Thanx SSO authenticates the user via a password-less flow that relies on email authentication rather than a password. This spares the user from managing yet another password and reduces the friction of transitioning an existing user base to Thanx.
Thanx follows the standard OAuth 2.0 spec, using the Authorization Code grant type. Refer to the OAuth 2.0 Authorization Framework RFC: Section 4.1 for additional details.
Here is what the flow looks like:

1. The user navigates to the partner website and clicks an authentication button.
2. The partner website prompts the user to input an email address.
3. The partner website makes a request to the POST /oauth/authorize endpoint described below. (Continue to #4 or #5.)
4. If no account exists for the specified email address, a 401 error is returned. A user can be created via the
5. If an account exists for the specified email address, an auth email is sent to the specified email. The user clicks the auth email link, which redirects to the partner website at the specified redirect_uri with an authorization code in the params.
6. The partner website exchanges the authorization code for an access token via the POST /oauth/token endpoint described below. The user is now authenticated with the Thanx system through the returned access token.
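The following is an added example of the partner-website side of the flow above; it is not Thanx's own code or SDK. It assumes the form parameter name email on /oauth/authorize and the JSON shape of the responses, and it talks to a constructed in-memory stand-in for the two endpoints so it runs offline. The client_id, redirect_uri, response_type, state, grant_type, code and client_secret parameters are the standard RFC 6749 names. The state value is the part a partner implementation must not skip: it binds the emailed link back to the browser session that started the login, so a callback that arrives with an unknown or already-used state is rejected instead of being exchanged for a token.

```python
"""Partner-site side of the Thanx SSO authorization-code flow (added example, not Thanx code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

THANX_BASE = "https://thanx.example"  # placeholder base URL, not the real host


class ThanxSsoClient:
    """Starts the email authentication (step 3) and finishes the code exchange (step 6)."""

    def __init__(self, client_id, client_secret, redirect_uri, http_post):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.http_post = http_post          # callable(url, form_dict) -> (status, json_dict)
        self._pending_states = set()        # one CSRF token per login attempt awaiting a callback

    def start_login(self, email):
        """POST /oauth/authorize; returns 'email_sent' (step 5) or 'no_account' (step 4)."""
        state = secrets.token_urlsafe(32)   # unguessable, bound to this login attempt
        status, _ = self.http_post(f"{THANX_BASE}/oauth/authorize", {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "email": email,                 # assumed parameter name
            "state": state,
        })
        if status == 401:
            return "no_account"
        if status != 200:
            raise RuntimeError(f"unexpected status {status} from /oauth/authorize")
        self._pending_states.add(state)
        return "email_sent"

    def handle_callback(self, callback_url):
        """Validate the redirect from the auth email, then exchange the code at POST /oauth/token."""
        params = parse_qs(urlparse(callback_url).query)
        code = params.get("code", [None])[0]
        state = params.get("state", [None])[0]
        if not code or not state:
            raise ValueError("callback missing code or state")
        # Only accept a state this client issued; compare in constant time and consume it.
        match = next((s for s in self._pending_states if hmac.compare_digest(s, state)), None)
        if match is None:
            raise ValueError("state mismatch: forged or replayed callback")
        self._pending_states.discard(match)
        status, body = self.http_post(f"{THANX_BASE}/oauth/token", {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,   # must equal the value sent to /oauth/authorize
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200 or "access_token" not in body:
            raise RuntimeError(f"token exchange failed: {status} {body}")
        return body["access_token"]


class FakeThanxServer:
    """Constructed stand-in for the two endpoints so the example runs offline; NOT the real service."""

    def __init__(self, accounts, client_id, client_secret, redirect_uri):
        self.accounts = set(accounts)
        self.client_id, self.client_secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.codes = {}             # code -> (email, redirect_uri) ; single use
        self.last_email_link = None  # the link that would be in the auth email

    def post(self, url, form):
        path = urlparse(url).path
        if path == "/oauth/authorize":
            if form.get("client_id") != self.client_id or form.get("redirect_uri") != self.redirect_uri:
                return 400, {"error": "invalid_request"}
            if form.get("email") not in self.accounts:
                return 401, {"error": "unauthorized"}      # step 4: no account for this email
            code = secrets.token_urlsafe(16)
            self.codes[code] = (form["email"], form["redirect_uri"])
            self.last_email_link = form["redirect_uri"] + "?" + urlencode({"code": code, "state": form["state"]})
            return 200, {}
        if path == "/oauth/token":
            entry = self.codes.pop(form.get("code"), None)  # a code may be redeemed once
            if (entry is None or form.get("grant_type") != "authorization_code"
                    or form.get("client_secret") != self.client_secret
                    or form.get("redirect_uri") != entry[1]):
                return 400, {"error": "invalid_grant"}
            return 200, {"access_token": "tok_" + secrets.token_hex(8), "token_type": "bearer"}
        return 404, {}


def run_flow(email, accounts=("ada@example.com",)):
    """Drive steps 3-6 end to end; returns (start_result, access_token_or_None)."""
    server = FakeThanxServer(accounts, "partner-app", "partner-secret", "https://partner.example/callback")
    client = ThanxSsoClient("partner-app", "partner-secret", "https://partner.example/callback", server.post)
    result = client.start_login(email)
    if result != "email_sent":
        return result, None
    token = client.handle_callback(server.last_email_link)  # the user clicks the emailed link
    return result, token


if __name__ == "__main__":
    print(run_flow("ada@example.com"))
    print(run_flow("nobody@example.com"))
```

In a real deployment the pending state set lives in the user's server-side session (or a short-lived signed cookie) rather than in process memory, and the callback handler runs on the redirect_uri route; everything else in ThanxSsoClient carries over unchanged, with http_post replaced by a real HTTPS client.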