Some OpenChannel customers have custom-built SSO solutions that are not compliant with the OpenID Connect specification. To connect a custom-built SSO to OpenChannel and allow users and developers to log in and make calls through our Client API, we can simulate the OpenID Connect flow.

Setup Marketplace or Partner Portal

The first step is to set up and run your new marketplace or partner portal site. For more details about setting up a site, see: Setting up self hosted sites. Once it is running, you may need to configure this marketplace or partner portal site as a service provider in your system. Typically this is required so that after the user is redirected to log in, your system knows how to redirect the user back to the marketplace or partner portal site. The redirect should also provide a JWT token in the “token” query parameter. The marketplace or partner portal client should then store the JWT as the access token and pass it along with every API call. When our API receives the access token, we’ll validate it against your introspection API.

The second step is to create two API endpoints: openid-configuration and introspect.

Openid-configuration

Create a public GET API endpoint /.well-known/openid-configuration that returns JSON with authorization_endpoint and introspection_endpoint attributes that contain the URLs to our next two endpoints. The authorization_endpoint should point to the URL where the user will be redirected once they choose to log in. Example:

{
  "authorization_endpoint": "https://openchannel.free.beeceptor.com/v1/authorize",
  "introspection_endpoint": "https://openchannel.free.beeceptor.com/v1/introspect"
}

Introspect

Create a protected POST endpoint like /introspect that returns JSON with an active attribute. Below are the traits for this API:

  • The endpoint must take the JWT token in the POST body
  • If the JWT token is valid then return a 200 status code with active: true. Otherwise return a 401 status code. Also, this endpoint may return the details about the user. Example:
    {
      "active": true,
      "sub": "00uid4BxXw6I6TV4m0g3",
      "name": "John Doe",
      "nickname": "Jimmy",
      "given_name": "John",
      "middle_name": "James",
      "family_name": "Doe"
    }
  • The endpoint should be protected using basic authentication.
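
The introspection logic described above, as an added example (not OpenChannel's code). It assumes HS256-signed JWTs, a form-encoded "token" field in the POST body, and constructed credentials and signing key; all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs

# Constructed sample values (assumptions, not OpenChannel defaults).
CLIENT_ID, CLIENT_SECRET = "oc-client", "oc-secret"
JWT_KEY = b"constructed-signing-key"

def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_jwt(claims):
    """Issue an HS256 JWT (stands in for the custom SSO's token issuer)."""
    head = b64u_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u_encode(json.dumps(claims).encode())
    sig = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u_encode(sig)}"

def basic_auth_ok(header):
    """Check the Authorization header against the Client ID / Client Secret."""
    try:
        scheme, value = header.split(" ", 1)
        user, _, pw = base64.b64decode(value).decode().partition(":")
    except Exception:
        return False
    ok_user = hmac.compare_digest(user.encode(), CLIENT_ID.encode())
    ok_pw = hmac.compare_digest(pw.encode(), CLIENT_SECRET.encode())
    return scheme.lower() == "basic" and ok_user and ok_pw

def introspect(auth_header, post_body):
    """Return (status, json_dict) for a POST /introspect request."""
    if not basic_auth_ok(auth_header or ""):
        return 401, {"active": False}
    token = parse_qs(post_body).get("token", [""])[0]
    try:
        head, body, sig = token.split(".")
        if json.loads(b64u_decode(head)).get("alg") != "HS256":  # rejects "none"
            raise ValueError("unexpected alg")
        want = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        claims = json.loads(b64u_decode(body))
        if not hmac.compare_digest(want, b64u_decode(sig)) or claims["exp"] <= time.time():
            raise ValueError("bad signature or expired")
        return 200, {"active": True, "sub": claims["sub"], "name": claims.get("name")}
    except Exception:
        return 401, {"active": False}
```

Any parsing, signature, or expiry failure falls through to the same 401, so a caller cannot distinguish a malformed token from a forged one.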

Add Identity Configuration

The last step is to set up the authentication details within OpenChannel. To set up the identity configuration, follow the steps below:

  1. Log into https://my.openchannel.io
  2. Click on Sites from the left navigation
  3. Click on the Authentication tab
  4. Click the Add Identity Configuration button
  5. Enter the following sample details into the form:
    Name: Any name for this configuration
    Validation Mode: Introspection
    Client ID: The username for the introspection URL
    Client Secret: The secret for the introspection URL
    Issuer URL: The base URL before “/.well-known/openid-configuration”
    Classification: USER for a marketplace and DEVELOPER for a partner portal
    Claims Mappings: Configure the mapping to the data returned by the introspection endpoint. See Configuring Login and SSO for sites for more details.
  6. Click the Create button
  7. Click the … menu beside the new configuration and select Make Default