Thine - Responsive Modern HTML Template
Simple Safe Quick
  • Slide
  • Slide
  • Slide
  • Slide


Service description

Download as .pdf

Usage scope

In the current beta version of SSQ signon registration is not automatic. Your beta access request (sent via e-mail or by starting registration with the module admin application) will be processed by our staff, and, after validation, an e-mail message with an activation code will be sent to the e-mail address you provided. Once your beta access request has been accepted, and you have obtained your activation code you may start using SSQ signon. Please note that your beta access request may not be accepted. The current beta version of SSQ signon is subject to no other usage restrictions, however such restrictions (e.g. maximum number of modules, maximum number of clients per module, maximum number of requests to the REST API in a specified period of time) may be applied in the future.

REST API description

SSQ signon's core feature is a RESTful web service that communicates primarily through the HTTPS protocol. The web service is composed out of the following endpoints:

Token endpoint

This endpoint issues access tokens which can later be used to grant access to protected resources. The endpoint will output an access token (and, if configured, an optional refresh token) when presented with a valid instance of one of four sets of credentials (or grant types). The password grant type will produce an access token based on a username and password. The authorization code grant type will produce an access token based on an authorization code issued by the redirect validation endpoint and a set of client credentials. The client credentials grant type will produce an access token based solely on a set of client credentials. The refresh token grant type will produce an access token based on a refresh token. Each issued access token will expire after a set amount of time.

Token validation endpoint

This endpoint will validate a given access token and, if successful, produce the user id and scope contained in the access token. If validation fails (i.e. the access token was null, invalid, expired, revoked or counterfeited) an error message will be produced.

Redirect validation endpoint

This endpoint will facilitate single sign-on by checking whether redirection to the given URI is allowed, and if so building a safe redirect URI which may be used to redirect the user's identity into another application. If a given access token is valid, (and access was not explicitly denied) the safe redirect URI will contain an authorization code. Once redirected, the authorization code may be swapped for an access token via the token endpoint. If the access token provided in the header is not valid, or access was explicitly denied, the safe redirect URI will contain an authorization error.

Token nullification endpoint

This endpoint can be used to revoke all (access and refresh) tokens for a given user id. A valid access token for this endpoint may be obtained by querying the token endpoint of the special tokenrevokers module. When querying the tokenrevokers module, supply client_credentials as the grant_type, your module name as the client id and the special token revoker secret as the client secret. If token revoking is disabled (set in module settings), authorization with the tokenrevokers module will fail.

Module admin description

The SSQ signon module admin application is a web application that will enable users to create and manage their SSQ signon modules. The following components are at the user's disposal:

Login dialog

This dialog will always be displayed over the current view, when the user's session in the module admin application does not exist or is expired. The user may start a new session by typing his/hers e-mail address and password into the provided inputs and clicking the login button. A new session will be started provided that the credentials are correct, a warning message will be displayed otherwise. The user may also use the register link to navigate into the registration dialog. The login dialog may not be discarded until a session is started.

Registration dialog

This dialog will enable the user to create an account in the module admin application. The user must input his/hers e-mail address, which must be an RFC 5322 compliant e-mail address and point to an existing e-mail account. The e-mail address must also be unique among all of the e-mail addresses of all users. The user must also input his/hers password, which must be a string of at least 8, but at most 64 UTF-8 characters. Clicking the register button will start the registration process provided that the input is correct. Clicking the back to login button will navigate back to the login dialog. The registration dialog may not be discarded.

Please note that in the current beta version of SSQ signon registration is not automatic. Your registration request will be processed by our staff, and, after validation, an e-mail message with an activation code will be sent to the e-mail address your provided. To complete the registration process, type the received activation code into the field that will appear in the login dialog after logging in (in case your account is not active).

The top navigation bar is visible in every view, and enables the user to move around the module admin application. Clicking the SSQ signon module admin logo will navigate to the list of modules view. Clicking the user e-mail address will display a drop down menu with the logout option. Clicking the logout option will log the user out of the application, and navigate to the login dialog.

While in the context of a module, clicking the Clients and Settings links will navigate to the List of clients and module settings views accordingly. Clicking the module name link will display a drop down menu with the names of all of the user's modules. Clicking a module name will navigate to the list of clients view of that module.

List of modules view

This view serves as a splash screen, and enables the user to navigate to one of his/hers modules. Clicking a link with a module name will navigate to the list of clients view of that module. The add new module button can be used to navigate to the create new module view.

