Authorization URL
Authorization URL is the first step in the single sign-on flow where you will redirect the user to Scalekit to authenticate the user with the appropriate identity provider.
Your application constructs a URL with specific parameters that tell the authorization server (in this case: Scalekit) what the app is requesting. This URL looks like:
https://your-subdomain.scalekit.dev/oauth/authorize? response_type=code& client_id=skc_1234& scope=openid%20profile& redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback& organization_id=org_1243412& state=aHR0cHM6Ly95b3Vyc2Fhcy5jb20vZGVlcGxpbms%3D
Parameters
Section titled “Parameters”Parameter | Requirement | Description |
---|---|---|
client_id | Required | Unique identifier obtained from the API credentials page |
nonce | Optional | Random value for replay protection |
organization_id | Required* | Identifier for the organization initiating SSO |
connection_id | Required* | Identifier for the specific SSO connection |
domain | Required* | Domain part of the email address configured for an organization |
provider | Required* | Unique provider name for social login. Currently, we support the following providers: google , microsoft , github , gitlab , linkedin , salesforce |
response_type | Required | Must be set to code |
redirect_uri | Required | URL where the response is sent, must match an authorized value |
scope | Required | Must be set to openid email profile |
state | Optional | Opaque string for request-response correlation |
login_hint | Optional | Email address of the user for authentication hint |
* One of organization_id
, connection_id
, domain
, or provider
must be provided.
Usage notes
Section titled “Usage notes”- The
redirect_uri
must exactly match one of the authorized redirect values set in the API credentials page. - The
state
parameter is recommended for security purposes, including protection against cross-site request forgery. - The
login_hint
can be used to prefill login information at the identity provider.
SDK usage
Section titled “SDK usage”import { ScalekitClient } from '@scalekit-sdk/node';
const scalekit = new ScalekitClient('https://your-subdomain.scalekit.dev', '<SCALEKIT_CLIENT_ID>', '<SCALEKIT_CLIENT_SECRET>');
const options = { loginHint: 'user@example.com', organizationId: 'org_123235245',};
const authorizationURL = scalekit.getAuthorizationUrl(redirectUri, options);
from scalekit import ScalekitClient, AuthorizationUrlOptions
scalekit = ScalekitClient( 'https://your-subdomain.scalekit.dev', '<SCALEKIT_CLIENT_ID>', '<SCALEKIT_CLIENT_SECRET>')
options = AuthorizationUrlOptions( organization_id="org_12345", login_hint="user@example.com",)
authorization_url = scalekit.get_authorization_url( redirect_uri, options)
import ( "github.com/scalekit/scalekit-sdk-go")
func main() { scalekitClient := scalekit.NewScalekitClient( "https://your-subdomain.scalekit.dev", "<SCALEKIT_CLIENT_ID>", "<SCALEKIT_CLIENT_SECRET>" )
options := scalekitClient.AuthorizationUrlOptions{ OrganizationId: "org_12345", LoginHint: "user@example.com", }
authorizationURL := scalekitClient.GetAuthorizationUrl( redirectUrl, options, )}
package com.scalekit;
import com.scalekit.ScalekitClient;import com.scalekit.internal.http.AuthorizationUrlOptions;
public class Main { public static void main(String[] args) { ScalekitClient scalekitClient = new ScalekitClient( "https://your-subdomain.scalekit.dev", "<SCALEKIT_CLIENT_ID>", "<SCALEKIT_CLIENT_SECRET>" ); AuthorizationUrlOptions options = new AuthorizationUrlOptions(); // Option 1: Authorization URL with the organization ID options.setOrganizationId("org_13388706786312310"); // Option 2: Authorization URL with the connection ID options.setConnectionId("con_13388706786312310"); // Option 3: Authorization URL with login hint options.setLoginHint("user@example.com");
try { String url = scalekitClient.authentication().getAuthorizationUrl(redirectUrl, options).toString(); } catch (Exception e) { System.out.println(e.getMessage()); } }}
When constructing your authorization URL, you need to specify which connection to use. The system follows a specific precedence order when multiple parameters are provided:
-
provider
: If this parameter is present, all other connection parameters are ignored, and the user is directed to the Google login screen ifprovider=google
. -
connection_id
: Takes highest precedence among enterprise SSO parameters. If provided with a valid value, this specific connection will be used regardless of other parameters. If invalid, the authorization will fail. -
organization_id
: Used when no validconnection_id
is provided. It uses the SSO connection configured for the specified organization. -
domain
: Used when neitherconnection_id
nororganization_id
are provided. The system will use the SSO connection configured for the specified domain. -
login_hint
: Lowest precedence. The system extracts the domain portion of the email address and uses the corresponding SSO connection.
If multiple parameters are provided (e.g., both domain
and organization_id
), the system will follow this precedence order to determine which parameter takes effect.
If multiple parameters are provided (e.g., both domain and organization_id), the system will follow this precedence order to determine which parameter takes effect.