OpenID as a service

Becoming an OpenID provider enables you to safely leverage your existing user base and allows your users to easily sign in on your partners' sites with their existing accounts.

You will be able to quickly deploy your own authentication connector, just like the most widely used identity providers (Facebook, Google, Apple, etc.). It also allows you to securely share authorized user information with your partners.

Demo: OpenID as a service

Configure your authentication flow

There are two different approaches when setting up your authentication flow depending on your requirements.

Approach 1 (recommended): You use ReachFive as your identity provider.

  Configure the following from your ReachFive Console:

Approach 2: You have your own identity provider.

  Configure the Third-party identity client from the ReachFive Console.

  Please contact the ReachFive team if you want to implement this option. The identity provider must be compliant with the OpenID standard.

Set up a client

Setting up a client generally follows the same process whether it is for a first-party, third-party, or management client. This is done via your ReachFive Console. The instructions here cover each type of client setup.

Prerequisites

  • You must have access to your ReachFive Console.

  • You must have a Developer, Manager, or Administrator role.

  • You must have the OAuth and OpenID Connect as a Service feature enabled.

  • You must have the Hosted Pages feature enabled. Hosted Pages authenticate and grant authorization requests.

  • You must have the SSO feature enabled. SSO uses existing session information and improves user experience.

Instructions

Get to clients
  1. Go to Settings > Clients.

  2. Select New client.

  3. Give the client a name and select the Client type from the dropdown menu. Don’t forget to Save your input.

Configure the first-party identity client
  1. Set your desired scopes by selecting them from the dropdown menu.

    Both default and custom scopes are available from the menu.
  2. Choose the Token Endpoint Authentication Method.

    The options are Post, Basic, or None. Post is the default and recommended choice.
  3. Specify the Allowed Origins (CORS). These are the origin URLs allowed to access and use the ReachFive SDK.

  4. Specify the Allowed Callback URLs. These are the URLs where the user is taken after authentication.

  5. Specify the Token lifetime (in seconds).

  6. If desired, set the configuration for PKCE and refresh tokens.

    More information can be found at Refresh tokens.
  7. Choose the JWT Algorithm. HS256 is the default option.

  8. Specify the Login URL. Users whose authentication failed are sent to this URL.

Configure the third-party identity client
  1. Select the logo that will be displayed in the consent page.

  2. Set the Website URL. This is where users will go if they click the logo.

  3. Set your desired scopes by selecting them from the dropdown menu.

    Both default and custom scopes are available here. All scopes are mandatory to complete the flow.
  4. Choose the Token Endpoint Authentication Method.

    The options are Post, Basic, or None. Post is the default and recommended choice.
  5. Specify the Allowed Origins (CORS). These are the origin URLs allowed to access and use the ReachFive SDK.

  6. Specify the Allowed Callback URLs. These are the URLs where the user is taken after authentication.

  7. Specify the Token lifetime (in seconds).

  8. If desired, set the configuration for PKCE and refresh tokens.

    More information can be found at Refresh tokens.
  9. Choose the JWT Algorithm. HS256 is the default option.

Hosted pages configuration

You can use Hosted Pages to handle authentication in the OaaS flow. Both the Authentication and the Passwordless Hosted Page are supported as part of the OaaS flow. The Hosted Page enabled in the ReachFive account configuration is the one used in the OaaS flow. If both Hosted Pages are activated, the Authentication Hosted Page takes precedence and is displayed.

See Hosted Pages for more details.

Implement OaaS /auth flow

Consider an identity provider We Retail (first-party site) and the partner We Airline (third-party site).

  1. To start an OaaS flow, call /oauth/authorize from your website with a third-party client:

    https://YOUR_DOMAIN/oauth/authorize?
      client_id=YOUR_CLIENT_ID&
      scope=openid%20email%20phone%20profile&
      redirect_uri=REDIRECT_URI&
      response_type=id_token

    Users are automatically redirected either to the Hosted Page enabled in the ReachFive account or to your own login page in order to log in.

    Users with an active session are redirected straight to the consent page.
  2. After logging in, users are redirected to the consent page, where they can grant the third-party site authorization for the requested scopes.

    The name of the ReachFive client and the account configured on the third-party client appear on the consent Hosted Page. The background and the primary colour are inherited from the login Hosted Page configuration.
  3. Users are then logged in and redirected to the initial REDIRECT_URI from /oauth/authorize.

    https://{REDIRECT_URI}/#id_token=eyJ0...xCcA

Grants management API

Your users can view and manage their authorizations to third-party sites using:

Get authorized user information

You can use the /identity/v1/userinfo endpoint to get the authorized user information.

It is also possible to decode the id_token obtained after a successful login. In this case, you will only get the authorized attributes in the token.
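As an added example (not ReachFive's code), here is the partner side of the /auth flow above and of decoding the id_token: it builds the /oauth/authorize request, pulls id_token out of the redirect fragment, and verifies the token before trusting any claim. The example.reach5.net domain, the use of the client secret as the HS256 key and the nonce parameter are assumptions; the token used in testing is constructed.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, quote, urlencode, urlparse

def build_authorize_url(domain, client_id, redirect_uri, scopes, nonce):
    """Build the /oauth/authorize request from the flow above (response_type=id_token).
    nonce is an assumption: OIDC requires it for response_type=id_token to stop replay."""
    params = {"client_id": client_id, "scope": " ".join(scopes),
              "redirect_uri": redirect_uri, "response_type": "id_token", "nonce": nonce}
    return f"https://{domain}/oauth/authorize?" + urlencode(params, quote_via=quote)

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: str) -> str:
    """Mint a constructed HS256 id_token. Stands in for the provider in tests only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def id_token_from_redirect(url: str) -> str:
    """Step 3 returns the token in the URL fragment (#id_token=...), not the query string."""
    return parse_qs(urlparse(url).fragment)["id_token"][0]

def verify_id_token(token, secret, issuer, client_id, nonce, now) -> dict:
    """Check signature, then iss/aud/nonce/exp; raise ValueError on any failure.
    Assumes the HS256 key is the client secret (an assumption about this provider)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header pick it
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims  # only the attributes the user consented to are present
```

The returned claims are exactly the authorized attributes carried by the token; anything else still has to be fetched from /identity/v1/userinfo.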

For more information, see Decode tokens.