SSO flow for web server applications

This section describes the OpenID Connect single sign-on (SSO) flow for traditional server applications integrated with an AppDirect-powered marketplace. For native applications, such as mobile applications, see SSO flow for native applications.

A description of each step follows the image.

  1. The user initiates SSO by clicking on the MyApps tile

  2. The user is redirected to the previously registered Initiate Login URL to initiate SSO at the Developer. Following is an example:

    https://www.isv.com/oidc/login?iss=https://marketplace.exampletelco.com

  3. The Developer initiates SSO by sending a request to the authorization endpoint. Following is an example of how it appears.

    https://marketplace.exampletelco.com/oauth2/authorize?response_type=code&scope=openid profile email&client_id=s6BhdRkqt3&state=af0ifjsldkj&redirect_uri=https://www.isv.com/callback
  4. The user is authenticated with the marketplace.

  5. An authorization code is returned to the redirect_uri passed in step 3.  Note: this URI must also match the value entered in the Redirect URL configuration field on the  Edit Authentication page. Following is an example:

    https://www.isv.com/callback?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj

  6. The Developer sends a POST request to the token endpoint to exchange the authorization code for the ID and access tokens. This request must be authenticated (basic authentication) using the client ID and secret.  

    curl -X POST -u appdirect-49:9vY0s4yb2pbnP7Vz "https://marketplace.exampletelco.com/oauth2/token?grant_type=authorization_code&code=AYo3IQ&redirect_uri=https%3A%2F%2Fwww.isv.com%2Fcallback"
  7. The ID, access and the refresh tokens are returned in the response (see Example E—Token response) in the OpenID Connect authentication event examples.
  8. The ID token is validated by the Developer, including the signature. See Signature verification and key rotation to learn more and see the OpenID Connect specifications for details on token validation.  

  9. The Developer retrieves additional user data (first/last name, email, etc.) from the User Info endpoint.  This is a regular API call that requires the access token returned in step 7 to be included as a bearer token. 

    curl -H 'Authorization: Bearer <access_token>' https://marketplace.exampletelco.com/oauth2/userinfo
  10. The user data is returned.
  11. The user is logged in to the Developer application.