.. _2party_sso:

================
2-Party SSO Flow
================

This flow, based on the authorization code flow defined in `RFC 6749 Section 4.1 <https://datatracker.ietf.org/doc/html/rfc6749#section-4.1>`_, is used to persist a guest's SSO between one integration and another. For example, a guest logs into an integrated mobile app and then navigates to a different integrated online ordering website. SSO is persisted without requiring the guest to sign in again.

To authenticate a guest using an authorization code
---------------------------------------------------

.. image:: sso_2party.png

1. The guest logs into the 1st party's integration (such as an integrated mobile app).

2. Once logged in, the guest taps a link to navigate to the 2nd party's integration (such as an online ordering webview). This should trigger the 1st party integration to make a :http:post:`oauth/requestAuthorizationGrant.json` API call and append the resulting ``authorizationGrant`` as a query parameter to the URL in the link. This auth grant is one-time-use and expires 5 minutes after being generated.

   e.g. ``https://myawesomesite/login?code=APA91bFdV3CWmJpMors50gWwQqtmmwxYKpyy1&expires_in=300``

3. The 2nd party integration should then make a requestGuestToken call by auth grant to Paytronix to obtain an access and refresh token pair.

   a. If the result is a success, Paytronix will return the guest's username, an access token and a refresh token. The access token may then be used to authenticate functionality such as account balance and user information.

   b. If the result is a failure, an error should be shown to the guest. Paytronix will include additional information regarding why the request failed.

See `Grant By Authorization Grant <.././pxs_api_reference/oauth.html#grant-by-authorization-grant>`_ for more information.
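The handoff in steps 2 and 3, as an added example that is not part of the Paytronix documentation or SDK: the 1st party builds the link carrying the grant as the ``code`` query parameter, and the 2nd party extracts the grant and submits it for exchange at most once. The ``exchange`` callable, the grant value and the URLs are constructed placeholders standing in for the real requestGuestToken call.

```python
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

GRANT_TTL_SECONDS = 300  # an authorization grant expires 5 minutes after generation


def build_handoff_link(target_url: str, authorization_grant: str) -> str:
    """1st party: append the grant from requestAuthorizationGrant.json as the
    ``code`` query parameter, preserving any query the link already carries."""
    parts = urlsplit(target_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["code"] = [authorization_grant]
    query["expires_in"] = [str(GRANT_TTL_SECONDS)]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


class GrantReceiver:
    """2nd party: extract the grant and exchange it at most once.

    ``exchange`` is a hypothetical stand-in for the requestGuestToken-by-auth-grant
    call: code -> dict with username/access/refresh token, raising on failure."""

    def __init__(self, exchange, clock=time.time):
        self._exchange = exchange
        self._clock = clock
        self._used = {}  # code -> time of first use; pruned once the TTL has passed

    def handle(self, incoming_url: str) -> dict:
        now = self._clock()
        # Grants older than the TTL are rejected by Paytronix anyway, so the
        # local replay record only needs to cover that window.
        self._used = {c: t for c, t in self._used.items() if now - t < GRANT_TTL_SECONDS}
        codes = parse_qs(urlsplit(incoming_url).query).get("code", [])
        if len(codes) != 1 or not codes[0]:
            raise ValueError("missing or ambiguous code parameter")
        code = codes[0]
        if code in self._used:
            raise PermissionError("authorization grant already used")
        self._used[code] = now  # record before exchanging so a retry cannot race
        try:
            return self._exchange(code)
        except Exception as err:  # Paytronix reports why the grant was rejected
            raise PermissionError(f"sign-in failed: {err}") from err
```

The server-side one-time-use check is authoritative; the local record only stops the 2nd party from re-submitting a grant it has already spent.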