← Back to Docs

API Documentation

SSO Server REST API endpoints and usage

Authentication Endpoints

GET /auth/authorize/config/:configId/:appId

Initiate OAuth/OIDC authentication for a specific application.

Parameters:

  • configId (path): Client configuration ID
  • appId (path): Application ID
  • encoded (query, optional): Encoded parameters for custom integration

Response: Redirect to IdP authorization URL

GET /auth/authorize/ui/:configId

Initiate OAuth/OIDC authentication for UI mode.

Parameters:

  • configId (path): Client configuration ID

Response: Redirect to IdP authorization URL

GET /auth/callback

OAuth/OIDC callback endpoint.

Parameters:

  • code (query): Authorization code from IdP
  • state (query): State parameter for CSRF protection

Response: Redirect to external application with authentication token

GET /auth/callback/ui

UI mode callback endpoint.

Parameters:

  • code (query): Authorization code from IdP
  • state (query): State parameter with configuration

Response: Render UI authentication popup

SAML Authentication

GET /auth/saml/:providerId/:appId

Initiate SAML authentication.

Parameters:

  • providerId (path): SAML provider ID
  • appId (path): Application ID (use 'ui' for UI mode)
  • encoded (query, optional): Encoded parameters

Response: Redirect to SAML IdP or POST form for SAML request

POST /auth/saml/callback

SAML assertion consumer service (ACS).

Body:

  • SAMLResponse (required): Base64-encoded SAML response
  • RelayState (required): State/relay state from IdP

Response: Redirect to success handler or error

GET /auth/saml/success

SAML authentication success handler.

Parameters:

  • appId (query): Application ID
  • providerId (query): SAML provider ID

Response: Process user details and redirect to application

GET /auth/saml/metadata/:providerId

SAML SP metadata endpoint for IdP configuration.

Parameters:

  • providerId (path): SAML provider ID

Response: XML SP metadata document

Skip-Auth Flow

GET /auth/direct-skip

Direct skip-auth entry point for SSO-linked apps.

Parameters:

  • clientId (query, required): Client configuration ID
  • applicationId (query, required): Application ID
  • encoded (query, optional): Encoded parameters

Response: Redirect to skip-auth flow or initiate authentication

GET /auth/ui/app-skip/:configId/:appId

Skip-auth flow for UI-mode applications.

Parameters:

  • configId (path): Client configuration ID
  • appId (path): Application ID
  • encoded (query, optional): Encoded parameters

Response: Redirect to application with SSO token

POST /auth/verify-sso-token

Verify SSO token for skip-auth flow.

Body:

{
  "token": "sso-jwt-token"
}

Response:

{
  "valid": true,
  "email": "user@example.com",
  "name": "User Name",
  "sub": "user-subject",
  "provider": "google",
  "configId": "config-id",
  "appId": "app-id",
  "iat": 1234567890,
  "exp": 1234567900,
  "idpToken": "raw-idp-token"
}
GET /auth/verify-sso-token

Verify SSO token via GET request.

Parameters:

  • token (query): SSO JWT token

Response: Same as POST endpoint

Account Linking

POST /auth/link-account

Link user account to external application.

Body:

{
  "payload": {
    "email": "user@example.com",
    "password": "app-password"
  },
  "loginAttemptNumber": 1,
  "appId": "app-id",
  "providerId": "provider-id",
  "configId": "config-id",
  "encoded": "encoded-params"
}

Response:

{
  "redirectUrl": "https://app.example.com/callback",
  "redirectMethod": "GET",
  "redirectBody": null,
  "token": "external-app-token"
}

UI Endpoints

GET /auth/ui/app/:configId/:appId

UI mode application authentication page.

Parameters:

  • configId (path): Client configuration ID
  • appId (path): Application ID
  • encoded (query, optional): Encoded parameters

Response: Render popup-login page

Error Responses

400 Bad Request

{
  "error": "Missing required parameters",
  "details": "clientId and applicationId are required"
}

401 Unauthorized

{
  "valid": false,
  "error": "Invalid token"
}

422 Unprocessable Entity

{
  "error": "Unprocessable Entity",
  "details": {
    "message": "Invalid credentials"
  }
}

500 Internal Server Error

{
  "error": "Internal Server Error",
  "message": "Error message"
}

Security Considerations

Token Security

  • SSO tokens are short-lived (configurable expiration)
  • IdP tokens are cached server-side with TTL
  • Tokens are signed using JWT with secret key

CSP Compliance

  • All forms include CSP nonce
  • Configurable CSP policy via environment variables
  • Inline scripts use nonce for security

SAML Security

  • Assertion validation (timing, audience, signature)
  • Replay protection via request ID tracking
  • DB-backed state management for reliability