Single Sign-on

Single Sign-on is used to grant Manifold users web access to a provider's application. The resulting user session on the provider's side is restricted to the resource but allows the user to access provider-specific features.

This flow is built on top of OAuth 2.0 using the authorization_code grant type flow for granting a provider an access token scoped to the user and the selected resource.

Manifold is responsible for creating a scoped authorization_code and forwarding the user to the Provider's implementation of the GET /v1/sso (Single Sign-on) route. The code to grant an access token and the selected resource_id are included as query parameters to the request.

An access token can be created by the provider by issuing a POST request to /v1/oauth/tokens which is a part of the Manifold Connector API.

Once an access token has been granted, the provider can issue requests on behalf of the user to the Connector API to retrieve information about the current user and the resource in question.

The provider must create their own login session with the user for further authentication for accessing the resources dashboard. The granted access token should be stored securely and only used by the provider's server to request data from Manifold to render or implement any dashboard functionality.

The granted access token will only be valid for 24 hours. After the token has expired, the user must complete the Sign-On flow from the Manifold dashboard to grant a new token.

IMPORTANT: A malicious user could tamper with the resource_id query parameter. To prevent this, the provider must validate that the user has access to the targeted resource by requesting information about it from the Connector API using the granted access token.