OpenID as a service
Becoming an OpenID provider lets you safely leverage your existing user base and lets your users sign in on your partners' sites with their existing accounts.
You can quickly deploy your own authentication connector, just like the most widely used identity providers (Facebook, Google, Apple …). It also lets you securely share authorized user information with your partners.
Configure your authentication flow
There are two different approaches to setting up your authentication flow, depending on your requirements.

Approach | Instructions
---|---
You use ReachFive as your identity provider (recommended). | Configure the following from your ReachFive Console:
You have your own identity provider. | Configure the Third-party identity client from the ReachFive Console.
Set up a client
Setting up a client generally follows the same process whether it is for a first-party, third-party, or management client. This is done via your ReachFive Console. The instructions here cover each type of client setup.
Prerequisites
- You must have access to your ReachFive Console.
- You must have a Developer, Manager, or Administrator role.
- You must have the OAuth and Open ID Connect as a Service feature enabled.
- You must have the Hosted Pages feature enabled. Hosted Pages authenticate and grant authorization requests.
- You must have the SSO feature enabled. SSO uses existing session information and improves user experience.
Instructions
- Get to clients
  - Go to the clients section of your ReachFive Console.
  - Select New client.
  - Give the client a name and select the Client type from the dropdown menu. Don't forget to Save your input.
- Jump to your client
- Configure the first-party identity client
  - Set your desired scopes by selecting them from the dropdown menu.
  - Choose the Token Endpoint Authentication Method. The options are Post, Basic, or None. Post is the default and recommended choice.
  - Specify the Allowed Origins (CORS). These are the origin URLs allowed to access and use the ReachFive SDK.
  - Specify the Allowed Callback URLs. These are the URLs where the user is taken after authentication.
  - Specify the Token lifetime (in seconds).
  - If desired, set the configuration for the implicit flow, PKCE, ROPC flow, and refresh tokens.
    - You can disable the ROPC flow directly from the ReachFive Console so that the grant_type of password cannot be used on First-party Identity clients. Simply click the checkbox next to Disable ROPC Flow. We offer this ability to disable the flow because we do not recommend this flow, especially for public clients.
    - For more on refresh tokens, see Refresh tokens.
  - Choose the JWT Algorithm. HS256 is the default option.
  - Specify the Login URL. Users whose authentication failed are sent to this URL.
  - If needed, check the box for Include SSO cookie in token endpoint response.
  - For new clients, ensure that you check the Enforce scope box.
- Configure the third-party identity client
  - Select the logo that will be displayed on the consent page.
  - Set the Website URL. This is where users will go if they click the logo.
  - Set your desired scopes by selecting them from the dropdown menu.
  - Choose the Token Endpoint Authentication Method. The options are Post, Basic, or None. Post is the default and recommended choice.
  - Specify the Allowed Origins (CORS). These are the origin URLs allowed to access and use the ReachFive SDK.
  - Specify the Allowed Callback URLs. These are the URLs where the user is taken after authentication.
  - Specify the Token lifetime (in seconds).
  - If desired, set the configuration for PKCE and refresh tokens. More information can be found at Refresh tokens.
  - Choose the JWT Algorithm. HS256 is the default option.
  - Optionally, enter a Custom login page if you do not want to use the Hosted Pages login page.
Hosted pages configuration
You can choose the Hosted pages to handle the authentication in the OaaS flow. We support both the Authentication and Passwordless Hosted pages as part of the OaaS flow. The Hosted page enabled in the ReachFive account configuration is used in the OaaS flow. If both Hosted pages are activated, the Authentication Hosted page takes precedence and is displayed.
See Hosted Pages for more details.
Implement OaaS /auth flow
Consider an identity provider We Retail (first-party site) and the partner We Airline (third-party site).
- To start an OaaS flow, call /oauth/authorize from your website with a third-party client:

    https://YOUR_DOMAIN/oauth/authorize?
      client_id=YOUR_CLIENT_ID&
      scope=openid%20email%20phone%20profile&
      redirect_uri=REDIRECT_URI&   (1)
      response_type=id_token

  (1) Users are automatically redirected to the enabled Hosted Page in the ReachFive account to log in, or to your own custom login page.
- After logging in, users are redirected to the consent page, where they can grant authorization to the third-party site for the requested scopes. Users with an active session are automatically redirected to the consent page.
  If using Hosted Pages, the name of the ReachFive client and account configured on the third-party client appear on the consents hosted page. The background and the primary colour are inherited from the login hosted page configuration.
- Users are then logged in and redirected to the initial REDIRECT_URI from /oauth/authorize:

    https://{REDIRECT_URI}/#id_token=eyJ0...xCcA
Grants management API
Your users can view and manage their authorizations to third-party sites using:
- The management Grants API
- The identity Grants API, if the user is connected and has a first-party access token
Get authorized user information
You can use the /identity/v1/userinfo endpoint to get the authorized user's information.
It is also possible to decode the id_token obtained after a successful login. In this case, you will only get the authorized attributes in the token.
For more information, see Decode tokens.
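The following is an added example of the third-party (We Airline) side of the /auth flow above, together with the id_token decoding described in this section. It is not ReachFive code. It builds the /oauth/authorize URL, reads the id_token back from the URL fragment, and only then decodes the claims after checking the HS256 signature (the page's default JWT Algorithm), issuer, audience, expiry and nonce. The domain, client id, client secret and redirect URI are constructed placeholders; `state` and `nonce` are standard OIDC parameters this example adds beyond the four shown on the page; and `mint_test_id_token` stands in for the provider only so the example can run offline.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Constructed values: replace with your own ReachFive domain, client id, secret and callback.
DOMAIN = "example.reach5.net"
CLIENT_ID = "third-party-client-id"
CLIENT_SECRET = b"constructed-secret-not-a-real-one"
REDIRECT_URI = "https://we-airline.example/callback"
SCOPES = ["openid", "email", "phone", "profile"]


def build_authorize_url(state, nonce):
    """Build the /oauth/authorize URL the partner site sends the browser to."""
    params = {
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),
        "redirect_uri": REDIRECT_URI,
        "response_type": "id_token",
        "state": state,  # stored in the browser session, compared on return
        "nonce": nonce,  # echoed inside the id_token, compared on return
    }
    return f"https://{DOMAIN}/oauth/authorize?" + urlencode(params, quote_via=quote)


def parse_callback_fragment(url):
    """With response_type=id_token the token arrives in the fragment (after '#')."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_id_token(token, expected_nonce, now=None):
    """Check signature, issuer, audience, expiry and nonce; return the claims."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != f"https://{DOMAIN}":
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims  # only the scopes the user consented to are present here


def mint_test_id_token(claims):
    """Test helper only: mint an HS256 id_token the way the provider would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def handle_callback(url, session, now=None):
    """Complete the flow: bind the response to the session, then verify the id_token."""
    params = parse_callback_fragment(url)
    if not hmac.compare_digest(params.get("state", ""), session["state"]):
        raise ValueError("state mismatch")
    return verify_id_token(params["id_token"], session["nonce"], now)


if __name__ == "__main__":
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    print(build_authorize_url(session["state"], session["nonce"]))
    token = mint_test_id_token({"iss": f"https://{DOMAIN}", "aud": CLIENT_ID, "sub": "user-123",
                                "email": "user@example.com", "nonce": session["nonce"],
                                "exp": int(time.time()) + 300})
    print(handle_callback(f"{REDIRECT_URI}#id_token={token}&state={session['state']}", session))
```

Because the fragment never reaches the server, `handle_callback` runs in the browser-side or single-page part of the partner site; the claims it returns are limited to the attributes the user authorized on the consent page.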