Integrating cidaas with your Business

Integrating cidaas with your business is simple and can be done for the Admin and User Service portals.

To secure your business apps and APIs with cidaas, use the cidaas SDKs inside your applications after configuring the required elements (Apps, Groups, Users, Authentication flows, Login Types, Consents and others) in the cidaas Administration Interface.

After signup, every cidaas customer receives an administration URL. Once the configuration is done, your business users can register and log in (handled by cidaas) and use their business applications. They can further customize their login and multi-factor authentication settings from within their User Profile.

The three components relevant to cidaas integration include:

1. cidaas Admin UI - Used to configure the features and workflows your business app needs after integrating with cidaas.

2. cidaas SDK - Used by your business application's IT specialists or developers.

3. cidaas User UI - The user profile or self-service page where users customize their login experience.

Here are more details on these three components.

For Administrators

By default, the Admin UI is accessible at yourcidaasbaseurl/admin-ui.

For Users

Using the user self-service portal on your website or mobile app, your customers can set up their login and customize access to your business application using email and password, MFA, passwordless access (Email and SMS OTP), FIDO, social login and other mechanisms.

Because cidaas works on the OAuth2 and OpenID Connect standards, the login URL cannot be directly accessed at yourcidaasbaseurl/user-ui. You need to construct it explicitly using the following parameters.

1. Client/App: The cidaas authorization endpoint of your tenant (yourcidaasbaseurl/authz-srv/authz in the example below).

2. client_id: The unique client ID assigned to the application.

3. redirect_uri: The URL to which the user is redirected after successful authentication. It must be one of the redirect URLs registered for the app.

4. response_type: The response type of the login request (code, token or id_token).

Example: https://sampleshop.cidaas.de/authz-srv/authz?client_id=your_client_id&response_type=code&scope=profile&redirect_uri=https://sampleshop.cidaas.de/user-profile/editprofile&view_type=login

Integration with SDKs

cidaas offers SDKs for multiple technology stacks to generate this login URL.

With the SDKs, follow these integration steps:

  1. Admin Portal login
  2. Application creation
  3. Authz URL generation

Admin Portal Login

Open the Admin portal https://sampleshop.cidaas.de/admin-ui and sign in.

Application Creation

1. Navigate to the Apps section and click on + Create new App.

2. Select an Application type from the options iOS, Android, Windows, Regular, Non-Interactive or Single Page application.

3. Select the scopes you want to include from the list; they define the additional permissions or access rights for the app users.

cidaas matches these scopes against the scopes actually allowed for the user during sign-in and grants access accordingly. cidaas supports built-in scopes on the Admin UI such as "email", "profile", "openid", "offline_access", "phone" and "cidaas:register", as well as custom scopes created by the admin for the application.

4. Select the Hosted page group (from the default and custom options).

5. Add the redirect and Logout URLs. The user is routed to the redirect URL after a successful login and to the Logout URL after a successful logout.

6. Select the Response Type based on your need from code, token or id_token.

  • Code: The authorization code flow is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application reads the authorization code from the URL and uses it to request an access token.

  • Token: When the response type selected is **token**, the access token is issued directly in the redirect (implicit flow).

  • ID Token: An ID token is issued only when the openid scope is requested. The id_token issued is a [JWT](introduction/json-1.md), which is compact, URL-safe and transferable between two parties. The claims in a JWT are encoded as a JSON object used as the payload of a **JSON Web Signature (JWS)** structure or as the plaintext of a JSON Web Encryption (JWE) structure, which lets the claims be digitally signed or integrity-protected with a Message Authentication Code (MAC) and/or encrypted.

7. Select the Grant Type from implicit, authorization_code, password, refresh_token or client_credentials. Prefer "authorization_code" for both Single-page web applications and Native applications: the OAuth 2.0 Security Best Current Practice discourages the "implicit" grant because it delivers tokens in the URL fragment, where they can leak through browser history, referrers and scripts. If you do use "implicit" for a Single-page application, keep access token lifetimes short and request a nonce.

8. Set the "Access token expires in" and "Id token expires in" values (the token lifetimes in seconds).

9. Select the required fields for your app. Fields marked "required" must be filled in by your customer before login/registration.

10. Select the allowed social and custom providers.

11. Enable or disable Multifactor Settings. When enabled, two-step verification runs every time your customer logs in to the app; otherwise two-step verification is not prompted.

12. Select the access role for the app. By default, "USER" will be selected.

Generating the Authz URL

Once the app is created, construct the Authz URL for it. An Authz URL requires the client_id, a redirect URL, a view_type and a response type. Make sure all scopes the app needs are included in the Authz URL.

