The following documentation applies to the Free, Developer, and Developer Pro plans. Documentation for the Enterprise plan is provided separately.

Outbound SSO OAuth

OAuth 2.0 is a protocol for token-based authentication and authorization. It lets consumers grant one application limited access to their resources held by another application, without exposing their credentials to the first application.

LoginRadius Identity Platform supports the standard OAuth 2.0 specification, so you can integrate your OAuth client with LoginRadius. This lets your application's consumers log in to an OAuth-enabled application without creating a separate account there. This document goes over the full process of implementing SSO with OAuth 2.0.

OAuth 2.0 configuration using LoginRadius APIs

To understand OAuth 2.0 and the flows used in this guide, refer to the OAuth 2.0 reference documentation.

This section covers the configuration you need to do in LoginRadius to implement OAuth functionality. The aim is to obtain an access_token and use it to access protected resources. Three flows are covered, and you can choose one based on your requirements: Authorization Code Grant, Implicit, and Resource Owner Password Credentials Grant.

The following section covers how to obtain a token with the OAuth 2.0 Authorization Code Grant via the LoginRadius APIs.

Authorization Code Grant

You need to perform the following steps to obtain the token: the first involves the browser (the front channel), the second is a back-channel request from your server.

Step 1: Authorization Code Link

To begin the Authorization Code flow, your application should redirect the customer to the following authorization URL:

 https://cloud-api.loginradius.com/sso/oauth/redirect?client_id={LoginRadius API key}&redirect_uri={Callback URL}&scope={Scope}&response_type=code&state={random long string}

Required Parameters

The authorization request contains the following URL parameters:

  • https://cloud-api.loginradius.com/sso/oauth/redirect: The API authorization endpoint.
  • client_id: The identifier of your client application at the authorization server. Enter the LoginRadius API key.
  • redirect_uri: Callback URL on your site to which customers are redirected after an authorization code is granted.

    NOTE: Make sure that you have whitelisted the redirect_uri in your LoginRadius Dashboard. The authorization server only redirects to whitelisted URLs, which stops an attacker from having the code delivered to a URL they control. For more information, refer to the Dashboard documentation.
  • scope: [optional] Specifies the scope of the requested token. If omitted, the authorization server may assume a default scope.
  • state: [optional] Returned unchanged as part of the response. Generate a long random value for every request, store it in the customer's session, and reject any callback whose state does not match the stored value; this protects the callback against cross-site request forgery.
  • response_type: Set to code to indicate the authorization code flow. The login dialog then redirects to: `YOUR_CALLBACK_URI?code={unique code}&state={same value which is passed in request}`

Step 2: Exchange Code for Access Token

The authorization code is an intermediate credential that encodes the authorization obtained in Step 1. To retrieve the access token, your server submits the code to the authorization server using the Access Token by OAuth 2 Token API:

POST https://cloud-api.loginradius.com/sso/oauth/access_token

Request Body:
{
 "client_id": {app-id},
 "client_secret": {app-secret},
 "redirect_uri": {redirect-uri},
 "response_type": "token",
 "code": {code-parameter}
}

Required Parameters

Here is an explanation of the Request Body Parameters:

  • client_id: LoginRadius API Key.
  • client_secret: LoginRadius API Secret. Send it only from your server over this back-channel request; never embed it in browser or mobile code.
  • redirect_uri: Callback URL of your site where you want to redirect back your customers, the same value used in Step 1.
  • code: The authorization code received from the Login Dialog redirect above.
  • response_type: Value must always be 'token'.

API Response containing the access_token:
{
 "access_token": {Loginradius Access Token},
 "token_type": {type},
 "expires_in": {seconds till expiration},
 "refresh_token" : {Refresh Token}
}

Step 3: Use Obtained LoginRadius Access Token

You can use the obtained access_token with LoginRadius APIs that accept an access_token until the token expires or is revoked.

Note: To add PKCE to this request, refer to the PKCE documentation.

Implicit

This section covers use of the Implicit flow with LoginRadius. It is the same as the Authorization Code flow up to the authorization request, except that response_type is token, or both code and token, and the access token is returned directly in the redirect to your callback URL instead of through a back-channel exchange. Because the token is delivered through the browser in the callback URL, handle that URL carefully (for example, do not write the full callback URL to server logs).

Implicit Workflow Link

To begin the Implicit flow, your application should redirect the consumer to the following authorization URL:

https://cloud-api.loginradius.com/sso/oauth/redirect?client_id={LoginRadius API key}&redirect_uri={Callback URL}&scope={Scope}&response_type=token&state={random long string}

Required Parameters

The authorization request contains the following URL parameters:

  • https://cloud-api.loginradius.com/sso/oauth/redirect: The API authorization endpoint.
  • client_id: The identifier of your client application at the authorization server. Enter the LoginRadius API Key.
  • redirect_uri: Callback URL on your site to which customers are redirected after authorization is granted.

    NOTE: Make sure that you have whitelisted the redirect_uri in your LoginRadius Dashboard. For more information, refer to the Dashboard documentation.
  • scope [optional]: Specifies the scope of the requested token. If omitted, the authorization server may assume a default scope.
  • state [optional]: Returned unchanged as part of the response. Generate a long random value per request and reject any callback whose state does not match the stored value.
  • response_type: Set to token, or to both code and token, to indicate the implicit flow. The following are the response structures for both cases:
    a. Response of login dialog if response_type=token: YOUR_CALLBACK_URI?token={LoginRadius access token}&state={Same value which is passed in request}
    b. Response of login dialog if response_type=code,token: YOUR_CALLBACK_URI?code={unique code}&token={LoginRadius access token}&state={Same value which is passed in request}

Now you can use the obtained access_token with LoginRadius APIs that accept an access_token until the token expires or is revoked.
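The following is an added example in Python of the client side of the Authorization Code flow (Steps 1 and 2 above) and of the Implicit callback shapes in this section. It is not LoginRadius code: the function names are the example's own, the values for the API key, secret and callback URL are placeholders, and the transport is injectable, with a constructed stub (fake_post_json) standing in for the token endpoint so the example runs offline. It assumes the token endpoint accepts a JSON request body, which the page shows but does not state explicitly. The endpoint URLs and parameter names are taken from the page.

```python
import hmac
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as documented on this page.
AUTHORIZE_URL = "https://cloud-api.loginradius.com/sso/oauth/redirect"
TOKEN_URL = "https://cloud-api.loginradius.com/sso/oauth/access_token"


def build_authorization_url(client_id, redirect_uri, response_type="code", scope=None):
    """Step 1: build the redirect to the authorization endpoint.

    Returns (url, state). Persist `state` in the customer's server-side
    session; parse_callback() needs it to verify the redirect that comes back.
    """
    if response_type not in ("code", "token", "code,token"):
        raise ValueError("unsupported response_type: %r" % response_type)
    state = secrets.token_urlsafe(32)  # unguessable and fresh for every request
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": response_type, "state": state}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_URL + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Handle the redirect back to redirect_uri.

    Accepts the three shapes shown on the page (?code=..., ?token=..., and
    ?code=...&token=...) and requires the echoed state to match the stored
    one, so a forged or replayed callback is rejected before the code or
    token is used.
    """
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    code = query.get("code", [None])[0]
    token = query.get("token", [None])[0]
    if code is None and token is None:
        raise ValueError("callback carries neither code nor token")
    return {"code": code, "token": token}


def callback_is_valid(callback_url, expected_state):
    """Boolean form of parse_callback for callers that only need to gate."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


def exchange_code(code, client_id, client_secret, redirect_uri, post):
    """Step 2 (back channel): trade the code for an access token.

    `post(url, body_dict) -> response_text` is the transport. Keeping it
    injectable means the client secret is only ever used server-side and
    the flow can be exercised offline with a stub.
    """
    body = {"client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri,
            "response_type": "token",  # fixed value for this endpoint per the page
            "code": code}
    resp = json.loads(post(TOKEN_URL, body))
    if "access_token" not in resp:
        raise ValueError("token endpoint returned no access_token: %r" % resp)
    return resp


def http_post_json(url, body):
    """Real transport: JSON POST (content type is an assumption of this example)."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_post_json(url, body):
    """Constructed stand-in for the token endpoint, used only for the offline demo."""
    if url != TOKEN_URL or body.get("response_type") != "token" or body.get("code") != "abc123":
        return json.dumps({"error": "invalid_grant"})
    return json.dumps({"access_token": "lr-access-token", "token_type": "Bearer",
                       "expires_in": 3600, "refresh_token": "lr-refresh-token"})


def run_authorization_code_demo():
    """Steps 1 and 2 end to end with placeholder values and the stub transport."""
    client_id, client_secret = "your-api-key", "your-api-secret"  # placeholders
    redirect_uri = "https://app.example/oauth/callback"
    url, state = build_authorization_url(client_id, redirect_uri, "code", scope="openid")
    # Constructed callback, as the browser would deliver it after the customer logs in:
    callback = redirect_uri + "?" + urlencode({"code": "abc123", "state": state})
    parts = parse_callback(callback, state)
    return exchange_code(parts["code"], client_id, client_secret, redirect_uri, fake_post_json)


if __name__ == "__main__":
    print(run_authorization_code_demo())
```

To run it against LoginRadius, pass http_post_json instead of fake_post_json to exchange_code and replace the placeholders with your API key, API Secret and whitelisted callback URL. For the Implicit flow, call build_authorization_url with response_type "token" or "code,token" and feed the resulting callback to parse_callback; the same state check applies, and the token it returns is the LoginRadius access_token.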

Resource Owner Password Credentials Grant

The Resource Owner Password Credentials Grant flow allows you to obtain an access_token using the consumer's traditional username/email/phoneid and password credentials. Because your application handles the consumer's password directly, use this flow only for first-party applications you fully trust.

Step 1: Obtain Access Token

Use the Access Token by Account Password API to obtain an access_token:

POST https://cloud-api.loginradius.com/sso/oauth/access_token

Request Body:
{
 "client_id": <<Your LoginRadius API Key>>,
 "client_secret": <<Your LoginRadius API Secret>>,
 "grant_type": "password",
 "username": <<Should be, email/phoneid/username of the customer>>,
 "password": <<The password of the account to login>>
}

Required Parameters

Here is an explanation of the Request Body Parameters:

  • client_id: LoginRadius API Key.
  • client_secret: LoginRadius API Secret. Send it only from your server; never embed it in browser or mobile code.
  • grant_type: Value must always be 'password'.
  • username: The customer's email/username/phoneid, depending on how you have configured LoginRadius for authentication.
  • password: The customer's account password.

API Response containing the access_token:

{
 "access_token": {Loginradius Access Token},
 "token_type": {type},
 "expires_in": {seconds till expiration},
 "refresh_token" : {Refresh Token}
}

Step 2: Use Obtained LoginRadius Access Token

You can use the obtained access_token with LoginRadius APIs that accept an access_token until the token expires or is revoked.

Refresh Token

Once you have obtained an access_token and the refresh_token returned with it, you can use the Refresh Access Token API to obtain a new access_token before the current one expires.

Required Parameters

Here is an explanation of the Request Body Parameter:

API Response containing the refreshed access_token:

{
 "access_token": {Loginradius Access Token},
 "token_type": {type},
 "expires_in": {seconds till expiration},
 "refresh_token": {Refresh Token}
}
