OAuth 2.0 SSO overview

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account and authorizing third-party applications to access that account. OAuth 2.0 provides authorization flows for web applications, desktop applications, and mobile devices. The SSO integration described on this page uses the OpenID Connect layer on top of OAuth 2.0 (the openid scope and the ID token) to identify the signed-in user.


Basic SSO

Regardless of the feature choices you’ve selected, basic SSO requires some specific data, particularly a public key. Adding loyalty or credit card implementations will require additional information.

Setup information

To properly set up the OAuth 2.0 SSO access to your template site, we need a few things, including:

  • APIs (authorize, token, userProfile)
  • ClientId
  • Client secret
  • ResponseMode
  • isNounceEnabled
  • customerDetailsAPIKey (if available)

A standard OAuth 2.0 SSO implementation at Expedia is encrypted using our public key, creates a post-authorization endpoint, enables the nonce, and sets the scope parameters. User information is also included.

Authorization

The GET /authorize endpoint is used for authentication and authorization. The user's browser is sent to it with the request parameters below; after the user authenticates, the IDP redirects the browser back to redirect_uri with an authorization code and the original state value.

Request parameters

Each entry gives the field, its data type and whether it is mandatory, followed by its description and any sample or valid values.

  • client_id (String, mandatory): Identifies the client. Must match the value preregistered in your identity provider (IDP), obtained during either manual client registration or via the Dynamic Client Registration API.
  • nonce (String, mandatory): Random, unguessable value used to mitigate replay attacks. It is returned as a claim in the ID token, and the client must check that it equals the value it sent.
  • prompt (String, optional): The type of interaction required to validate. Valid values: none, consent.
  • redirect_uri (String, mandatory): Callback location where the authorization code is sent. Must match the value preregistered in your IDP during client registration.
  • response_type (String, mandatory): Must be code (authorization code flow).
  • response_mode (String, optional): How the authorization response should be returned. Valid value: query.
  • scope (String, mandatory): Space-separated list of scopes to request. openid is required for an authentication request; profile and email allow the user's profile details to be fetched with the access token. Sample value: openid profile email.
  • state (String, mandatory): Opaque value that binds the request to the user's session. It is returned unchanged in the authorization response (not in the token), and the client must reject any callback carrying a state it did not issue; this is what protects the callback against cross-site request forgery. It also lets the user click through, authenticate, and be returned to the page they were originally interested in. The value can contain alphanumeric, comma, period, underscore, and hyphen characters.

Response parameters

Each entry gives the parameter, its data type and whether it is mandatory, followed by its description.

  • code (String, mandatory): Short-lived, single-use authorization code issued for this login. The client exchanges it for tokens at the POST /token endpoint; it is not a client identifier and must never be treated as proof of identity on its own.
  • state (String, mandatory): The state value from the request, returned unchanged. Verify that it matches the value stored in the user's session before using code. The value can contain alphanumeric, comma, period, underscore, and hyphen characters.

Tokens

The POST /token endpoint exchanges the authorization grant (the code from /authorize) for an access token and, when the openid scope was granted, an ID token that identifies the user. The client authenticates to this endpoint with its client ID and client secret; the call is made server to server, never from the browser.

Request parameters

Each entry gives the parameter, its data type and whether it is mandatory, followed by its description and sample value.

  • grant_type (String, mandatory): The grant the client is presenting, which tells your IDP how to authorize the creation of the tokens. Sample value: authorization_code.
  • redirect_uri (String, mandatory): The callback location used in the /authorize request. This value must match the redirect_uri used to generate the original authorization code.
  • code (String, mandatory): The authorization code received in the /authorize response.

Request headers

Each entry gives the header, its data type and whether it is mandatory, followed by its description and sample value.

  • accept (String, mandatory): Must be application/json.
  • authorization (String, mandatory): HTTP Basic authentication: the client ID and client secret joined by a colon and Base64 encoded, with a space after Basic. Sample value: Basic <Base64 encoding of client_id:client_secret>.
  • Content-Type (String, mandatory): Must be application/x-www-form-urlencoded.

Response properties

Each entry gives the field and its data type, followed by its description.

  • access_token (String): The access token.
  • token_type (String): The type of the access token, which tells the client how to present it to the userProfile API (typically Bearer).
  • expires_in (Integer): Lifetime of the access token in seconds.
  • scope (String): The scopes granted to the access token.
  • id_token (String): An OpenID Connect ID token, a JWT that identifies the authenticated user; returned if the openid scope is granted.

ID token

The id_token is a JSON Web Token (JWT): three Base64url-encoded parts separated by periods, namely a header, a payload of authentication information called claims, and a signature over the first two parts. Expedia template solutions use all three.

Header claims

Each entry gives the field, its data type and whether it is mandatory, followed by its description.

  • alg (String, optional): Identifies the digital signature algorithm used (always RS256).
  • kid (String, mandatory): Key ID: identifies the public key used to verify the ID token; the corresponding public key can be found via the JSON Web Key Set (JWKS).

Payload claims

Each entry gives the field, its data type and whether it is mandatory, followed by its description.

  • amr (Array, optional): JSON array of strings that are identifiers for authentication methods.
  • aud (String, mandatory): Identifies the audience that this ID token is intended for (one of your application's OAuth 2.0 client IDs).
  • auth_time (Integer, optional): The time the end user was authenticated, represented in Unix time (seconds).
  • exp (Integer, mandatory): The time the ID token expires, represented in Unix time (seconds).
  • iat (Integer, optional): The time the ID token was issued, represented in Unix time (seconds).
  • idp (String, mandatory): An indicator of the identity provider.
  • iss (String, optional): The URL of the authorization server that issued this ID token.
  • jti (String, mandatory): A unique identifier for this ID token, for debugging and revocation purposes.
  • sub (String, optional): A unique identifier for the subject of the authorization call (the user).
  • ver (Integer, mandatory): The semantic version of the ID token.

Signature claims

Signature validation: The signature is validated against the public key identified by the token's kid (looked up in the JWKS) for that client_id and the RS256 algorithm. The client must not let the token choose the algorithm: confirm that alg is RS256 before checking the signature, and reject anything else. After the signature checks out, also confirm that iss is the expected authorization server, that aud contains your client_id, that exp has not passed, and that the nonce claim equals the nonce sent on the /authorize request for this login. Only then should the sub claim be trusted to identify the user.

Add loyalty

As part of your template site, you can include the ability for your customers to earn loyalty points on their travel purchases. If you choose, your template can also allow your customers to use their accumulated loyalty points to purchase travel.

The same setup requirements as the standard implementation apply, as do many of the values. Only those that are different are included here.

In addition to the standard user information, the loyalty program setup will include the following values.

programAccount

Each entry gives the field and whether it is mandatory, followed by its description.

  • programId (mandatory): Identifier for the loyalty program the customer is affiliated to, or the tier name associated with the loyalty program.
  • loyaltyAccountNumber (optional): The customer's loyalty account number; should only be populated if a secondary identifier (other than the unique membershipId) is required for loyalty operations.
  • lastFourDigitsOfCreditCard (optional): The last 4 digits of the credit card the customer used for the booking.
  • accountName (optional): Program name (if different from tier name).
  • loyaltyConversionRatio (optional): Ratio of how payment converts to points earned (for example, $1 = 1 point).
  • loyaltyAccountBalance (mandatory): Current balance of the customer's earned loyalty points, with two nested fields:
      • value (mandatory): Loyalty balance.
      • currency (mandatory): The earn currency used by the loyalty program, for example, CAD, USD, POINTS, MILES.