Authorization URL

Authorization URL is the first step in the single sign-on flow where you will redirect the user to Scalekit to authenticate the user with the appropriate identity provider.

Your application constructs a URL with specific parameters that tell the authorization server (in this case: Scalekit) what the app is requesting. This URL looks like:

1
https://your-subdomain.scalekit.dev/oauth/authorize?
2
    response_type=code&
3
    client_id=skc_1234&
4
    scope=openid%20profile&
5
    redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&
6
    organization_id=org_1243412&
7
    state=aHR0cHM6Ly95b3Vyc2Fhcy5jb20vZGVlcGxpbms%3D

Parameters

Parameter	Requirement	Description
client_id	Required	Unique identifier obtained from the API credentials page
nonce	Optional	Random value for replay protection
organization_id	Required*	Identifier for the organization initiating SSO
connection_id	Required*	Identifier for the specific SSO connection
domain	Required*	Domain part of the email address configured for an organization
provider	Required*	Unique provider name for social login. Currently, we support the following providers: `google`, `microsoft`, `github`, `gitlab`, `linkedin`, `salesforce`
response_type	Required	Must be set to `code`
redirect_uri	Required	URL where the response is sent, must match an authorized value
scope	Required	Must be set to `openid email profile`
state	Optional	Opaque string for request-response correlation
login_hint	Optional	Email address of the user for authentication hint

* One of organization_id, connection_id, domain, or provider must be provided.

Usage notes

The redirect_uri must exactly match one of the authorized redirect values set in the API credentials page.
The state parameter is recommended for security purposes, including protection against cross-site request forgery.
The login_hint can be used to prefill login information at the identity provider.

SDK usage

1
import { ScalekitClient } from '@scalekit-sdk/node';
2

3
const scalekit = new ScalekitClient('https://your-subdomain.scalekit.dev', '<SCALEKIT_CLIENT_ID>', '<SCALEKIT_CLIENT_SECRET>');
4

5
const options = {
6
  loginHint: 'user@example.com',
7
  organizationId: 'org_123235245',
8
};
9

10
const authorizationURL = scalekit.getAuthorizationUrl(redirectUri, options);

1
from scalekit import ScalekitClient, AuthorizationUrlOptions
2

3
scalekit = ScalekitClient(
4
  'https://your-subdomain.scalekit.dev',
5
  '<SCALEKIT_CLIENT_ID>',
6
  '<SCALEKIT_CLIENT_SECRET>'
7
)
8

9
options = AuthorizationUrlOptions(
10
  organization_id="org_12345",
11
  login_hint="user@example.com",
12
)
13

14
authorization_url = scalekit.get_authorization_url(
15
  redirect_uri,
16
  options
17
)

1
import (
2
  "github.com/scalekit/scalekit-sdk-go"
3
)
4

5
func main() {
6
  scalekitClient := scalekit.NewScalekitClient(
7
    "https://your-subdomain.scalekit.dev",
8
    "<SCALEKIT_CLIENT_ID>",
9
    "<SCALEKIT_CLIENT_SECRET>"
10
  )
11

12
  options := scalekitClient.AuthorizationUrlOptions{
13
    OrganizationId: "org_12345",
14
    LoginHint: "user@example.com",
15
  }
16

17
  authorizationURL := scalekitClient.GetAuthorizationUrl(
18
    redirectUrl,
19
    options,
20
  )
21
}

1
package com.scalekit;
2

3
import com.scalekit.ScalekitClient;
4
import com.scalekit.internal.http.AuthorizationUrlOptions;
5

6
public class Main {
7
  public static void main(String[] args) {
8
    ScalekitClient scalekitClient = new ScalekitClient(
9
      "https://your-subdomain.scalekit.dev",
10
      "<SCALEKIT_CLIENT_ID>",
11
      "<SCALEKIT_CLIENT_SECRET>"
12
    );
13
    AuthorizationUrlOptions options = new AuthorizationUrlOptions();
14
    // Option 1: Authorization URL with the organization ID
15
    options.setOrganizationId("org_13388706786312310");
16
    // Option 2: Authorization URL with the connection ID
17
    options.setConnectionId("con_13388706786312310");
18
    // Option 3: Authorization URL with login hint
19
    options.setLoginHint("user@example.com");
20

21
    try {
22
      String url = scalekitClient.authentication().getAuthorizationUrl(redirectUrl, options).toString();
23
    } catch (Exception e) {
24
      System.out.println(e.getMessage());
25
    }
26
  }
27
}

When constructing your authorization URL, you need to specify which connection to use. The system follows a specific precedence order when multiple parameters are provided:

provider: If this parameter is present, all other connection parameters are ignored, and the user is directed to the Google login screen if provider=google.
connection_id: Takes highest precedence among enterprise SSO parameters. If provided with a valid value, this specific connection will be used regardless of other parameters. If invalid, the authorization will fail.
organization_id: Used when no valid connection_id is provided. It uses the SSO connection configured for the specified organization.
domain: Used when neither connection_id nor organization_id are provided. The system will use the SSO connection configured for the specified domain.
login_hint: Lowest precedence. The system extracts the domain portion of the email address and uses the corresponding SSO connection.

If multiple parameters are provided (e.g., both domain and organization_id), the system will follow this precedence order to determine which parameter takes effect.

If multiple parameters are provided (e.g., both domain and organization_id), the system will follow this precedence order to determine which parameter takes effect.