
Authorization URL

The authorization URL is the first step in the single sign-on flow: your application redirects the user to Scalekit, which authenticates the user with the appropriate identity provider.

Your application constructs a URL with specific parameters that tell the authorization server (in this case: Scalekit) what the app is requesting. This URL looks like:

```
https://your-subdomain.scalekit.dev/oauth/authorize?
response_type=code&
client_id=skc_1234&
scope=openid%20profile&
redirect_uri=https%3A%2F%2Fyoursaas.com%2Fcallback&
organization_id=org_1243412&
state=aHR0cHM6Ly95b3Vyc2Fhcy5jb20vZGVlcGxpbms%3D
```

| Parameter | Requirement | Description |
| --- | --- | --- |
| client_id | Required | Unique identifier obtained from the API credentials page |
| nonce | Optional | Random value for replay protection |
| organization_id | Required* | Identifier for the organization initiating SSO |
| connection_id | Required* | Identifier for the specific SSO connection |
| domain | Required* | Domain part of the email address configured for an organization |
| provider | Required* | Unique provider name for social login. Currently, we support the following providers: google, microsoft, github, gitlab, linkedin, salesforce |
| response_type | Required | Must be set to code |
| redirect_uri | Required | URL where the response is sent, must match an authorized value |
| scope | Required | Must be set to openid email profile |
| state | Optional | Opaque string for request-response correlation |
| login_hint | Optional | Email address of the user for authentication hint |

* One of organization_id, connection_id, domain, or provider must be provided.

  1. The redirect_uri must exactly match one of the authorized redirect values set in the API credentials page.
  2. The state parameter is recommended for security purposes, including protection against cross-site request forgery.
  3. The login_hint can be used to prefill login information at the identity provider.
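
```javascript
import { ScalekitClient } from '@scalekit-sdk/node';

// Initialize the client with your environment URL and API credentials.
const scalekit = new ScalekitClient('https://your-subdomain.scalekit.dev', '<SCALEKIT_CLIENT_ID>', '<SCALEKIT_CLIENT_SECRET>');

// Must exactly match a redirect URI authorized on the API credentials page.
const redirectUri = 'https://yoursaas.com/callback';

const options = {
  loginHint: 'user@example.com',
  organizationId: 'org_123235245',
};
const authorizationURL = scalekit.getAuthorizationUrl(redirectUri, options);
```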
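
The state handling recommended in note 2, as an added example that is not part of Scalekit's documentation or SDK: the app keeps a random one-time token in its server-side session, packs it into state together with the deep link to resume, and on the callback rejects a mismatched or replayed state and any deep link that leaves the app's origin. The names beginLogin, finishLogin, the session object and APP_ORIGIN are assumptions.

```javascript
// Added example. beginLogin, finishLogin, the session object and APP_ORIGIN are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto; // global in Node 20+
const AUTHORIZE = 'https://your-subdomain.scalekit.dev/oauth/authorize';
const APP_ORIGIN = 'https://yoursaas.com'; // assumed origin of the redirect_uri
const randomToken = () =>
  Buffer.from(webcrypto.getRandomValues(new Uint8Array(32))).toString('base64url');

// Step 1: remember a one-time token server-side and send it inside state.
function beginLogin(session, { organizationId, returnTo }) {
  session.csrf = randomToken();
  const state = Buffer.from(JSON.stringify({ csrf: session.csrf, returnTo })).toString('base64url');
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: 'skc_1234', // sample value from the page
    scope: 'openid email profile',
    redirect_uri: `${APP_ORIGIN}/callback`,
    organization_id: organizationId,
    state,
  });
  return `${AUTHORIZE}?${params}`;
}

// Compare without stopping at the first differing character.
function safeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Step 2 (callback): returns the path to resume, or null when state must be rejected.
function finishLogin(session, stateFromQuery) {
  const expected = session.csrf;
  delete session.csrf; // single use: a replayed callback finds nothing to match
  let parsed;
  try {
    parsed = JSON.parse(Buffer.from(String(stateFromQuery), 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (!expected || typeof parsed?.csrf !== 'string' || !safeEqual(parsed.csrf, expected)) return null;
  try {
    // Resolve against our origin; absolute or protocol-relative targets elsewhere fall back to "/".
    const target = new URL(typeof parsed.returnTo === 'string' ? parsed.returnTo : '/', APP_ORIGIN);
    return target.origin === APP_ORIGIN ? target.pathname + target.search : '/';
  } catch {
    return '/';
  }
}
```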

When constructing your authorization URL, you need to specify which connection to use. The system follows a specific precedence order when multiple parameters are provided:

  1. provider: If this parameter is present, all other connection parameters are ignored. For example, provider=google sends the user to the Google login screen.

  2. connection_id: Takes highest precedence among enterprise SSO parameters. If provided with a valid value, this specific connection will be used regardless of other parameters. If invalid, the authorization will fail.

  3. organization_id: Used when no valid connection_id is provided. It uses the SSO connection configured for the specified organization.

  4. domain: Used when neither connection_id nor organization_id is provided. The system will use the SSO connection configured for the specified domain.

  5. login_hint: Lowest precedence. The system extracts the domain portion of the email address and uses the corresponding SSO connection.

If multiple parameters are provided (e.g., both domain and organization_id), the system will follow this precedence order to determine which parameter takes effect.
