How to integrate your login page
Enterprises can enjoy a branded and fully customised login / consent experience with the Connect2id server.
This is facilitated by a powerful web API for binding arbitrary UIs to the OAuth 2.0 authorisation endpoint of the server. Any language / framework can be utilised for that, leveraging your existing development resources and experience. Enterprises can operate multiple logins tailored for each target audience (e.g. corporate vs consumer users) or device (PC vs mobile). The login UI can be hosted independently from the Connect2id server, employing HA proxies and CDN if needed.
The job of the login page
The job of the login page is to intercept HTTP requests directed at the OAuth 2.0 authorisation endpoint. This is the URL where client applications send the end-user's browser to perform the following tasks:
Authenticate the end-user with the Connect2id server (in its role as an OpenID Connect identity provider);
Let the end-user allow / deny the client app access to requested personal details (UserInfo), or other protected data / web APIs secured by the Connect2id server (in its role an OAuth 2.0 authorisation server).
Registering the login page
The login page URL must be saved in the op.authz.endpoint configuration property of the server.
Them Connect2id server will then advertise the login page location as its OAuth 2.0 authorisation endpoint, as described above. This happens through the OpenID Connect provider metadata, which is published at a well-known location as a JSON object:
Authentication / consent flow
Upon receiving an OpenID Connect authentication request the login page must perform the following steps:
Extract the query string and the session cookie (if one is present) from the HTTP request. Then use the these two parameters to make a POST request to start a new authorisation session. This session is basically a set of interactions to establish the end-user's identity and ask for their consent.
The Connect2id server will create an authorisation session, and return its
sid, in the response (not to be confused with the browser
session established with the cookie).
The user has no session with the Connect2id server;
The authentication strength, or level, (ACR) needs to be upgraded to match the application's security requirement.
For the simple case (1), create an HTML form, get the user's credentials, then verify them (using whatever mean you have to, such as a call to your Active Directory / LDAP server).
On success do a PUT to
the authorisation session ID (
sid) with the end-user authentication
details. With that the identity of
the end-user will have been established, and the Connect2id server will create
an internal session for the user.
Proceed to step 5.
Proceed to step 5.
Gather / compose the authorisation, by presenting a credentials form to the end-user, or by some other mean. When you're done do a PUT with the consent. The response will be an HTTP 302 redirection, which you can then use to send the browser back to the client app.
If you get an HTTP 302 response at any other time, use the
to redirect the browser back to the client app.
If you get a 220 response at any time this means some kind of an authorisation error has occurred, but the browser must NOT be redirected.
If the user chooses not to authorise the client app, do a DELETE and handle the redirection as described above.
Example login page