This section provides insights into the OAuth protocol and how to use it for hotelkit together with the user synchronization.
Scenario
The partner acts as an identity provider in a Single Sign-On scenario implemented with OAuth 2.0. The partner provides an authorization server against which hotelkit authenticates its users.
Therefore, the partner imports all available users into hotelkit and manages their attributes.
This is done in separate communication parts:
Setup of partner – configuration of authentication details
Creating user
Updating user
Deleting user
Login process
The user handling (creating/updating/deleting users) is part of User Synchronization and User Synchronisation for Multi-property Cases.
Login Process
One of the main benefits of Single Sign-On is that the user does not need a separate authentication at hotelkit but can authenticate at the identity provider. Based on “RFC 6749 – The OAuth 2.0 Authorization Framework”, the login process at hotelkit with an authorization server is presented below:
A more detailed description of how to create users is available in User Synchronization .
It starts when an unidentified user (resource owner) requests a resource from hotelkit. Hotelkit (client) identifies the identity provider and returns the URL of the corresponding authorization server (partner). This URL must be set at partner.sso.authorizationServer before the request.
The user is forwarded to the authorization server, where they authenticate against the identity provider. The identity provider responds with an authToken. Hotelkit then validates this authToken at the identity provider and receives the user attributes in return.
With those attributes hotelkit identifies the user within its system. For this to work, the user attributes must include the clientID that was previously attached to the user via PUT /users.
If identification succeeds, the requested resource will be provided to the user and the user is authenticated.
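The following is an added example, not hotelkit's or the partner's code, that simulates the four steps above end to end: returning the authorization server URL, issuing an authToken at the identity provider, validating that token, and matching the returned clientID against the users imported via PUT /users. The identity provider, its validation endpoint and the hotelkit user store are stand-ins constructed here; only the setting name partner.sso.authorizationServer and the attribute name clientID come from this page, and the hostnames are placeholders.

```python
"""Simulation of the hotelkit SSO login flow (added example, not hotelkit code)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed partner configuration: the key name follows the page, the URL is a placeholder.
PARTNER_CONFIG = {
    "partner.sso.authorizationServer": "https://idp.example-partner.invalid/authorize",
}

# Constructed stand-in for users previously imported into hotelkit via PUT /users,
# keyed by the clientID the partner attached to each user.
HOTELKIT_USERS = {
    "emp-1001": {"name": "Front Desk Agent", "active": True},
    "emp-1002": {"name": "Housekeeping Lead", "active": True},
    "emp-1003": {"name": "Former Employee", "active": False},
}


@dataclass
class FakeIdentityProvider:
    """Stand-in for the partner's authorization server / identity provider."""
    issued: dict = field(default_factory=dict)

    def authenticate(self, client_id: Optional[str]) -> str:
        # Step 2: the user authenticates at the partner and an opaque authToken is issued.
        # A token with no clientID models a partner that forgot to include the attribute.
        token = secrets.token_urlsafe(16)
        self.issued[token] = {"clientID": client_id} if client_id else {}
        return token

    def validate(self, token: str) -> Optional[dict]:
        # Step 3: hotelkit validates the authToken at the identity provider and gets
        # the user attributes back. Tokens are single use, so a replay returns None.
        return self.issued.pop(token, None)


def step1_redirect_url(config: dict) -> str:
    """Step 1: hotelkit returns the partner's authorization server URL for the redirect."""
    url = config.get("partner.sso.authorizationServer")
    if not url:
        raise RuntimeError("partner.sso.authorizationServer must be configured before SSO login")
    return url


def step3_identify_user(idp: FakeIdentityProvider, token: str) -> dict:
    """Steps 3-4: validate the authToken and map the returned attributes to a hotelkit user."""
    attrs = idp.validate(token)
    if attrs is None:
        return {"ok": False, "reason": "invalid or reused authToken"}
    client_id = attrs.get("clientID")
    if not client_id:
        # Without a clientID hotelkit cannot identify the user, so the login fails.
        return {"ok": False, "reason": "clientID missing from identity provider response"}
    user = HOTELKIT_USERS.get(client_id)
    if user is None or not user["active"]:
        return {"ok": False, "reason": f"no active hotelkit user for clientID {client_id}"}
    return {"ok": True, "clientID": client_id, "user": user}


def login_flow(idp: FakeIdentityProvider, client_id: Optional[str], config: dict = PARTNER_CONFIG) -> dict:
    """Run the whole sequence once, the way a single browser round trip would."""
    step1_redirect_url(config)              # unidentified user is sent to the partner
    token = idp.authenticate(client_id)     # user logs in at the partner, receives authToken
    return step3_identify_user(idp, token)  # hotelkit validates the token and identifies the user


if __name__ == "__main__":
    idp = FakeIdentityProvider()
    print(login_flow(idp, "emp-1001"))   # succeeds: known, active clientID
    print(login_flow(idp, "emp-1003"))   # fails: user deactivated in hotelkit
    print(login_flow(idp, None))         # fails: partner did not return a clientID
```

The example deliberately fails closed: a missing clientID, an unknown or deactivated user, a replayed authToken, or a missing partner.sso.authorizationServer setting all end the login instead of falling through to a guest session. How the real identity provider exposes token validation is not specified on this page, so the validate method is only a placeholder for that call.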
There is also the option to skip the pending phase during SSO. For more information, please contact our support team.