed authorization request includes the following parameters:

  • response_type
  • client_id
  • redirect_uri
  • scope
  • state (for CSRF protection)

📘

A successful call returns a session cookie, which you send in step #2 when calling the /simplelogin/api/v1/authenticate endpoint.

  2. Call the /simplelogin/api/v1/authenticate endpoint

Using the session cookie from step #1, POST the user's identifier and password to the /simplelogin/api/v1/authenticate endpoint. When the credentials are accepted, the response redirects the user back to your brand portal's redirect_uri with an authorization code (or with an error, as described under Redirection above). Capture the authorization code and exchange it at the token endpoint.

HTTP POST request example:

  POST /simplelogin/api/v1/authenticate HTTP/1.1
  Host: your-api-host.com
  Content-Type: application/json
  Cookie: [Cookies from the first step]

  {
    "identifier": "[email protected]",
    "password": "super$Secret4!"
  }
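The three steps above, plus the redirect handling described under Redirection and the Basic/Post client authentication options described later under Token endpoint authentication method, as an added example of the brand portal's side of the exchange. This is not Strivacity's own code: the authorization endpoint URL, client_id, redirect_uri and session cookie value are placeholders, and only standard OAuth 2.0/OIDC parameter names are assumed. No network calls are made; the functions build the requests and check the callback so that a practitioner can see where the state check and the client credentials belong.

```python
"""Brand-portal side of the general OIDC approach for a simplified client.

Added example, not Strivacity's code. Endpoint URLs, client identifiers and
the session cookie are placeholders; parameter names are standard OAuth 2.0.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse


def build_authorization_request(authorization_endpoint: str, client_id: str,
                                redirect_uri: str, scope: str = "openid profile"):
    """Step 1: build the authorization URL and the state the portal must remember.

    Returns (url, state). Store the state in the portal's own session and
    compare it on the redirect; that comparison is what defeats login CSRF.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return f"{authorization_endpoint}?{urlencode(params)}", state


def build_authenticate_request(session_cookie: str, identifier: str, password: str):
    """Step 2: headers and JSON body for POST /simplelogin/api/v1/authenticate.

    The cookie from step 1 ties the credential POST to the pending authorization
    request. Credentials travel only in the body, never in the URL (URLs end up in logs).
    """
    headers = {"Content-Type": "application/json", "Cookie": session_cookie}
    body = {"identifier": identifier, "password": password}
    return headers, body


class CallbackError(Exception):
    """Raised when the redirect carries an error or fails the state check."""


def handle_redirect(redirect_url: str, expected_state: str) -> str:
    """Parse the redirect issued after authenticate and return the authorization code.

    The state is checked before code or error is looked at, so an attacker-crafted
    callback cannot inject a code (or a misleading error) into a victim's session.
    """
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: possible CSRF or stale request")
    if "error" in query:
        message = query["error"][0]
        description = query.get("error_description", [""])[0]
        if description:
            message += f": {description}"
        raise CallbackError(message)
    codes = query.get("code")
    if not codes:
        raise CallbackError("redirect carried neither code nor error")
    return codes[0]


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        client_secret: str, auth_method: str = "basic"):
    """Step 3: headers and form-encoded body for the token endpoint.

    auth_method mirrors the client setting: "basic" is client_secret_basic
    (RFC 6749 section 2.3.1: id and secret are form-urlencoded, joined by ':'
    and Base64-encoded), "post" is client_secret_post, "none" sends only client_id.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "basic":
        raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    elif auth_method == "post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    elif auth_method == "none":
        body["client_id"] = client_id
    else:
        raise ValueError(f"unknown token endpoint authentication method {auth_method!r}")
    return headers, urlencode(body)
```

The state comparison uses hmac.compare_digest so that the check does not leak timing information, and the "none" branch exists only so the three settings on the page map one-to-one; a client that holds a secret should use "basic" or "post".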

Stateless API call

The /simplelogin/api/v1/token endpoint works exclusively with a simplified OIDC client. It does not require a cookie in the request since it is stateless. The client still has to identify itself: an invalid client ID or secret results in a 401 (see Responses below).

  1. Send a POST request with the following request body to the token endpoint:
{
  "scope": "<eg. openid profile offline>",
  "response_type": "<token | id_token | token id_token>",
  "identifier": "[email protected]",
  "password": "p4ssw0rd!",
  "organization": {
    "route": "saasii"
  }
}

Responses

  • 200: the user credentials are valid. Optionally the response body includes an extra userinfo field containing the payload of the ID token.
  • 400: input validation failed; the response carries an error followed by an error description.
  • 401: invalid client ID or secret.
  • 500: internal error.

Creating a simplified client

You can create a new client for an application by clicking ‘+ Create a client’. To create a simplified client, you can select the ‘OAuth2/OIDC Simplified’ from the list of available client types.

Simplified client settings

Name

The name of the simplified client goes here. It will appear by this name in the listing.

Description

You can add a brief description that appears in the Admin Console only.

Enable

You can disable or enable the simplified client with the switch.

Base organization

You can set the base organization for the simplified client. Base organizations only allow users to sign in through the client from a specific organizational hierarchy.

Client ID

The Client ID is automatically generated when you save the simplified client after initial setup. It is the public identifier by which Strivacity recognises the client whenever the client requests a service (such as authentication).

Client Secret

The Client Secret is automatically generated when you save the simplified client after initial setup. It is the credential the client presents to Strivacity to prove its identity when it requests a service (such as authentication). It must be kept private.

Token endpoint authentication method

This setting specifies how your application authenticates to Strivacity when it calls Strivacity's token endpoint. As a brand, select the method that matches your security requirements:

  • None: the brand application does not authenticate when making requests to the token endpoint; no credentials are presented to prove its identity. Anyone who obtains an authorization code can then redeem it, so this is only appropriate for public clients that cannot keep a secret.
  • Basic: the client ID and secret are sent in the HTTP Authorization header, form-urlencoded, joined by a colon and Base64-encoded (client_secret_basic in RFC 6749). This method is suitable for confidential clients that can securely store and transmit client credentials.
  • Post: the client ID and secret are sent as client_id and client_secret in the body of the token request (client_secret_post).

JWT signing method

Strivacity uses RS256 as the default algorithm for signing the JSON Web Tokens (JWTs). RS256 generates and uses an asymmetric signature.

Allowed callback URLs

Here is where you configure the allowed callback URLs for the OIDC transaction. This corresponds to the redirect_uri that an OIDC client passes to Strivacity when a user wants to authenticate: the redirect_uri in an authorization request must be one of the URLs registered here, so register the exact URLs your brand portal uses.

Dialects

Here is where you can specify the claim dialect that is used by this Application. By default, the 'OpenID Connect' default claim dialect is used.

Enable interactive login and registration

Simple password login via API is considered interactive. Interactive login and registration needs to be enabled for authentication to work.

Enable refresh tokens

This is a customer convenience setting that enables or disables the use of refresh tokens. With refresh tokens enabled, OIDC tokens can be renewed automatically without the user authenticating again.

📘

The lifetime of refresh tokens is set to 30 days by default.