Integrating towards the authorization server
To begin, we need you to register client details with us so that we can use these details to manage how CONNECT will interact with your client. The list of details required can be found on the client registration page.
You will have to decide on a redirect URI to be used to redirect users back to your client after authentication has been completed in CONNECT, see choosing a redirect URI for details.
Once the client details are finalised, you will receive a client_id, client_secret, and a series of cURL commands from Telenor Digital, which can be used to test responses from the authorization server and to get CONNECT ID user data via the OAuth access token APIs.
The client_id and client_secret are required to perform HTTP Basic authentication for confidential clients towards the authorization server (/oauth/token and /oauth/revoke endpoints only). Public clients will only receive a client_id.
When the user wishes to access the specific page that requires them to be logged in, they must be redirected via the authorization server's user authorization endpoint /oauth/authorize. The parameters you send will contain the scope that will be used by you, as well as the redirect URI, where the user will end up after finishing the login process. A state field is also present that must contain a cryptographically random string, which you must use to validate that the response matches the original request.
A list of scope values can be found at the scope page.
Once the user has logged in with CONNECT they will be redirected to the redirect URI you have specified, and an authorization code parameter will be included.
If there is an error, the redirect to the redirect URI will include an error parameter instead.
The authorization code must be exchanged for tokens by sending a request to the token endpoint /oauth/token. In return, you will get an access and a refresh token, and potentially an ID token if the openid scope was requested.
The access token can be used to access the user's protected resources on resource servers and needs to be validated in the process. Access tokens have a short life and when they expire, refresh tokens can be used to get a new access and refresh token. To do this, follow the refresh token instructions towards the token endpoint /oauth/token.
The ID token can be used to validate the authentication and verify the identity of the user.
How to log a user out is depending on whether the client has been configured with single sign-on (SSO) functionality. Logging out might involve sending a request to the revoke token endpoint /oauth/revoke and potentially also accessing the logout endpoint /oauth/logout. See the description of logout on the SSO page for details.
Example code for a client can be found at the authorization examples page.