This is the preferred way to provide user registration and automated login from a partner. It supersedes the now deprecated alternatives 1.1a, 1.1b, 1.1c.
This flow provides Single Sign-On (SSO) functionality based on the OpenID Connect (OIDC) protocol. OIDC is a standardized authentication protocol built on top of OAuth 2.0. It allows o2o to verify the identity of a user via an external identity provider (IdP). At o2o we use the Authorization Code Flow: following authentication at the IdP, o2o receives an authorization code, which is exchanged for an ID token. From the token, we extract the user data and custom claims.
Setting up OIDC is mainly a matter of configuration at both ends, i.e. at the o2o side and at the partner side. In the End-to-end flow section below, we first describe the OIDC flow. In the Configuration section we list the configuration parameters that are required.
To register or log in a user, the flow looks as follows:
```mermaid
sequenceDiagram
participant U as User (in partner tool)
participant O as my.o2o.be
participant IdP as Partner IdP
U->>O: GET /auth/oidc/owner/flex_partner/{id}/redirect
O->>IdP: Request discovery document
IdP-->>O: Discovery document
Note over O: Redirect to authorization_endpoint
O-->>U: 302 to IdP /authorize
U->>IdP: authenticate
IdP-->>U: 302 to /auth/oidc/callback?code=...&state=...
U->>O: GET /auth/oidc/callback
Note over O: Call token_endpoint
O->>IdP: exchange code
IdP-->>O: id_token + access_token (+ userinfo)
Note over O: Call userinfo_endpoint
O->>IdP: Request user info
IdP-->>O: userinfo
Note over O: Validate claims
O-->>U: logged in -> /home
Note right of U: User is logged in and sees myo2o Biker homepage
```
Note: steps 3 to 9 are supported more or less out of the box by any OIDC framework, when configured with the parameters specified in the next section.
User clicks "Go to o2o" inside the partner tool.
Partner directs browser to: https://my.o2o.be/auth/oidc/owner/flex_partner/{flexpartnerid}/redirect.
o2o resolves the call, and requests the IdP’s Discovery Document at the discovery endpoint URL, in order to retrieve the IdP’s OIDC capabilities, cryptographic keys, and endpoints (i.e., the authorization endpoint, the token endpoint and the userinfo endpoint).
o2o then 302-redirects the user to the partner's authorization endpoint, retrieved in the previous step.
User authenticates at the partner IdP (or is already signed in).
Partner IdP creates an authorization code, and redirects back to o2o:
https://my.o2o.be/auth/oidc/callback?code=SOME_AUTHORIZATION_CODE....
The o2o backend makes a direct back-channel POST request (server to server, over TLS) to the partner IdP's token endpoint, in order to trade the code for the actual ID token.
```http
POST /oauth/token HTTP/1.1
Host: partner-idp.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code
&code=SOME_AUTHORIZATION_CODE
&redirect_uri=https://my.o2o.be/auth/oidc/callback
&client_id=YOUR_O2O_CLIENT_ID
&client_secret=YOUR_O2O_CLIENT_SECRET
```
The partner IdP validates the code and the client secret. If everything matches, it responds with a 200 OK and a JSON response body containing the tokens.
```json
{
"access_token": "eyJhbGciOiJSUzI1Ni...",
"token_type": "Bearer",
"expires_in": 3600,
"id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "rF9a7w231..."
}
```
The id_token (a signed JWT, i.e. three base64url-encoded segments) contains the custom claims (see further below) used to log the user into the o2o platform.
The o2o backend requests the user info (name and email) via the partner IdP's userinfo endpoint.
o2o validates all claims. If all validations pass, the user is redirected to the my o2o home page and is logged in.
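The "validate claims" step above is where a relying party decides whether to trust the ID token. The following is an added example (not o2o's own code) of the checks an OIDC library performs on the id_token payload and on the callback's state parameter; the issuer URL, client_id and the sample token are constructed values, and signature verification against the IdP's jwks_uri from the discovery document is assumed to happen separately.

```python
import base64, hmac, json, time
from typing import List, Optional, Tuple

# Constructed sample values (assumptions, not from o2o's configuration).
ISSUER = "https://partner-idp.com"
CLIENT_ID = "YOUR_O2O_CLIENT_ID"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment; JWTs strip the '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Split a compact JWT into (header, payload). The signature must be
    verified separately with the keys published at the IdP's jwks_uri."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def validate_id_token_claims(claims: dict, expected_nonce: str,
                             now: Optional[int] = None, skew: int = 60) -> List[str]:
    """Return the names of failed checks (empty list = claims accepted),
    following the ID token validation rules of OIDC Core section 3.1.3.7."""
    now = int(time.time()) if now is None else now
    failed = []
    if claims.get("iss") != ISSUER:                      # token from the expected IdP
        failed.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:                             # token minted for us
        failed.append("aud")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:  # multi-audience needs azp
        failed.append("azp")
    if not isinstance(claims.get("exp"), int) or claims["exp"] + skew < now:
        failed.append("exp")                             # expired
    if not isinstance(claims.get("iat"), int) or claims["iat"] - skew > now:
        failed.append("iat")                             # issued in the future
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        failed.append("nonce")                           # replayed / unrelated token
    if not claims.get("sub"):
        failed.append("sub")                             # no stable user identifier
    return failed

def validate_callback_state(session_state: str, returned_state: str) -> bool:
    """Bind the /auth/oidc/callback request to the session that started it."""
    return hmac.compare_digest(session_state, returned_state)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample ID token: header + claims, with a placeholder signature.
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123", "exp": 1_700_003_600,
                 "iat": 1_700_000_000, "nonce": "n-abc", "email": "rider@example.com"}
SAMPLE_TOKEN = ".".join([_b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig-placeholder"])
```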