Thanx SSO authenticates the user via a password-less flow using email authentication, rather than a password. This reduces the friction of a user having to manage yet another password as well as reduces the friction of transitioning an existing user-base to Thanx. Thanx follows the standard OAuth 2.0 spec, using the Authorization Code grant type. Refer to the OAuth 2.0 Authorization Framework RFC: Section 4.1 for additional details. Here is what the flow would look like:
  1. User navigates to the partner website and clicks an authentication button.
  2. The partner website prompts the user to input an email address
  3. The partner website makes a request to the POST /oauth/authorize endpoint described below. (Continue to #4 or #5)
  4. If no account exists for the specified email address, a 401 error is thrown. A user can be created via the POST /users endpoint.
  5. If an account exists for the specified email address, an auth email is sent to specified email. The user clicks the auth email link which redirects to the partner website at the specified redirect_uri with an authorization code in the params.
  6. Partner website exchanges the authorization code for an access token via the POST /oauth/token endpoint described below. User is now authenticated with the Thanx system through the returned access token.