
XPKit SSO

If you require registration or login functionality, XPKit provides the Single Sign On (SSO) option.

Rather than creating your own authentication system, you can allow users to sign in to your apps using their XPKit or social accounts. This is achieved using the OAuth 2.0 authorization-code flow.

In this flow, users click a sign-in button in your application, are redirected to the chosen provider to log in, and are then redirected back to your application with an authorization code. Finally, your app makes a request to exchange this code for an access token. You can then use this token to make authenticated requests to XPKit.
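The three steps above (redirect out, receive the callback, exchange the code), as an added example that is not XPKit's own SDK or documentation code. The endpoint URLs, client id and redirect URI are placeholder assumptions; the token endpoint is stubbed so the flow runs offline, and the `state` check and PKCE are standard hardening of the authorization-code flow that this page does not itself describe.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: XPKit's real endpoints, your client id and redirect URI are assumptions here.
AUTHORIZE_URL = "https://sso.xpkit.example/oauth/authorize"
TOKEN_URL = "https://sso.xpkit.example/oauth/token"
CLIENT_ID = "your-client-id"
REDIRECT_URI = "https://yourapp.example/callback"

def start_login(session):
    """Step 1: build the provider redirect; bind a random state (anti-CSRF) and a PKCE verifier to the session."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["pkce_verifier"] = secrets.token_urlsafe(64)
    digest = hashlib.sha256(session["pkce_verifier"].encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "state": session["oauth_state"], "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(session, callback_url, post):
    """Steps 2-3: verify the echoed state, then exchange the code via `post(url, form) -> dict` (injected so it can be stubbed)."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    returned = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected.encode(), returned.encode()):
        raise PermissionError("state mismatch: discard this callback (possible login CSRF)")
    if "error" in query:
        raise PermissionError(f"provider returned error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carried no authorization code")
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": session.pop("pkce_verifier")}
    # Keep the returned token server-side; the browser only ever holds your app's session cookie.
    return post(TOKEN_URL, form)["access_token"]

def fake_token_endpoint(url, form):
    """Constructed stand-in for the provider's token endpoint so the flow runs offline."""
    assert url == TOKEN_URL and form["grant_type"] == "authorization_code"
    return {"access_token": "constructed-access-token", "token_type": "Bearer"}

def demo():
    """Run the whole flow against the stub and return the access token."""
    session = {}
    start_login(session)
    callback = f"{REDIRECT_URI}?code=constructed-code&state={session['oauth_state']}"
    return handle_callback(session, callback, fake_token_endpoint)
```

Swap `fake_token_endpoint` for a real HTTPS POST (form-encoded body, client secret added if XPKit issues one for your application) to use it against the live provider.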

If you are unfamiliar with OAuth 2.0 and the authorization flows it provides, it may be helpful to read about these first. OAuth 2.0 Simplified is a good resource.

Creating a new OAuth application

  • Log into XPKit Portal
  • In the authentication section, create a new application under "Users"

Settings

In XPKit Portal, account administrators can set up the permitted authentication providers and configure them as necessary:

  • Logins can be restricted with the use of a domain lock.
  • If using XPKit as the provider, registrations can be restricted to invite only with MFA (multi-factor authentication) enabled as standard.
  • A group (a resource containing a series of permissions) can be created and assigned as the default. Upon initial login (or registration), only these permissions will be granted to the user.
    • If this group is not changed, the default one set by XPKit (called Single sign-on) is used, which is very restrictive. An access token granted from this group can only request details about the logged-in user (no access to any XPKit resources).

Updating a user's permissions

If an administrator changes the permissions (scopes) of a group a user belongs to in XPKit Portal, the user's access token becomes invalid and they will need to sign in again.

Registration

If an account administrator has chosen to use XPKit as the authentication provider, registration and invite flows are provided, and you can direct users into these flows using the following instructions.

If a social account has been selected as the authentication provider, user details will be requested on sign in and no separate registration flow will be required.

Demo

To see the SSO in action, head over to the registration site demo: