An OIDC simplified client extends the standard OAuth2/OIDC flow to allow password authentication through APIs.

This client type is designed for scenarios where authentication is handled directly by the application instead of using Strivacity-hosted login interfaces.

Using a simplified OIDC client comes with several limitations:

Identity verification policies and multi-factor authentication methods are not applied. Authentication is limited to password validation.
Lifecycle event hooks support is limited to the following events:
- At failed identification
- After customer identification
- After failed authentication
- After self-service login
- Before ID token generation
- Before password validation
No Strivacity-hosted login interface is available.

📘
You can find more information about supported events in Lifecycle event hooks.

You can configure this client in the Admin Console under Applications → Clients.

Simplified clients include the following configuration tabs:

General
OAuth2/OIDC simplified

General

Use the General tab to define basic client properties.

Name: name displayed in the client list in the Admin Console.
Description: optional description visible only in the Admin Console.
Enabled: enables or disables the client. Disabled clients cannot be used for authentication.
Base organization: restricts access to users from a specific organizational hierarchy. Only users belonging to the selected base organization can authenticate through this client. See Base organizations for details.
Danger zone: allows you to delete the client.
❗️
Deleting a client cannot be reversed.

OAuth2/OIDC simplified

The OAuth2/OIDC tab contains the OpenID Connect configuration for the client. These settings define how the application authenticates with Strivacity and how tokens are issued.

For a complete description of OAuth2/OIDC configuration options, see OAuth2/OIDC properties setup.

How authentication works

Simplified clients support two approaches for authenticating customers through the API:

General OIDC approach
Stateless one-time API call

📘
The list of well know URLs, including the discovery URL and authorization endpoint, is available on the OIDC support page.

🚧
Each approach uses a different endpoint.

General OIDC approach

This approach is a custom extension to the standard OIDC flow that handles user credentials. The session is managed by the requesting application (your brand portal) and the configuration includes a valid redirect URL.

📘
Redirection
Your brand portal should handle the redirect response from the /simplelogin/api/v1/authenticate endpoint. The redirect will include a query parameter (code or error).

Handling the redirect response

Success case Error case

Code query parameter is present. Error query parameters are present.

Success case	Error case
Code query parameter is present.	Error query parameters are present.
You can use the received `code` to make a POST request to the token endpoint of the OIDC provider. Include the necessary parameters like `grant_type` (should be `authorization_code`), `code`, `redirect_uri`, and `client credentials`. The OIDC provider will respond with tokens (ID token, access token).	You can handle errors such as invalid credentials. Based on the type of error, you can display a message to the user or log for debugging.

You can use the received code to make a POST request to the token endpoint of the OIDC provider.

Include the necessary parameters like grant_type (should be authorization_code), code, redirect_uri, and client credentials.

The OIDC provider will respond with tokens (ID token, access token).

You can handle errors such as invalid credentials.

Based on the type of error, you can display a message to the user or log for debugging.

Steps

Send a request to your brand portal’s authorization endpoint.

A well-formed authorization request includes the following parameters :

Response_type
Client_id
Redirect_uri
Scope state for CSRF protection.

📘
A successful call will return a session cookie which you can use in step 2 to call the simplelogin/api/v1/authenticate endpoint.

Call the /simplelogin/api/v1/authenticate endpoint

After the user authenticates, they are redirected back to your brand portal with an authorization code. You can capture the authorization code and call the /simplelogin/api/v1/authenticate endpoint.

HTTP POST request example:

POST /simplelogin/api/v1/authenticate HTTP/1.1

Host: your-api-host.com

Content-Type: application/json

Cookie: [Cookies from the first step]

{

  "identifier": "[email protected]",

  "password": "super$Secret4!",

}

Stateless API call

The /simplelogin/api/v1/tokenendpoint works exclusively with a simplified OIDC client. It doesn’t require a cookie in the request since it’s stateless.

Send a POST request with the following request body to the token endpoint:

{
  "scope": "<eg. openid profile offline>",
  "response_type": "<token | id_token | token id_token>",
  "identifier": "[email protected]",
  "password": "p4ssw0rd!",
  "organization": {
    route: "saasii"
  }
}

Responses

Response	Note
200	If user credentials are valid, the server responds with this. Optionally, the response body could include an extra `userinfo` field containing the payload of the ID token.
400	Response error followed by an error description in case of input validation.
401	Invalid client ID and secret.
500	Internal error.