OAuth Single Sign On¶
Accelerate uses OAuth2 to facilitate SSO from other platforms. If your organization would like to support SSO to Accelerate, you can register your OAuth implementation by contacting support. We request the following information:
- Endpoint url for authorization
- Endpoint url to retrieve an access token
- Endpoint url to retrieve user info, in particular the user id that the account will be linked with
- Client ID
- Client Secret
The OAuth flow involves the following steps:
- Authorization (endpoint /authorization)
- Token (endpoint /token)
- User info (endpoint /user_info)
Communication is expected to use HTTP/1.1 over TLS, with JSON as the content type.
Process for the end user¶
When an Accelerate user wants to use SSO, they go to their account settings page and navigate to the Single Sign On section.
Accelerate displays all platforms that are currently supported. By clicking the “link” button the user is redirected to the /authorization endpoint and asked to grant Accelerate access to their basic user info. The platform should then redirect the user back to Accelerate.
Behind the scenes Accelerate requests an access token and then calls /user_info to retrieve the user's external identifier, which is used to link the user’s account with Accelerate. The linking process is now complete.
Once the user has set up SSO successfully, they can log out and return to the Accelerate login page, where a new button “Login with <platform>” should appear. Clicking it sends the user to the /authorization endpoint again, but this time the platform should redirect straight back to Accelerate without prompting. Accelerate then calls /user_info and tries to find a match for the returned user identifier. If a linked account is found, the user is logged into Accelerate; otherwise the action is aborted.
Authorization¶
The first step in the OAuth flow is authorization. Here the user of your platform grants Accelerate permission to link the two accounts. The user is also redirected here when logging in with SSO, which is why it is desirable to prompt the user only once, during the account-linking phase. Accelerate makes a request to your /authorization endpoint with the following GET parameters.
Parameter | Description |
---|---|
state | Unique string generated by Accelerate for this request; it must be returned unchanged to the redirect URI so the callback can be tied to the request that started it |
response_type | Usually “code” |
approval_prompt | Whether to ask for approval, usually “auto” |
redirect_uri | e.g. https://accelerate.hdconnect.nl/endpoint/sso-callback.php?domain=LICENSE&platform=PLATFORM |
client_id | client id for Accelerate |
The redirect URI is different for each Accelerate license, as it needs to contain the license identifier (domain) and your platform identifier (platform). The platform identifier is created by us to identify which OAuth implementation needs to be handled.
Token¶
After the user has granted our application access to your platform, Accelerate sends a POST request to the token endpoint. The returned token should give Accelerate access to the /user_info endpoint (and possibly others, which are not relevant in this use case). The response contains the following fields.
Field | Description |
---|---|
access_token | The access token |
refresh_token | Used to acquire a new access token when it has expired |
expire | Unix timestamp when the access token will expire |
User info¶
The final endpoint is /user_info. Accelerate calls this endpoint to find out the account’s identifier. This endpoint should be protected by the OAuth access token obtained in the previous step, so requests without a valid token must not return user data.
Field | Description |
---|---|
id | This field is mandatory, because it’s used to link accounts |
name | optional |
optional |
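As an added example (not Accelerate's own code), the three steps above driven from the Accelerate side against a constructed in-process stand-in for the partner platform; the endpoint paths, the GET parameters, the redirect_uri pattern and the token fields follow the page, while the platform base URL, the Bearer header format, the external user id and the account table are assumptions.

```python
import secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# redirect_uri pattern from the page; LICENSE/PLATFORM stand in for real values
REDIRECT_URI = ("https://accelerate.hdconnect.nl/endpoint/sso-callback.php"
                "?domain=LICENSE&platform=PLATFORM")


class FakePlatform:
    """Constructed stand-in for the partner's three endpoints (not a real API)."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def authorization(self, url):
        # The user grants access; the platform redirects back with code + state.
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(8)
        self.codes[code] = True
        return f"{q['redirect_uri'][0]}&code={code}&state={q['state'][0]}"

    def token(self, code):
        # POST /token: a code may be exchanged exactly once.
        if not self.codes.pop(code, False):
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = "ext-42"  # assumed external user id behind this token
        return {"access_token": tok, "refresh_token": "r", "expire": int(time.time()) + 3600}

    def user_info(self, authorization_header):
        # GET /user_info is only served with a valid access token.
        tok = authorization_header[len("Bearer "):]
        return {"id": self.tokens[tok], "name": "Example"} if tok in self.tokens else {}


def sso_login(platform, client_id, linked_accounts, tamper_state=False):
    """Accelerate side: authorization -> token -> user_info -> account match.
    Returns the linked Accelerate account, or None when the action is aborted."""
    state = secrets.token_urlsafe(16)
    params = {"state": state, "response_type": "code", "approval_prompt": "auto",
              "redirect_uri": REDIRECT_URI, "client_id": client_id}
    callback = platform.authorization(f"https://platform.example/authorization?{urlencode(params)}")
    if tamper_state:  # simulate a callback that was not started by this request
        callback = callback.replace(state, "x" * len(state))
    q = parse_qs(urlparse(callback).query)
    if q.get("state", [""])[0] != state:  # state must round-trip unchanged
        return None
    tok = platform.token(q["code"][0])
    if "access_token" not in tok or tok["expire"] <= time.time():
        return None  # no usable token: abort
    info = platform.user_info(f"Bearer {tok['access_token']}")
    return linked_accounts.get(info.get("id"))  # None -> abort the login
```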