2-Party SSO Flow

This flow, based on the authorization code flow defined in RFC6749 Section 4.1 is used to persist a guest’s SSO between one integration and another. For example, a guest logs into an integrated mobile app and navigates to a different integrated online ordering website. SSO is persisted without needing the guest to sign in again.

To authenticate a guest using an authorization code

  1. User logs into the 1st party’s integration (such as an integrated mobile app)

  2. Once logged in, guest taps on a link to navigate to the 2nd party’s integration (such as an online ordering webview). This should trigger the 1st party integration to make a POST oauth/requestAuthorizationGrant.json API call, and append the resulting authorizationGrant as a query param to the URL in the link. This auth grant is one-time-use and expires 5 minutes after being generated.

    eg. https://myawesomesite/login?code=APA91bFdV3CWmJpMors50gWwQqtmmwxYKpyy1&expires_in=300

  3. The 2nd party integration should then make a requestGuestToken call by auth grant to the Paytronix to obtain an access and refresh token pair.
    1. If the result is a success, Paytronix will return the guest’s username, an access token and a refresh token. The access token may then be used to authenticate functionality such as account balance and user information.
    2. If the result is a failure, an error should be provided to the guest. Paytronix will include additional information regarding why the message failed.

    See Grant By Authorization Grant for more information