Login to PLAY via SMA:

When the user enters their email and hits Next, look up the Account and check whether it has an externalId. If there is no externalId, continue logging in normally. If there is an externalId, redirect the user to Spordle My Account (SMA) to log in.

Once the user has successfully logged into SMA, SMA sends them back to /login with an SMA accessToken and the username of the user trying to sign in.

The client (admin) reads the accessToken and username from the URL and sends them to the Authorization Server (the /token endpoint of our API) together with the other information needed to validate that the request comes from the correct client. Side note: it uses grant_type: password so that the oauth2orize package doesn't complain about a custom grant type.

The Authorization Server validates that the request comes from the correct client, that the SMA accessToken is valid, and that the username trying to sign in matches the validated SMA accessToken. Once all of that checks out, it returns the user's PLAY accessToken and refreshToken. The PLAY accessToken gets the same expiry time (TTL) as the SMA accessToken so that the PLAY user session doesn't outlive the SMA accessToken's validity.

The client logs the user in and sets the session, the same as in the regular username/password flow.