OAuth 2.0 is an authorization protocol that gives an API client limited access to user data on a web server. It relies on authentication scenarios called flows, which allow the resource owner (user) to share protected content from the resource server without sharing user's credentials. For that purpose, an OAuth 2.0 server issues access tokens which the client applications can use to access protected resources on behalf of the resource owner.

SSO Using OAuth2 Authorization Code Flow#

  • auth domain
    • This domain is an intermediary where login and signup pages are hosted as per the current workflow
    • Once user logs in, a qt-auth cookie is set on the auth domain
    • This domain needs to be added as the authentication domain for the realm in bridgekeeper realm table
  • authorize
    • Endpoint /api/auth/v1/oauth/authorize?client_id=&redirect_uri=&response_type=code
    • If the request is made with no or invalid qt-auth, this will redirect the user to the auth domain so the user can login
    • Once the user is logged in on the auth domain and qt-auth is set, the user will be redirected to the specified redirect uri with the authorization code
  • token
    • Endpoint /api/auth/v1/oauth/token
    • Here the calling application can exchange the prior authorization code for a JWT access token, that corresponds to the user's logged in session