Implementing Single Sign-On with the Schibsted account API

When you have completed this guide, your users can log into your application via Schibsted account, and you can access the Schibsted account API on their behalf.

Overview

This is the flow to log in a user:

  • The user is sent to the Schibsted account login page along with your client ID.
  • Once the user is logged in, they are sent back to your site with a code.
  • You use the code to fetch user information and set up a session.

This is a simple overview of the complete process between the client service (yellow) and Schibsted account (blue): [Figure: Single Sign-On using the redirect flow]

Configure your application

These variables change between production and staging environments:

  • Your client ID
  • Your client secret
  • Your client signature secret
  • The base URL to Schibsted account
  • Your base URL

How you choose to configure your application is up to you, but these variables should not be hard coded. Load them from configuration or the environment, and keep the two secrets out of source control.

Get ready to receive the user's login code

The Schibsted account login page expects a redirect URI back to your site, where the user will be sent after logging in. This is where you'll create the user's local session with the given code.

Let's just set up a basic handler for this now, and we can fill it in later.

Java

@RequestMapping("/create-session")
String createSession(@RequestParam String code) {
    return "redirect:/";
}

Send the user to the Schibsted account login page

Once you've got your configuration, you can assemble the URL to the Schibsted account login page. It's on <spid-base-url>/login, with these parameters:

  • client_id: your client ID.
  • response_type: always code in this version of the API.
  • redirect_uri: the URI where the user is redirected after logging in.
  • state: an opaque value you generate for each login attempt and verify when the user comes back. It ties the callback to the browser session that started the login, so a forged or replayed callback cannot attach a code to someone else's session.

Put these together and use the result as your login link.

NB! redirect_uri has to be a full URL back to your site. The domain also has to match the predefined URI that you have registered with Schibsted account. Only predefined redirect URIs are accepted by the Schibsted account login page.

Build login URL

Java

// appBaseUrl and the Schibsted account base URL come from configuration (they differ per environment)
String redirectURL = appBaseUrl + "/create-session";
// redirect_uri is percent-encoded so that '&', '?' or '#' in it cannot break up the query string
String loginUrl = "https://<schibsted account>/flow/login?response_type=code&" +
    "client_id=<client id>&state=<app state>&redirect_uri=" +
    URLEncoder.encode(redirectURL, StandardCharsets.UTF_8);

The login URL can be served directly to your end users. Because Schibsted account supports remember-me functionality, there is no need for users to take a detour through a local /login URL or similar.

Create an API client with the given login code

When the user finishes logging in with Schibsted account, they will be redirected back to your application via the redirect URI you provided. The redirect will come with a code. Using this code, you can create a client to communicate with the Schibsted account API on behalf of the user. The code is short-lived and single-use, so exchange it immediately in the redirect handler; the exchange and the first API call are shown together in the session handler in the next section.
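The two halves of the state check, as an added example that is not part of this page or of the Schibsted SDK: issuing a random state when the login URL is built, and consuming it once in the redirect handler before the code is used. The host names, the client ID and the `spid.state` session key are made up; the `/flow/login` path is taken from the snippet above; the `Map` stands in for the servlet `HttpSession`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Builds the login URL with a per-attempt state and checks that state when the user returns.
 * Added example, not Schibsted SDK code. Host names and the "spid.state" key are assumptions;
 * the /flow/login path is the one used in the snippet on this page.
 */
public final class LoginUrlBuilder {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String STATE_KEY = "spid.state";

    private final String spidBaseUrl;  // from configuration; differs between staging and production
    private final String clientId;
    private final String redirectUri;  // must be exactly one of the URIs registered with Schibsted account

    public LoginUrlBuilder(String spidBaseUrl, String clientId, String redirectUri) {
        this.spidBaseUrl = spidBaseUrl;
        this.clientId = clientId;
        this.redirectUri = redirectUri;
    }

    /** Issues a fresh 256-bit state, remembers it in the session, and returns the login URL. */
    public String buildLoginUrl(Map<String, Object> session) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(STATE_KEY, state);
        // Every value is percent-encoded; a raw redirect_uri containing '&' or '#' would corrupt the query.
        return spidBaseUrl + "/flow/login"
                + "?response_type=code"
                + "&client_id=" + enc(clientId)
                + "&redirect_uri=" + enc(redirectUri)
                + "&state=" + enc(state);
    }

    /**
     * Call this in the redirect handler before touching the code. Returns true only if the returned
     * state equals the one this session issued. The stored state is removed on every call, so each
     * state works once and a replayed or forged callback is rejected.
     */
    public boolean consumeState(Map<String, Object> session, String returnedState) {
        Object issued = session.remove(STATE_KEY);
        if (issued == null || returnedState == null) {
            return false;
        }
        // Constant-time comparison, so timing cannot leak the expected value byte by byte.
        return MessageDigest.isEqual(
                issued.toString().getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        LoginUrlBuilder builder = new LoginUrlBuilder(
                "https://login.example.test", "my-client-id", "https://app.example.test/create-session");
        Map<String, Object> session = new HashMap<>();
        String loginUrl = builder.buildLoginUrl(session);
        String issued = (String) session.get(STATE_KEY);
        System.out.println(loginUrl);

        // A callback carrying a forged state is rejected even though a state was issued.
        System.out.println(builder.consumeState(new HashMap<>(session), "forged"));
        // The genuine callback is accepted exactly once; a second attempt with the same state fails.
        System.out.println(builder.consumeState(session, issued));
        System.out.println(builder.consumeState(session, issued));
    }
}
```

In a Spring controller the `Map` is replaced by `request.getSession()` attributes, and the redirect handler takes `state` as a second `@RequestParam`: if `consumeState` returns false, stop and show an error; do not call the token endpoint with the code.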

Fetch user information and create a session

Use the API client you just created to fetch basic user information, and create a local session with it. You should also make sure to hang on to the client. You'll need it later.

Java

@RequestMapping("/create-session")
String createSession(@RequestParam String code, HttpServletRequest request) {
    // Exchange the login code for this user's access token
    String token = getUserToken(clientId, clientSecret, code);

    // Use the access token to get info about the user
    Map<String, String> headers = new HashMap<>();
    headers.put("Authorization", "Bearer " + token);
    Response response = spidClient.GET("/oauth/userinfo", headers);
    JSONObject userData = response.getJsonData();

    // Save token and info in the session; the token is reused for later API calls on the user's behalf
    request.getSession().setAttribute("userToken", token);
    request.getSession().setAttribute("userInfo", userData);

    return "redirect:/";
}
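What `getUserToken` has to do on the wire, as an added example written against the JDK's `java.net.http` client rather than the Schibsted SDK: POST the code, the client credentials and the same `redirect_uri` as the login URL to the token endpoint, then call `/oauth/userinfo` with the resulting bearer token. `/oauth/userinfo` is the path used on this page; the `/oauth/token` path is an assumption (the standard OAuth 2.0 token endpoint) to be checked against the API reference for your environment, and the host names and credentials are made up.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Exchanges the login code for an access token and fetches /oauth/userinfo.
 * Added example, not the Schibsted SDK. The /oauth/token path is an assumption
 * (standard OAuth 2.0 token endpoint); /oauth/userinfo is the path the page uses.
 */
public final class CodeExchange {
    private final HttpClient http = HttpClient.newBuilder().build();
    private final String spidBaseUrl;
    private final String clientId;
    private final String clientSecret;
    private final String redirectUri;

    public CodeExchange(String spidBaseUrl, String clientId, String clientSecret, String redirectUri) {
        this.spidBaseUrl = spidBaseUrl;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.redirectUri = redirectUri;
    }

    /** Form body of the authorization-code grant. The secret goes in the POST body, never in a URL. */
    public String tokenRequestBody(String code) {
        Map<String, String> form = new LinkedHashMap<>();
        form.put("grant_type", "authorization_code");
        form.put("client_id", clientId);
        form.put("client_secret", clientSecret);
        form.put("redirect_uri", redirectUri);  // must be byte-for-byte the value sent in the login URL
        form.put("code", code);
        StringBuilder body = new StringBuilder();
        for (Map.Entry<String, String> e : form.entrySet()) {
            if (body.length() > 0) {
                body.append('&');
            }
            body.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
        }
        return body.toString();
    }

    /** POSTs the code and returns the raw JSON token response; read access_token with your JSON library. */
    public String exchangeCode(String code) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(spidBaseUrl + "/oauth/token"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(tokenRequestBody(code)))
                .build();
        return sendExpectingOk(req);
    }

    /** Calls the userinfo endpoint on the user's behalf with the access token as a bearer token. */
    public String userInfo(String accessToken) throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(spidBaseUrl + "/oauth/userinfo"))
                .header("Authorization", "Bearer " + accessToken)
                .header("Accept", "application/json")
                .GET()
                .build();
        return sendExpectingOk(req);
    }

    private String sendExpectingOk(HttpRequest req) throws IOException, InterruptedException {
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) {
            // Log the body server-side if needed, but do not echo it to the user.
            throw new IOException("Schibsted account returned HTTP " + res.statusCode());
        }
        return res.body();
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        CodeExchange exchange = new CodeExchange("https://login.example.test", "my-client-id",
                "my-client-secret", "https://app.example.test/create-session");
        // Offline check: the exact body that will be sent for a constructed code value.
        System.out.println(exchange.tokenRequestBody("abc123"));
    }
}
```

Two things to do in the handler around this call: verify the returned `state` first, and call `request.changeSessionId()` (Servlet 3.1) before storing the token, so that a session ID an attacker planted in the browser before login is not promoted to an authenticated session.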

Log user out

When the user wants to log out, just deleting the local session isn't sufficient. They should also be logged out of Schibsted account. Otherwise they'll have a hard time logging in as another user, and they will still be logged into Schibsted account even if they think they have logged out.

To get this right, you should:

  • delete the local session
  • redirect the user to the Schibsted account logout URL

In addition to the user's access token, you pass along another redirect URI, so that the user is sent back to your site after logging out of Schibsted account.

Java

@RequestMapping("/logout")
String logout(HttpServletRequest request) {
    // Delete the whole local session, not just the two attributes we set
    request.getSession().invalidate();
    // Then end the Schibsted account session as well; the user's access token and a redirect URI
    // back to your site are passed on this URL
    return "redirect:https://<schibsted account>/logout";
}
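Local logout and the redirect to Schibsted account, as an added example that is not part of this page or of the SDK. It goes one step beyond the text: if your site lets the caller choose where to land after logout (a `?next=` parameter, say), that value is checked before it is placed in the redirect so the logout link cannot be turned into an open redirect. The query parameter names `redirect_uri` and `oauth_token` are assumptions standing in for whatever the API reference for your environment specifies; the host names are made up, and the `Map` stands in for the servlet `HttpSession`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

/**
 * Local logout plus the redirect to the Schibsted account logout URL.
 * Added example, not SDK code. The parameter names redirect_uri and oauth_token are assumptions;
 * use the names given in the API reference for your environment.
 */
public final class LogoutHandler {
    private final String spidBaseUrl;
    private final String appBaseUrl;

    public LogoutHandler(String spidBaseUrl, String appBaseUrl) {
        this.spidBaseUrl = spidBaseUrl;
        this.appBaseUrl = appBaseUrl;
    }

    /**
     * Wipes the whole local session (the Map stands in for HttpSession; call invalidate() there),
     * then returns the Schibsted account logout URL to redirect the browser to.
     * next is the page on your site to land on afterwards, for example from a ?next= parameter.
     */
    public String logout(Map<String, Object> session, String next) {
        Object token = session.get("userToken");  // read it before clearing; the logout URL carries it
        session.clear();
        String returnTo = appBaseUrl + safeReturnPath(next);
        StringBuilder url = new StringBuilder(spidBaseUrl)
                .append("/logout?redirect_uri=").append(enc(returnTo));
        if (token != null) {
            url.append("&oauth_token=").append(enc(token.toString()));
        }
        return url.toString();
    }

    /**
     * Only a plain path on this site is accepted as the post-logout destination. Anything that could
     * leave the site ("https://evil.test", "//evil.test", "/\evil.test") falls back to "/".
     */
    static String safeReturnPath(String next) {
        if (next == null || !next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) {
            return "/";
        }
        return next;
    }

    private static String enc(String value) {
        return URLEncoder.encode(value, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        LogoutHandler handler = new LogoutHandler("https://login.example.test", "https://app.example.test");
        Map<String, Object> session = new HashMap<>();
        session.put("userToken", "constructed-token-value");
        session.put("userInfo", "{}");
        // A same-site path is kept; a protocol-relative or absolute destination is replaced by "/".
        System.out.println(handler.logout(session, "/account"));
        System.out.println(handler.logout(session, "//evil.test/phish"));
        System.out.println(session.isEmpty());
    }
}
```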


Prerequisites

In order to complete this guide, you need to know your:

  • client ID
  • client secret

You should also have gone through the Getting Started guide; in particular, make sure you have downloaded and installed the appropriate SDK for your platform.