Create module view

This view enables the user to create a new module by completing the 4 steps of the provided wizard:

Step 1

In this step the user must select the module name. The module name may be a string composed of lower case ASCII letters, digits, dashes and underscores. The maximum length of the module name is 64 characters. The module name must be unique among all modules created by all SSQ signon users.

The user may also add any initial allowed origins to the module. Doing so will preset the allowed origins section in the module settings view of the new module. Each allowed origin must be a valid URL address (i.e. must begin with http:// or https:// followed by one or more characters) with a maximum of 256 characters in length. A maximum of 20 allowed origins may be added.

Clicking the next button will navigate to Step 2 provided that the input in Step 1 is correct.

Step 2

In this step the user must select and configure the user endpoint used by the module. The user may choose between a dummy user endpoint and an HTTPS user endpoint.

If the dummy user endpoint is chosen, the user must add at least one dummy user account to the list of dummy user accounts. A maximum of 10 dummy user accounts may be added. Each dummy user account is composed of a username, a password and a scope. The username and password may be strings of at most 64 UTF-8 characters, and must be set of each dummy user account. The scope may be a string of at most 1024 ASCII letters, digits, dashes, underscores and spaces, and is optional.

If the HTTPS user endpoint is chosen, the user must configure the Authenticate and authorize and reauthorize URL addresses as well as choose the HTTP authentication type (Basic or NTLM) and set the username and password for that authentication. The Authenticate and authorize and reauthorize URL addresses must be valid URL addresses (i.e. must begin with http:// or https:// followed by one or more characters) with a maximum of 256 characters in length. Both the username and password used for authentication may be strings of at most 64 UTF-8 characters.

Clicking the previous button will navigate back to Step 1, clicking the next button will navigate to Step 3 provided that the input in Step 2 is correct.

Step 3

In this step the user must configure and register the first client in the module. The user must input the client name, which may be a string of at most 128 UTF-8 characters, as well as the time of live of the access tokens (i.e. the number of minutes before an access token expires), which can be an integer from 1 to 1000000. The user must also choose the client authorization type, which may be: password, authorization code or client credentials.

If the password authorization type is chosen, the user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox, and may set a client secret for the client, which can be a string of at most 64 UTF-8 characters.

If the authorization code authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, as well as the time to live of authorization codes (i.e. the number of seconds before an authorization code expires) to an integer from 1 to 600. The user must also add at least one valid redirect URI to the list of valid redirect URIs. Each valid redirect URI must be a valid URI according to RFC 3986 (published in January 2005) of at most 256 characters. The user may add at most 10 valid redirect URIs. The user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox.

If the client credentials authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, and may also set the user_id inside the access tokens generated by this client to a string of at most 256 UTF-8 characters, and the scope inside the access tokens generated by this client to a string of at most 1024 ASCII letters, digits, whitespaces, dashes or underscores.

Clicking the previous button will navigate back to Step 2, clicking the next button will navigate to Step 4 provided that the input in Step 2 is correct.

Step 4

In this step, the user must accept the SSQ signon terms and conditions by checking the I accept the terms and conditions checkbox. Clicking the view full terms and conditions will navigate to a .pdf file with SSQ signon terms and conditions. Clicking the previous button will navigate back to Step 3, clicking the Create button will create the module and navigate to it's list of clients provided that the I accept the terms and conditions checkbox was checked.

List of clients in module view

This view will enable the user to view all of the clients registered in a given module. The user will also be able to register new clients, as well as edit and delete existing clients in this view. Clicking the register a new client button will open the register new client dialog. Each client registered in the module will be displayed as an entry on the list of clients. The client id, client name and authorization type will be displayed for each client, as well as an edit icon. Clicking on a client's edit icon or double clicking on the client on the list will open the client details dialog for that client.

Register new client dialog

This dialog enables the user to register a new client in the current module. The user must input the client name, which may be a string of at most 128 UTF-8 characters, as well as the time of live of the access tokens (i.e. the number of minutes before an access token expires), which can be an integer from 1 to 1000000. The user must also choose the client authorization type which may be: password, authorization code or client credentials.

If the password authorization type is chosen, the user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox, and may set a client secret for the client, which can be a string of at most 64 UTF-8 characters.

If the authorization code authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, as well as the time to live of authorization codes (i.e. the number of seconds before an authorization code expires) to an integer from 1 to 600. The user must also add at least one valid redirect URI to the list of valid redirect URIs. Each valid redirect URI must be a valid URI according to RFC 3986 (published in January 2005) of at most 256 characters. The user may add at most 10 valid redirect URIs. The user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox.

