Single Sign On

In the context of Paytronix, Single Sign On is a concept to refer to a user being able to create credentials in the Paytronix environment and then using those credentials to authorize themselves in other environments. We use existing OAuth integrations in order to achieve this.

Flow

To authenticate a guest using their Paytronix account information

../_images/sso_flow.png

  1. User navigates to integrator’s website (eg. https://www.myawesomewebsite.com/login)

  2. User clicks the login button and is redirected to Paytronix’s guest website, passing in the following GET parameters:
    • “state” optional - An opaque value that should be used by the client to maintain state between the request and callback. See OAuth 2.0 IETF RFC6749 for more information
    • “redirect_uri” required - A allow-listed Uniform Resource Identifier (URI) to which the guest may be redirected after an authorization grant is issued (Must be provided to Paytronix before integrating)
    • “client_id” required - A Paytronix issued id for which the authorization grant is issued
    • “scope” optional - A space separated sequence of values representing the requested access scope. Values are ‘account_read’, ‘account_write’, ‘user_read’, ‘user_write’
    • “response_type” required - Must be ‘code’

    eg. https://myawesomesite.myguestaccount.com/guest/accountlogin?response_type=code& client_id=awesomesite&redirect_uri=https%3A%2F%2Fwww.myawesomewebsite.com%2Flogin

  3. On successfully logging in, an authorization grant will be issued for the client_id and the guest will be redirected to the URI passed in. Note: This grant will expire 5 minutes after being generated.

    eg. https://myawesomesite/login?code=APA91bFdV3CWmJpMors50gWwQqtmmwxYKpyy1&expires_in=300

  4. The client should then make a requestGuestToken call to the Paytronix to obtain an access and refresh token pair.

    1. If the result is a success, Paytronix will return the guest’s username, an access token and a refresh token. The access token may then be used to authenticate functionality such as account balance and user information.
    2. If the result is a failure, an error should be provided to the guest. Paytronix will include additional information regarding why the message failed.

    See Grant By Authorization Grant for more information