SPR-995 SSO V1

Login to PLAY via SMA:

  1. When the user enters an email and hits Next: look up the Account and check whether it has an externalId. If there is no externalId, continue logging in normally. If there is an externalId, redirect the user to Spordle My Account (SMA) to log in.

  2. Once the user has successfully logged into SMA, SMA sends the user back to /login with an SMA accessToken and the username of the user trying to sign in.

  3. The client (admin) listens to the URL for the accessToken/username and sends them to the Authorization Server (/token of our API) with other information used to validate that it's the correct client. Side note: it uses grant_type: password so that the oauth2orize package doesn't complain about a custom grant type.

  4. The Authorization Server validates that the request is coming from the correct client, that the SMA accessToken is valid, and that the username trying to sign in matches the validated SMA accessToken. Once the Authorization Server deems all is valid, it returns the user's PLAY accessToken and refreshToken. The accessToken will have the same expiry time (TTL) as the SMA accessToken so that the PLAY user session doesn't outlive the SMA accessToken validity.

  5. The client logs the user in and sets the session (same as with the regular username/password flow).


SSO MyAccount User Check Endpoint

/api/accounts/getUserByExternalId

Check if a Play user has an externalId (Spordle MyAccount linked)

Accepts

  • externalId (required)

Returns

  • Boolean