OAuth 2.0 SSO overview

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2.0 provides authorization flows for web and desktop applications, and mobile devices.

Learn more about OAuth 2.0

Basic SSO

Regardless of the feature choices you’ve selected, basic SSO requires some specific data, particularly a public key. Adding loyalty or credit card implementations will require additional information.

Setup information

To properly set up the OAuth 2.0 SSO access to your template site, we need a few things, including:

  • APIs (authorize, token, userProfile)
  • ClientId
  • Client secret
  • ResponseMode
  • isNounceEnabled
  • customerDetailsAPIKey (if available)

Authorization Flows

OAuth Authorization flows

Authorize endpoint

The GET /authorize endpoint is used for authentication and authorization. It returns an authorization grant or code to the client post user is logged-in. It is a browser redirect.

FieldDescriptionData typeSample valueMandatory?
client_idIdentifies the client. Must match the value preregistered in your identity provider (IDP). Obtained during either manual client registration or via the Dynamic Client Registration API.String Yes
nonceUsed to mitigate replay attacks. This value is returned in the ID token.String Yes
promptThe type of interaction required to validate. If "empty", the user must log in if not already authenticated. If "none," the IDP won't prompt for login but will return an authorization code if logged in, or an error otherwise.StringValid values:
none
OR EMPTY
No
redirect_uriCallback location where the authorization code or tokens should be sent. Must match the value preregistered in your IDP during client registration.String Yes
response_typecode (IDP) value.String Yes
response_modeHow the authorization response should be returned.StringValid value:
query
No
scopeAccess token, used for fetching profile details. Required for authentication requests.Stringprofile and emailYes
stateThe state of the interaction. This value is returned in the token, and enables the user to click through, authenticate, and be returned to the page they’re originally interested in. The value can contain alphanumeric, comma, period, underscore, and hyphen characters.String Yes
ui_localesUser's preferred languages and scripts for the user interface.Stringen_CA, fr_CANo
audienceThe intended recipient.StringDefined by PartnersNo

Response parameters

ParameterDescriptionData typeMandatory?
codeAuthorization code that identifies the client. This must match the value preregistered in your IDP. Obtained during either manual client registration or via the Dynamic Client Registration API.StringYes
stateThe state of the interaction. This value is returned in the token, and enables the user to click through, authenticate, and be returned to the page they’re originally interested in. The value can contain alphanumeric, comma, period, underscore, and hyphen characters.StringYes

Sample Authorize URL

https://example.com/authorize?client_id={clientID}&response_type=code&state=d6b93799-404b-4205-9bb3-c579b1180428&scope=email profile&nounce=234567687867&redirect_uri=https://{ExpediaDomain}/sso/auth

Sample Callback URL

https://{ExpediaDomain}/sso/auth?code=12345678&state=d6b93799-404b-4205-9bb3-c579b1180428

Token endpoint

The POST /token endpoint is a backend API call which is used to obtain an access token and ID token by presenting an authorization grant or code.

Request parameters

ParameterDescriptionData typeMandatory?
grant_typeThe mechanism your IDP uses to authorize the creation of the tokens. Value: authorization_codeStringYes
redirect_uriSpecifies the callback location where the authorization was sent. This value must match the redirect_uri used to generate the original authorization_code.StringYes
codeClient identification code received in /authorize call response.StringYes

Request headers

ParameterDescriptionData typeSample valueMandatory?
acceptMust be "application/json"Stringapplication/jsonYes
authorizationEncodes the client ID and secret with Base64. Use the encoded information in the HTTP authorization header.StringBasic<Base64 encoded client ID and secret>Yes
Content-TypeMust be "application/x-www-form-urlencoded"Stringapplication/x-www-form-urlencodedYes

Response properties

FieldDescriptionData type
access_tokenAn access tokenString
token_typeThe audience of the tokenString
expires_inThe expiration time of the access token in secondsInteger
scopeThe scopes contained in the access tokenString

Sample token CURL

curl --location 'https://example.com/token’ \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {encoded ClientID:clientSecret}' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'redirect_uri=https://{ExpediaDomain}/sso/auth’ \
--data-urlencode 'code={Authorization code after login as part of callback to Expedia /sso/auth endpoint}'

Sample token response

{
    "access_token": "eyJhbGciOi.JSUzI1NiIsImtpZCI6Ilk1MkFDVXd3QV9SUzI1NiIsInBp.LmF0bSI6ImlrY20ifQ",
    "token_type": "Bearer",
    "expires_in": 1799
}

Userinfo endpoint

The GET /userinfo endpoint is a backend API call which returns claims about the authenticated user based on the provided access token.

Request Headers

FieldDescriptionData typeSample valueMandatory?
ClientIdIdentifies the client. Must match the value preregistered in your identity provider (IDP). Obtained during either manual client registration or via the Dynamic Client Registration API.String Yes
AuthorizationHTTP header used to send credentials or tokens to authenticate a userStringBearer [access_token]Yes

Response

FieldDescriptionData typeSample valueMandatory?
membershipIdIdentifier which uniquely identifies the Customer's accountString Yes
optInBoolean flag if customer Opts in for marketing emailBooleantrue/falseNo
languageIdPreferred language for the userStringen, frNo
channelTypeDifferent platforms through which a user interacts with an applicationStringWEB, MOBILE, TABLETNo
firstNameFirst name of the CustomerString Yes
middleNameMiddle name of the CustomerString No
lastNameLast name of the CustomerString No
emailEmail address of the CustomerString No
programAccountLoyalty related informationprogramAccountPlease refer to Add loyalty -> programAccount section below for Object detailsNo

Sample Userinfo CURL

curl --location 'https://example.com/userinfo' \
--header 'client_id: {clientId}' \
--header 'Authorization: Bearer {acess_token from token endpoint}'

Sample Userinfo response

{
  "membershipId": "12345678",
  "languageID": "en",
  "middleName": "MiddleName",
  "lastName": "LastName",
  "firstName": "FirstName",
  "email": "test@expediagroup.com",
  "programAccount": {
    "programId": "Gold",
    "loyaltyAccountBalance": {
      "value": "10000",
      "currency": "Points"
    }
  }
}

Add loyalty

As part of your template site, you can include the ability for your customers to earn loyalty points on their travel purchases. If you choose, your template can also allow your customers to use their accumulated loyalty points to purchase travel.

The same setup requirements as the standard implementation apply, as do many of the values. Only those that are different are included here.

In addition to the standard user information, the loyalty program setup will include the following values.

programAccount

FieldDescriptionDatatypeMandatory?
programIdIdentifier for the loyalty program the customer is affiliated to or the tier name associated with the loyalty programStringYes
loyaltyAccountNumberThe customer’s loyalty account number; should only be populated if a secondary identifier (other than the unique membershipId) is required for loyalty operationsStringNo
lastFourDigitsOfCreditCardThe last 4 digits of the credit card the customer used for the bookingIntegerNo
accountNameProgram name (if different from tier name)StringNo
loyaltyConversionRatioRatio of how payment converts to points earned (for example, $1 = 1 point)DoubleNo
loyaltyAccountBalanceCurrent balance of customer’s earned loyalty pointsAmount
(please refer to Amount section below for Object details)
No

Amount

FieldDescriptionDatatypeMandatory?
valueLoyalty balance; nested under loyaltyAccountBalanceLongYes
currencyThe earn currency used by the loyalty program, for example, CAD, USD, POINTS, MILES; nested under loyaltyAccountBalanceStringYes
Did you find this page helpful?
How can we improve this content?
Thank you for helping us improve!