SSO - Authorization Code Grant Integration

USTA’s implementation of Okta redirects the user to the Okta Universal Login page. When a user signs in for the first time, we employ a just-in-time migration strategy: the user is presented with the option to Sign Up (create a new account) or Sign In with an existing account.

Approach

Before you begin development of your browser-based application, contact USTA to discuss what data you will need to access from USTA. Credentials will be issued for connecting to the USTA endpoints over HTTPS.

Credentials:

  1. client id

  2. client secret

USTA Admin will register your application as a client in the Okta configuration, including the exact redirect URI your application will use. The client secret must stay on your server side (never in browser JavaScript), because it is used for the code-for-token exchange described below.

Add a link of the form (note that the space between scopes is URL-encoded as %20):

https://stage-account.usta.com/authorize?client_id=[your_client_id]&response_type=code&scope=openid%20offline_access&redirect_uri=[your_redirect_url]&audience={audience_id}&state={state}

When a token for the authorized customer is needed, the Client API application follows the standard OAuth 2.0 authorization code grant flow. To perform this flow the Client API must be registered in the USTA authentication service and must have valid:

  • clientId - generated for every API Client during registration

  • secret - generated for every API Client during registration; keep it on the server side only

  • callbackUri - the endpoint to which the authorization code is returned after a successful login; it must be configured for every client and must match the redirect_uri sent to /authorize exactly

  • state - a randomly generated, unguessable value such as a UUID, stored in the user's session before the redirect and compared on the callback to prevent CSRF attacks, e.g. '29ca0dd4-966d-400d-9abc-570568f5c339'

To log in as a customer, the API Client application follows these steps:

Client App redirects to the authorize URL with the following parameters:

  1. https://stage-account.usta.com/authorize - the authorization endpoint.

  2. client_id={clientId} - mandatory, for example: 25idmdru0ucur4loa3hklcvpsa

  3. response_type=code - mandatory

  4. scope={requested scopes} - space-separated (URL-encoded), for example: openid offline_access email

  5. state={state} - a randomly generated value such as a UUID to prevent CSRF attacks, e.g. '29ca0dd4-966d-400d-9abc-570568f5c339'; generate a fresh one for every login attempt

  6. audience={audience_id}

  7. redirect_uri={callbackUri} - mandatory; must exactly match the callback URI registered for your client


Add Logic to Client Secure Landing Page

When valid credentials are provided, the browser is redirected to {callbackUri} with code={authorizationCode} and state={state} in the query string. Your landing page must first check that the returned state equals the value stored in the user's session (reject the request otherwise), and then exchange the one-time code for tokens at the USTA token endpoint from your backend using the client id and secret. The access token from that exchange is what you send as a Bearer token to the USTA APIs.

Call a protected endpoint (for example /customers/me) with the access token in the Authorization header and check the response for validation errors. Example against the stage profile service, where {access_token} is the access token returned by the token exchange:

  • EXAMPLE:

    curl --request GET 'https://stage-services.ustacoaching.com/profile/me/membership/insurance' \
      --header 'Authorization: Bearer {access_token}'
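The complete client-side sequence described on this page (build the authorize redirect, validate the callback, exchange the code on the backend, call a protected endpoint), as an added Python example. This is not USTA's or Okta's own code: the /authorize URL, its parameters and the profile API host are taken from the page, while the token endpoint URL, the client credentials and the callback query strings are assumed placeholders that you must replace with the values USTA issues to you.

```python
"""Authorization Code Grant helpers for the USTA / Okta login flow.

Added example, not USTA's or Okta's own code. AUTHORIZE_URL and API_BASE come
from the integration page; TOKEN_URL is an ASSUMED placeholder to confirm with
USTA. The HTTP helper is injectable so the flow can be exercised offline.
"""
import hmac
import json
import secrets
import urllib.parse
import urllib.request

AUTHORIZE_URL = "https://stage-account.usta.com/authorize"   # from the page
TOKEN_URL = "https://stage-account.usta.com/oauth/token"     # ASSUMED placeholder: confirm with USTA
API_BASE = "https://stage-services.ustacoaching.com"         # from the page
DEFAULT_SCOPES = ("openid", "offline_access", "email")


def new_state() -> str:
    """Unguessable per-login CSRF token; store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, audience, state, scopes=DEFAULT_SCOPES):
    """Build the /authorize redirect; every value is percent-encoded (scope becomes a %20-separated list)."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,   # must equal the registered callbackUri byte for byte
        "audience": audience,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def parse_callback(query_string, expected_state):
    """Validate the redirect back to callbackUri and return the one-time authorization code.

    The state check runs first so a forged or replayed callback is rejected
    before anything else is trusted; an OAuth error response is then surfaced.
    """
    q = urllib.parse.parse_qs(query_string, keep_blank_values=True)
    got_state = q.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(got_state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}: {q.get('error_description', [''])[0]}")
    code = q.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def token_request(client_id, client_secret, code, redirect_uri):
    """Form body for the code-for-token exchange; built on the backend so the secret never reaches the browser."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,   # must be identical to the value sent to /authorize
    }


def _http(url, data=None, headers=None):
    """Minimal urllib transport: POST when a body is given, otherwise GET. Replaced by a stub in tests."""
    req = urllib.request.Request(url, data=data, headers=headers or {}, method="POST" if data else "GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


def exchange_code(client_id, client_secret, code, redirect_uri, http=_http):
    """POST the authorization code to the (assumed) token endpoint and return the token set."""
    body = urllib.parse.urlencode(token_request(client_id, client_secret, code, redirect_uri)).encode()
    status, text = http(TOKEN_URL, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token endpoint returned {status}: {text}")
    tokens = json.loads(text)
    if "access_token" not in tokens:
        raise RuntimeError("token response has no access_token")
    return tokens


def get_profile(access_token, path="/profile/me/membership/insurance", http=_http):
    """Call a protected USTA endpoint with the bearer token and return the parsed JSON body."""
    status, text = http(API_BASE + path, None, {"Authorization": f"Bearer {access_token}"})
    if status == 401:
        raise PermissionError("access token rejected (expired, revoked or wrong audience)")
    if status != 200:
        raise RuntimeError(f"API returned {status}: {text}")
    return json.loads(text)
```

In a real deployment `new_state()` is called once per login attempt and the value is written to the server-side session; `parse_callback` reads it back from that session, never from anything the browser supplies. `exchange_code` and `get_profile` belong on the backend together with the client secret, and the backend hands only what the browser needs (for example a session cookie) back to the front end.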