OAuth 2.0 Integration Guide
This guide is designed to assist you in integrating your Identity Provider (IdP) with our product using OAuth 2.0. Follow these steps to establish a secure authentication flow, enabling your users to access our product seamlessly with their existing credentials.
Setup in Northpass
- Log in to your Northpass Admin account.
- Open the side navigation and go to Settings.
- Change the tab to Authentication.
- There, click Edit.
- In the Authentication tab dropdown, select Shared Accounts and make sure that OAuth 2.0 is marked below it.
- Fill in the data in the permissions section:
  - Client Identifier - CLIENT_ID. A unique string representing the registration information provided by the client. The authorization server provides this value, and it is specific to Northpass.
  - Secret Code - CLIENT_SECRET. The client secret. The authorization server provides this value, and it is specific to Northpass.
  - Authorization Endpoint - AUTHORIZATION_ENDPOINT. The authorization endpoint is used to interact with the resource owner and obtain an authorization grant; the authorization server MUST first verify the identity of the resource owner. The authorization server provides this value.
  - Token Endpoint - TOKEN_ENDPOINT. The client uses the token endpoint to obtain an access token by presenting its authorization grant or refresh token. The authorization server configuration provides this value.
  - Users API Endpoint - USER_API_ENDPOINT. This is provided by the resource server configuration. It is not specific to OAuth: it is an API endpoint that returns information about a single learner when called with the token received from the Token Endpoint.
  - SSO issuer - the name that is supplied to the identity provider.
- Fill in the destination details.
- (Optional) Fill in the Group organization.
- Click the Save button.
Authentication flow
- The user clicks on the link to the Northpass school.
- The user is redirected to the AUTHORIZATION_ENDPOINT with the following GET request parameters:
  - client_id - CLIENT_ID.
  - redirect_uri - YOUR_SCHOOL_URL/auth/oauth_base/callback.
  - response_type - code.
  - state - random string.
  Example:
  https://oauth_authenticator_example.com/auth/oauth_base/authorize?client_id=CLIENT_ID&redirect_uri=YOUR_SCHOOL_URL/auth/oauth_base/callback&response_type=code&state=STATE
- After successful authorization, the server redirects the user to YOUR_SCHOOL_URL/auth/oauth_base/callback with the following parameters:
  - code - code that is used to obtain an access token.
  - state - random string.
  Example:
  https://YOUR_SCHOOL_URL/auth/oauth_base/callback?code=CODE&state=STATE
- Northpass sends a POST request to the TOKEN_ENDPOINT with the following parameters:
  Body:
  - code - code that is used to obtain an access token.
  - grant_type - authorization_code.
  - redirect_uri - YOUR_SCHOOL_URL/auth/oauth_base/callback.
  Headers:
  - Content-Type - application/json.
  - Authorization - the authorization value is the word Basic, a space, and USER_DATA encoded with base64, where USER_DATA is CLIENT_ID:CLIENT_SECRET. So it looks this way: Basic base64(USER_DATA).
  Example:
  Endpoint: https://oauth_authenticator_example.com/oauth/token
  Body: { "code": "CODE", "grant_type": "authorization_code", "redirect_uri": "YOUR_SCHOOL_URL/auth/oauth_base/callback" }
  Headers: { "Content-Type": "application/json", "Authorization": "Basic Token" }
- The authorization server responds with the following parameters:
  { "access_token": "TOKEN_GENERATED_BY_AUTHORIZATION_SERVER", "token_type": "Bearer", "expires_in": VALUE IN SECONDS, "refresh_token": "REFRESH TOKEN GENERATED BY AUTHORIZATION SERVER", "scope": "read", "created_at": TIMESTAMP }
- Northpass sends a GET request to the USER_API_ENDPOINT with the following header:
  - Authorization - Bearer TOKEN_GENERATED_BY_AUTHORIZATION_SERVER.
  Example:
  Endpoint: https://oauth_authenticator_example.com/api/v1/userinfo
- The user API responds with the following parameters, in one of two shapes:
  - First possibility:
    { "first_name": "USER_FIRST_NAME", "last_name": "USER_LAST_NAME", "email": "USER_EMAIL", "user_id": "USER_ID", "lms": { "groups": [ "GROUP_1_NAME", "GROUP_2_NAME" ] } }
  - Second possibility:
    { "first_name": "USER_FIRST_NAME", "last_name": "USER_LAST_NAME", "email": "USER_EMAIL", "id": "USER_ID", "lms": { "groups": [ "GROUP_1_NAME", "GROUP_2_NAME" ] } }
- Northpass creates the user with the following parameters:
  - first_name - USER_FIRST_NAME.
  - last_name - USER_LAST_NAME.
  - email - USER_EMAIL.
  - sso_uid - USER_ID.
  - groups - adds the learner to the groups with names GROUP_1_NAME and GROUP_2_NAME.
- Northpass redirects the authenticated user to the destination page.
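As an added example that is not part of this guide or of Northpass's own code, the following Python walks the client side of the flow above on plain data, with no network calls: it builds the authorize redirect, checks the returned state against the one issued before trusting the code, assembles the token request with its Basic base64(CLIENT_ID:CLIENT_SECRET) header, and maps either user-API response shape (user_id or id) onto the Northpass user fields. All endpoint and credential values are constructed placeholders.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the real values come from the IdP and the Northpass settings page.
CLIENT_ID = "CLIENT_ID"
CLIENT_SECRET = "CLIENT_SECRET"
AUTHORIZATION_ENDPOINT = "https://oauth_authenticator_example.com/auth/oauth_base/authorize"
TOKEN_ENDPOINT = "https://oauth_authenticator_example.com/oauth/token"
REDIRECT_URI = "https://YOUR_SCHOOL_URL/auth/oauth_base/callback"


def build_authorize_url(state=None):
    """Step 2: the GET redirect to AUTHORIZATION_ENDPOINT. Returns (url, state)."""
    # A fresh unguessable state per login; the caller stores it in the session.
    state = state or secrets.token_urlsafe(32)
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": state}
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params), state


def parse_callback(callback_url, expected_state):
    """Step 3: pull `code` out of the callback URL, refusing a state that was not issued."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login")
    return query["code"][0]


def build_token_request(code):
    """Step 4: the POST to TOKEN_ENDPOINT with Basic base64(CLIENT_ID:CLIENT_SECRET)."""
    user_data = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
    headers = {"Content-Type": "application/json",
               "Authorization": "Basic " + base64.b64encode(user_data).decode()}
    body = {"code": code, "grant_type": "authorization_code", "redirect_uri": REDIRECT_URI}
    return TOKEN_ENDPOINT, headers, json.dumps(body)


def map_userinfo(userinfo_json):
    """Steps 6-7: map either user-API response shape (user_id or id) onto the Northpass user."""
    info = json.loads(userinfo_json)
    sso_uid = info.get("user_id") or info.get("id")
    if not sso_uid:
        raise ValueError("user API response carries neither user_id nor id")
    return {"first_name": info["first_name"], "last_name": info["last_name"],
            "email": info["email"], "sso_uid": str(sso_uid),
            "groups": list(info.get("lms", {}).get("groups", []))}
```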
Updated 28 days ago