Single Sign-On with OAuth 2.0
Estimated reading time: 5 minutes | Target users: IT Admins
OAuth 2.0 is an industry-standard authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as productname.label. The core authorizing workflow of OAuth 2.0 is to delegate user authentication to productname.label (the service that hosts the user account) and authorize third-party applications to access the user account.
OAuth 2.0 can be used with our Single Sign-On feature, which enables your users to log in to productname.label without having to enter their login credentials before each login.
Note: Activating this feature requires an initial setup at both your and productname.label’s end. For more details, please get in touch with your contact person at productname.label.
In this lesson, you will learn:
- About the Structure of OAuth 2.0
- How to set up Single Sign-On with OAuth 2.0
1. The Structure of OAuth 2.0
OAuth operates based on four roles:
- Resource Owner
- Client
- Resource Server
- Authorization Server
The resource owner is the user, who uses OAuth to authorize productname.label to access their account. productname.label’s access to the user’s account is limited to a predefined range, so you can set exactly which kind of access is granted for a given user (e.g. read or write access).
The client in this case is productname.label, the application that wants to access the user’s account. This access must be authorized by the user, and the authorization must be validated by the API.
The resource server hosts all of the user accounts, and the authorization server identifies the users and provides access tokens to the application. In most cases, a service’s API fulfills both the resource and authorization server roles.
2. Using Single Sign-On with OAuth 2.0
Our single sign-on authentication method uses the OAuth 2.0 open standard. To implement Single Sign-On for productname.label, please follow the steps below.
- You must have an OAuth 2.0 server installed and hosted.
- Register the productname.label application with the OAuth 2.0 system server. This will enable productname.label to connect to an authentication system of your choice.
- You will receive access details from the authorization server, including your client identifier, client server name, access token, and more.
- Please send us the access details. Our developer will register them in the productname.label system. We will also activate the single sign-on feature for you.
- Your productname.label users will be able to log in using the OAuth Login button, without having to enter their usernames and passwords. (Important: once this feature is enabled, it is not possible to use your username + password combination for logging in.) Upon opening productname.label, a browser window will appear, where users need to enter their centralized login credentials only the first time. If you have more than one user account, you can choose which account you want to log in with.
Note: OAuth 2.0 is an open protocol, and is not developed by productname.label.
Note: During the login process, OAuth 2.0 will return the email addresses to the productname.label application, and the application will authenticate the users with the email address. This requires you to provide the same email address for all the users in both OAuth 2.0 and the productname.label system.
Warning: Once this feature is enabled, you and your users will no longer be able to log in using the old method, unless you ask us to disable OAuth 2.0.
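A pre-activation check for the email-matching requirement and the lockout warning above, as an added example that is not part of productname.label's documentation or code: it compares an export of email addresses from your OAuth 2.0 server with the product's user list and flags accounts that would not match. The sample lists are constructed, and treating case or whitespace differences as a mismatch is an assumption, since the page does not say how addresses are compared.

```python
from collections import Counter

# Constructed sample data: replace with real exports from both systems.
IDP_EXPORT = ["alice@example.com", "Bob@Example.com", "carol@example.com",
              "dave@example.com", "DAVE@example.com"]
APP_USERS = ["alice@example.com", "bob@example.com", "erin@example.com",
             "dave@example.com"]

def normalize(email):
    """Trim and case-fold; used only to pair up near-matches for review."""
    return email.strip().casefold()

def reconcile(idp_emails, app_emails):
    """Compare both user lists and report accounts at risk after cut-over."""
    idp_exact = set(idp_emails)
    idp_by_norm = {}
    for e in idp_emails:
        idp_by_norm.setdefault(normalize(e), e)
    report = {"ok": [], "near_match": [], "missing_in_idp": [],
              "missing_in_app": [], "ambiguous": []}
    for e in app_emails:
        if e in idp_exact:
            report["ok"].append(e)                  # identical in both systems
        elif normalize(e) in idp_by_norm:
            # Same address apart from case/whitespace: fix before activation.
            report["near_match"].append((e, idp_by_norm[normalize(e)]))
        else:
            report["missing_in_idp"].append(e)      # no SSO identity at all
    app_norm = {normalize(e) for e in app_emails}
    report["missing_in_app"] = [e for e in idp_emails
                                if normalize(e) not in app_norm]
    # Two entries on one side that differ only by case map to one mailbox.
    dupes = set()
    for side in (idp_emails, app_emails):
        counts = Counter(normalize(e) for e in side)
        dupes.update(k for k, n in counts.items() if n > 1)
    report["ambiguous"] = sorted(dupes)
    return report

def safe_to_cut_over(report):
    """True only when no existing product user would fail to match."""
    return not (report["near_match"] or report["missing_in_idp"]
                or report["ambiguous"])

if __name__ == "__main__":
    result = reconcile(IDP_EXPORT, APP_USERS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to enable SSO:", safe_to_cut_over(result))
```

Run it before asking for the feature to be enabled: any entry under `near_match`, `missing_in_idp` or `ambiguous` is a user who may be unable to log in once password login is switched off.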
Congratulations!
You’ve just learned how to set up and configure Single Sign-On with OAuth 2.0 for the productname.label application.