If the client credentials authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, and may also set the user_id inside the access tokens generated by this client to a string of at most 256 UTF-8 characters, and the scope inside the access tokens generated by this client to a string of at most 1024 ASCII letters, digits, whitespaces, dashes or underscores.

Clicking the add client button will register the client provided that the input is correct. Clicking the cancel button will close the register new client dialog and discard the changes.

Client details dialog

This dialog enables the user to view and edit the details of an existing client in the current module. The client id of the current client is shown at the top, followed by the client name, time to live of the access tokens, authorization type, and the features specific to the authorization type (i.e. the generate refresh tokens checkbox, time to live of refresh tokens and use dummy user endpoint checkbox for password and authorization code types, the time to live of the authorization codes and valid redirect URI list for the authorization code type, and the user_id and scope for the client credentials type). If a client secret was set, it will not be shown to the user. When editing, the user must input the client name, which may be a string of at most 128 UTF-8 characters, as well as the time of live of the access tokens (i.e. the number of minutes before an access token expires), which can be an integer from 1 to 1000000. The user may also change the client authorization type which may be: password, authorization code or client credentials.

If the password authorization type is chosen, the user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox, and may set a client secret for the client, which can be a string of at most 64 UTF-8 characters.

If the authorization code authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, as well as the time to live of authorization codes (i.e. the number of seconds before an authorization code expires) to an integer from 1 to 600. The user must also add at least one valid redirect URI to the list of valid redirect URIs. Each valid redirect URI must be a valid URI according to RFC 3986 (published in January 2005) of at most 256 characters. The user may add at most 10 valid redirect URIs. The user may choose refresh tokens to be generated by this client by checking the generate refresh tokens checkbox. If the generate refresh tokens checkbox was checked, the user must set the time to live of the refresh tokens (i.e. the number of hours before a refresh token expires), which can be an integer from 1 to 1000000. The user may also choose that this client use the dummy user endpoint by checking the Use dummy user endpoint checkbox.

If the client credentials authorization type is chosen, the user must set the client secret to a string of at most 64 UTF-8 characters, and may also set the user_id inside the access tokens generated by this client to a string of at most 256 UTF-8 characters, and the scope inside the access tokens generated by this client to a string of at most 1024 ASCII letters, digits, whitespaces, dashes or underscores.

Clicking the save changes button will save any changes made to the client provided that the input is correct. Clicking the cancel button will close the client details dialog and discard any changes.

Clicking the remove client button will show a remove client confirmation dialog. If the client removal is confirmed, the client will be removed. Please note that removed clients may not be restored.

Module settings view

This view enables the user to configure the various features of a module not connected to a specific client.

Allowed origins section

Your module will only allow web browser requests from web pages running under URL addresses listed on the allowed origins list. The list in this section enables the user to add, edit and removed URL addresses to the allowed origins list. Each allowed origin must be a valid URL address (i.e. must begin with http:// or https:// followed by one or more characters) with a maximum of 256 characters in length. A maximum of 20 allowed origins may be added.

Dummy user endpoint section

The list in this section enables the user to add, edit or remove the dummy user accounts served by the dummy user endpoint. The user may add up to 10 dummy user accounts. Each dummy user account is composed of a username, a password and a scope. The username and password may be strings of at most 64 UTF-8 characters, and must be set of each dummy user account. The scope may be a string of at most 1024 ASCII letters, digits, dashes, underscores and spaces, and is optional. Please note that the passwords for these accounts are shown as plain text, thus the dummy user accounts are not recommended for production use.

HTTPS user endpoint section

The enabled checkbox in this section allows the user to turn the HTTPS user endpoint on or off. Once enabled, the user may set the endpoint's authorize and get URL addresses, choose the authentication type as Basic or NTLM, and set the username and password required for the authentication. The Authenticate and authorize and reauthorize URL addresses must be valid URL addresses (i.e. must begin with http:// or https:// followed by one or more characters) with a maximum of 256 characters in length. Both the username and password used for authentication may be strings of at most 64 UTF-8 characters. Please note that a set password will not be shown to the user again.

Automatic token revoking section

The enabled checkbox in this section allows the user to turn automatic token revoking on or off. Once enabled, the user must set the token revoker secret required to obtain a valid access token for the token nullification endpoint. The token revoker secret may be a string of at most 64 UTF-8 characters. Please note that a set token revoker secret will not be shown to the user again.

Remove module button

This button enables the user to remove an existing module. Confirmation in an extra dialog box will be required before the removal takes place. Please note that removed modules may not be restored.

Save changes button

This button enables the user to save the changes made to the module settings.

Module best practices view

This view will show some useful tips on getting the most value out of the current module.