SID-1940 Authentication
V1 integrates with SMA as a third-party client. A future iteration is intended to support first-party integration once most accounts have been migrated.
SMA refers to Spordle My Account
Requirements
Replace Play account registration flow with SMA login
Link existing Play accounts to SMA accounts
Continue to allow login with Play accounts but prompt to link SMA account if not linked
Session durations and global logout are not implemented
Implementation
Login and Registration Flow
User clicks on Login with SMA
Registration button has been removed
User completes the SMA flow and is successfully redirected back to Play with an access token
SMA flow is out of scope for this document
Play app sends the token to a new Play API endpoint for authentication
API uses the token to retrieve account details (account id, email address) and linked participant details (id, name, etc.) from SMA
Play to sync the account (based on `externalId` and `email`, similar to participants):
If neither exists, create a new account with the `email` and `externalId`.
If the `email` exists but the `externalId` does not, update the account with the `externalId`.
If the `externalId` exists with a mismatched `email`, update the `email`.
Play to sync identities and participants
Import participants based on the linked participant details
This process already exists as part of the sync
How do we match tenants?
Create any missing account identities
Primary to be determined from SMA?
API will create any additional contacts for notifications
API returns a Play access token to the app with the same response/behaviour as the password flow
If the participant doesn’t have any permissions, the existing unauthorized message will be shown
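The three account sync rules above, written out as an added Python example. This is not the Play API's own code: the `Account`/`AccountStore` shapes, the lower-casing of emails before comparison, and the conflict handling for the two cases the rules do not cover (the new email already belongs to another account; the matched email is already linked to a different SMA account) are assumptions made here. It also assumes SMA only ever returns a verified email address, because the "email exists, link it" rule hands an existing Play account to whoever controls the SMA account with that email.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    id: int
    email: str
    external_id: Optional[str] = None  # SMA account id; None means "not linked"


class ConflictError(Exception):
    """Raised when a sync rule would silently re-point a link or duplicate an email."""


class AccountStore:
    """Minimal in-memory stand-in for the Play account table (assumed shape)."""

    def __init__(self) -> None:
        self._accounts: dict[int, Account] = {}
        self._next_id = 1

    def by_external_id(self, external_id: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.external_id == external_id), None)

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self._accounts.values() if a.email == email), None)

    def create(self, email: str, external_id: Optional[str]) -> Account:
        account = Account(self._next_id, email, external_id)
        self._accounts[account.id] = account
        self._next_id += 1
        return account


def sync_account(store: AccountStore, sma_account_id: str, sma_email: str) -> tuple[Account, str]:
    """Apply the account sync rules from the login flow.

    Returns (account, action), action in {"matched", "email_updated", "linked", "created"}.
    Assumption: sma_email is an address SMA has verified. Matching an unlinked Play
    account by email (the "linked" branch) gives that account to the SMA account
    holder, so an unverified address must never reach this function.
    """
    email = sma_email.strip().lower()  # assumption: Play compares emails case-insensitively

    # Rule: externalId already known -> same account; refresh a changed email.
    account = store.by_external_id(sma_account_id)
    if account is not None:
        if account.email == email:
            return account, "matched"
        if store.by_email(email) is not None:
            # Not covered by the design: the new email is already used by another
            # Play account. Refuse rather than create a duplicate (assumed behaviour).
            raise ConflictError(f"email {email} already belongs to another account")
        account.email = email
        return account, "email_updated"

    # Rule: email known but not yet linked -> attach the externalId.
    account = store.by_email(email)
    if account is not None:
        if account.external_id is not None:
            # Not covered by the design: this email is already linked to a different
            # SMA account. Refuse rather than silently re-point the link (assumed).
            raise ConflictError(f"account {account.id} already linked to {account.external_id}")
        account.external_id = sma_account_id
        return account, "linked"

    # Rule: neither known -> create the account.
    return store.create(email, sma_account_id), "created"


def sync_outcome(store: AccountStore, sma_account_id: str, sma_email: str) -> str:
    """Convenience wrapper: the action taken, or "conflict" if a rule was refused."""
    try:
        return sync_account(store, sma_account_id, sma_email)[1]
    except ConflictError:
        return "conflict"


if __name__ == "__main__":
    store = AccountStore()
    store.create("bob@example.com", None)  # constructed: an unlinked legacy Play account
    print(sync_outcome(store, "sma-1", "Alice@Example.com"))  # created
    print(sync_outcome(store, "sma-2", "bob@example.com"))    # linked
    print(sync_outcome(store, "sma-2", "robert@example.com")) # email_updated
    print(sync_outcome(store, "sma-3", "robert@example.com")) # conflict
```

The lookup order (externalId first, then email) is what makes the rules mutually exclusive; the two `ConflictError` branches are the places where the design as written would otherwise either duplicate an email or quietly move an existing link between SMA accounts, and should be decided explicitly before V1 ships.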
Linking Flow
User logs in with their Play credentials
The `/accounts/current` request will flag whether the account is linked, based on whether `externalId` is set on the account. If this flag is not set, skip this flow.
Profile page will show a link my SMA alert prompt
Alert makes a request to the Play API which will make a request to the SMA API to search for accounts by email address (maybe participant ID?)
If there’s a matching account, message will offer to link the account
If there isn’t a matching account, message will suggest creating an account in SMA
Alert is hidden until the request completes; there is no loading state
Alert action will link to SMA to prompt the link process
Out of scope for this document, but the redirect back to Play would follow the registration flow above
Model Changes
Add `externalId` on `Account` to indicate the link to the SMA account
API Changes
Login API with SMA token
Add linked account flag to /accounts/current
Additional information
My Account
https://api.account.spordle.dev/doc/
Terminology
SMA | Play | Notes |
---|---|---|
identity | Account | Credentials |
identity_member | AccountIdentity | Link between credentials and profile |
member | Participant | Profile details (name, etc.) |
identity_role | AccountPermission | Not 1:1 |
provider | Tenant/Provider | |
identity_member_provider | ? | |