Note: All parameters given in the Authz URL are validated in the request against those configured under the app settings on cidaas. A request whose redirect_uri, scopes or response_type are not registered for the app is rejected.

Handling the OAuth Flow

After generating the Authz URL, you can create the registration and login flows in one of the following ways.

Authorization Code flow

https://sampleshop.cidaas.de/authz-srv/authz?client_id=your_client_id&response_type=code&scope=profile&redirect_uri=https://sampleshop.cidaas.de/user-profile/editprofile&view_type=login

Authorization Code flow with openid scope

https://sampleshop.cidaas.de/authz-srv/authz?client_id=your_client_id&response_type=code&scope=profile%20openid%20email%20phone%20offline_access&nonce=12345&redirect_uri=https://sampleshop.cidaas.de/user-profile/editprofile&view_type=login

Scopes are separated by spaces (URL-encoded as %20 or +). If the openid scope is added, the nonce parameter is mandatory. The nonce is an opaque value, e.g. a random string, that associates a client session with an ID token and mitigates replay attacks; it must be unguessable and checked against the nonce claim of the returned ID token. OpenID Connect requires this parameter in the implicit flow.

For the other flows, change response_type to token or id_token.

To open the registration page instead of the login page, change the view_type parameter accordingly.

Token Introspection

Token introspection (RFC 7662) is used to validate reference tokens: the resource server asks cidaas whether a token is still active and which scopes and claims it carries, because an opaque reference token cannot be checked locally. The introspection response only reports the scopes contained in the token, so the caller must still check that the scopes it needs are among them.

Requests to the introspection endpoint must be either authenticated with client credentials or authorized with a bearer access token.

For the implicit flow, the session check instead happens through the check-session iframe described next.

Check session

After a user signs in with OpenID Connect, the client application may need to check periodically whether the user is still logged in at the OpenID Provider. The check session feature (OpenID Connect Session Management) achieves this: the client embeds the provider's check-session iframe, posts its client_id and the session_state received at login to it, and the iframe answers whether the provider session has changed.

The integration process, either native or with a webview, is illustrated below using the JavaScript SDK and the iOS SDK.

Integration with Javascript SDK

Installation

You can access the SDK at the following link.

https://cdn.cidaas.de/javascript/oidc/v2/cidaas-sdk.min.js

Initialization


var options = {
    authority: "your cidaas base url",               // e.g. https://sampleshop.cidaas.de
    client_id: "your client id",                     // client_id of the app created in the Admin UI
    redirect_uri: "your redirect url",               // must match a redirect URL registered for the app
    post_logout_redirect_uri: "your post logout url", // must match the app's Logout URL
    response_type: "id_token token",                 // implicit flow: tokens are returned in the redirect
    scope: "openid email roles profile",             // openid is required to receive an id_token
    mode: "redirect"                                 // full-page redirect to the cidaas login
}

If you want to perform silent login, add "silent_redirect_uri" and set mode as “silent”.

Instance Creation

var cidaas = new CidaasSDK(options);

Login and Registration

Login with Browser

cidaas.loginWithBrowser();

Handle login callback (access token, id_token, expires_in and other params)

This completes the login process by storing access_token, id_token, expires_in and the other parameters in your browser session. If you omit this call, the login process is not completed.


cidaas.loginCallback().then(function(response) {
    // your success code
    // Here you get access_token, expires_at, id_token, scope, session_state, token_type and profile information
}).catch(function(ex) {
    // your error code
    // Here you get the error response, e.g. a missing property or state
});

Registration

cidaas.registerWithBrowser();

Getting User Information


cidaas.getUserInfo().then(function(response) {
    // your success code
    // Here you get access_token, expires_at, id_token, scope, session_state, token_type and profile information
}).catch(function(ex) {
    // your error code
    // Here you get the error response, e.g. a missing property or state
});

Logout

cidaas.logout();

For more information, refer

https://github.com/Cidaas/cidaas-sdk-javascript-v2

Integration with iOS SDK

Installation

The iOS SDK is available through CocoaPods. To install it, add the following line to your Podfile.

pod 'cidaas'

Create a plist file named 'Cidaas.plist' and add the properties DomainURL, RedirectURL and ClientID.

Instance Creation

var cidaas = Cidaas.shared

Congratulations! You have now integrated cidaas to your application.

If you have any questions or need further assistance, please contact our support team.

We'll be happy to help. Thank you!
