OAuth 2.0/OIDC authentication flow
Learn more about the authentication flow for OAuth 2.0 compliant SSO.
- User as the Resource Owner
- Reltio Connected Data Platform as the Resource Server:
- Hub
- Reltio OAuth2 service
- Third-party identity provider (IdP) as the Authorization Server (for more information, see topicOAuth 2.0/OpenID Connect (OIDC) Single Sign On (SSO))
This diagram illustrates the authentication flow among these parties.
This authentication flow typically includes the following interactions:
- A user tries to log in to a Reltio tenant using the Hub.
- The Hub receives the request (with
tenantId
) and redirects the user to the Reltio OAuth2 service. - The Reltio OAuth2 service receives an authorization request and automatically redirects the user to the associated third-party Authorization Server to get an OAuth code. Using the
tenantId
provided by Hub, Reltio OAuth2 service chooses an IdP and redirects the user to the IdP login page. For example.https://auth-srv.customer.com/as/authorize?client_id=customer.reltio&client_secret=1A2b3C&grant_type=code&scope=profile_name,profile_email&redirect_uri=https://auth.reltio.com/callback&state=ABCD
where:- Login endpoint is the URL defined in the IdP configuration (for more information see section OAuth 2.0/OpenID Connect (OIDC) Single Sign On (SSO)).
- state is an internal identifier of the Authorization Server request to tie the redirect URL to the Reltio OAuth2 service callback page.
- The Hub gets a token for the user from Reltio OAuth2 service and sends it in an authorization request to Reltio OAuth2 service. For example.
https://auth.reltio.com/authorize?grant_type=code&code=<Reltio code>
- The Reltio OAuth2 service generates an OAuth token request for the Authorization Server. For example:
https://auth-srv.customer.com/as/authorize?grant_type=authorization_code&code=<code>
where:- Token endpointi s the URL defined in the IdP configuration.
- code is the user token received from Authorization Server in the previous step.
- The Reltio OAuth2 service sends a validation request with an appropriate authorization header to the IdP to obtain user information For example.
https://auth-srv.customer.com/as/user
or
https://auth-srv.customer.com/as/checkToken
where
User info endpoint
is defined in the IdP configuration. - The Reltio OAuth2 service tries to associate the user information from the IdP with a user it holds using
Reltio OAuth2-IdP
based on an unambiguous identifier such as an email address or user ID:-
If it can map the user, the Reltio Connected Data Platform validates the roles/privilege against those defined in IdP.
-
If it can't map the user, the Reltio Connected Data Platform creates a new user in Reltio OAuth2 with the roles predefined in the IdP configuration.
-
- The Authorization Server returns a response containing the OAuth
access_token
andrefresh_token
, which must be within 400 characters of each other.Note: For a refresh token request, the Reltio OAuth2 service uses the refresh token directly in the IdP.