OpenID as a service

Why become an OpenID provider for your partners?

Becoming an OpenID provider lets you safely leverage your existing user base: your users can sign in on your partners' sites with the accounts they already have.
You can quickly deploy your own authentication connector, just like the most widely used identity providers (Facebook, Google, Apple, etc.), and securely share authorized users' information with your partners.
Here is a quick demo:

[Demo: OaaS]

Prerequisites

These features must be active in the ReachFive Console.
Liaise with your ReachFive contact to enable them for your account.

  • Open ID Connect as a Service

  • Hosted pages — where users authenticate and grant authorization requests.

  • SSO — to use existing session info and improve the user experience.

Configure first and third-party clients

First-party client settings

Allow the consent callback URL on the first party client you use for the Hosted pages.

Allowed Callback URLs:

  • YOUR_DOMAIN/consent

Third-party client settings

  1. In Settings > Clients, select + New Client.

  2. Enter the client name.

    The name of the ReachFive client and account appear on the consents hosted page.
  3. Under Client type, select Third-party Identity.

  4. Click Save.

  5. Upload a logo to be displayed on the consent page.

  6. Under Website URL, define the logo link Website URL.

    The logo and Website URL parameters are mandatory.

  7. Add the scopes based on grants to collect.

    Every requested scope appears on the consent page and must be authorized by the user, except openid and offline_access.

    The display name is derived from the scope name: to display "View your Immatriculation", the scope must be named Immatriculation.

  8. Under Token Endpoint Authentication Method, select the method you will use for your authentication process.

Whitelist URLs

Allowed Origins (CORS):

  • YOUR_DOMAIN

Allowed Callback URLs:

  • REDIRECT_URI

Implement the flow

Consider an identity provider We Retail (first-party site) and the partner We Airline (third-party site).

[Diagram: OaaS flow]

  1. To start an OaaS flow, call /oauth/authorize from your website with a third-party client:

    https://YOUR_DOMAIN/oauth/authorize?
      client_id=YOUR_CLIENT_ID&
      scope=openid%20email%20phone%20profile&
      redirect_uri=REDIRECT_URI&
      response_type=id_token

    Users are automatically redirected to the Authentication Hosted Page to log in.

    [Screenshot: OaaS authentication page]

    Users who already have an active session skip the login step and are redirected directly to the consent page.

  2. After logging in, users are redirected to the consent page where they can grant authorization to the third-party site for the requested scopes.

    [Screenshot: OaaS consent page]

    The name of the ReachFive client and account configured on the third-party client appear on the consent hosted page. The background and the primary colour are inherited from the login hosted page configuration.

  3. Users are then logged in and redirected to the initial REDIRECT_URI from /oauth/authorize.

    https://{REDIRECT_URI}/#id_token=eyJ0...xCcA

Grants management API

Your users can view and manage their authorizations to third-party sites using the grant API.

Get authorized user information

You can use the /identity/v1/userinfo endpoint to get the authorized user's information.

It is also possible to decode the id_token obtained after a successful login.
The token contains only the attributes the user authorized.

For more information, read Decode tokens.
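The third-party side of the flow above (step 1's authorize URL, step 3's id_token in the redirect fragment, and the token decoding this section describes), as an added example that is not ReachFive code; the domain, client id, redirect URI and the sample token are constructed placeholders, and the example assumes Node.js.

```javascript
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');

// Step 1: the URL the third-party client sends the user to (same parameters as on the page).
function buildAuthorizeUrl(domain, clientId, redirectUri, scopes) {
  const query = [
    ['client_id', clientId],
    ['scope', scopes.join(' ')],
    ['redirect_uri', redirectUri],
    ['response_type', 'id_token'],
  ].map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join('&');
  return `https://${domain}/oauth/authorize?${query}`;
}

// Step 3: with response_type=id_token the token comes back in the URL fragment,
// which the browser keeps client-side and never sends to the REDIRECT_URI server.
function idTokenFromRedirect(redirectedUrl) {
  const token = new URLSearchParams(redirectedUrl.split('#')[1] || '').get('id_token');
  if (!token) throw new Error('no id_token in fragment');
  return token;
}

// Decode the payload and apply the checks a relying party makes before trusting
// any claim: the audience is this client and the token has not expired. Signature
// verification against the provider's published keys is required too and is left out here.
function decodeIdToken(token, expectedClientId, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const claims = JSON.parse(fromB64url(parts[1]));
  if (claims.aud !== expectedClientId) throw new Error('aud mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('token expired');
  return claims;
}

// Constructed sample id_token: the payload carries only the attributes the user
// authorized on the consent page for the requested scopes (openid, email, phone,
// profile) plus standard claims; the third segment is a placeholder, not a signature.
const SAMPLE_CLAIMS = {
  iss: 'https://YOUR_DOMAIN', sub: 'user-123', aud: 'YOUR_CLIENT_ID', iat: 1700000000, exp: 1700003600,
  email: 'alice@example.com', phone_number: '+33600000000', given_name: 'Alice',
};
const SAMPLE_ID_TOKEN = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(SAMPLE_CLAIMS), 'placeholder-sig'].join('.');

// Walk the flow end to end with the constructed token.
function demo() {
  const url = buildAuthorizeUrl('YOUR_DOMAIN', 'YOUR_CLIENT_ID', 'REDIRECT_URI', ['openid', 'email', 'phone', 'profile']);
  const claims = decodeIdToken(idTokenFromRedirect(`https://REDIRECT_URI/#id_token=${SAMPLE_ID_TOKEN}`), 'YOUR_CLIENT_ID', 1700000100);
  return { url, claims };
}
```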