Single Sign-On (SSO)

Update Time: 2025-06-11 08:01:00
Edit

This article describes how to use Authing to achieve application account access and single sign-on.

What is Single Sign-On

Let's illustrate with an example. Suppose there is a university with two internal systems, one is the mailbox system, and the other is the timetable query system. Now I want to achieve this effect: log in once in the mailbox system, and then enter the website of the curriculum system at this time, without logging in again, the curriculum website system directly jumps to the personal curriculum page, and vice versa. The more professional definitions are as follows:

Single Sign-On, referred to as SSO, is one of the more popular solutions for enterprise business integration. The definition of SSO is that in multiple application systems, users only need to log in once to access all mutually trusted application systems.

Authing Browser SDK

Based on the OIDC standard web application authentication SDK, you can complete the integration with Authing by calling the SDK, and realize the cross-main domain single sign-on effect in the browser for your multiple business software.

Create Self-built App

You can also use existing apps

On the "self-built application" page of the Authing Console (opens new window), click "create", select "SPA" for the application type, and fill in the following information:

  • Application Name: your app name;
  • Subdomain: select a second-level domain name, which must be in a legal domain name format, such as my-spa-app;

Configure SSO

Refer to the Self-built App SSO solution

Change Settings

Find the application you just configured, click to enter the configuration page, you need to update the following configuration items:

  • Authentication Configuration: Configure your Login Callback URL
  • Authorization Configuration: Authorization Flow enables authorization_code, refresh_token
  • Authorization Configuration: Return Type enables code

Click Save to save the configuration, as shown in the following figure:

Install

Authing Browser SDK supports integration into your front-end business software through package manager installation and script tag introduction.

Use NPM

$ npm install @authing/web

Use Yarn

$ yarn add @authing/web

Use script tag

<script src="https://cdn.jsdelivr.net/npm/@authing/web"></script>
<script>
  const sdk = new Authing({
    // Very important, please fill in carefully!
    // If the application enables SSO, you must write the "App Panel Address" for SSO here;
    // otherwise, fill in the application's "Subdomain".
    domain: "SSO App Panel Address",
    appId: "App ID",
    // The login callback address needs to be specified in the console
    // "Configuration - Authentication Configuration - Login Callback URL"
    redirectUri: "Login Callback URL",
  });
</script>

Initialize

App ID

as the picture shows:

Domain

as the picture shows:

Callback URL

Fill in the callback address according to your own business, as shown in the figure:

In order to use the Authing Browser SDK, you need to fill in the App ID, domain, callback url and other parameters, as shown in the following example:

import { Authing } from "@authing/web";

const sdk = new Authing({
  // Very important, please fill in carefully!
  // If the application enables SSO, you must write the "App Panel Address" for SSO here;
  // otherwise, fill in the application's "Subdomain".
  domain: "SSO App Panel Address",
  appId: "App ID",
  // The login callback address needs to be specified in the console
  // "Configuration - Authentication Configuration - Login Callback URL"
  redirectUri: "Login Callback URL",
});

Log in

The Authing Browser SDK can initiate authentication and authorization requests to Authing. Currently, three forms are supported:

  1. Redirect to the login page hosted by Authing in the current window;
  2. A pop-up window loads the Authing-hosted login page in the pop-up window.
  3. silent login

Redirect login

If you want to customize the parameters, you can also customize the following parameters. If you do not pass the parameters, the default parameters will be used.

You can also use the following method on your business software page to let users log in in a new window by popping up a new window:

If you want to customize the parameters, you can also customize the following parameters. If you do not pass the parameters, the default parameters will be used.

Silent login

As mentioned in the article Self-built App SSO solution, multiple self-built applications can be added to the SSO panel. If the user has already logged in to one of the applications, he can access other applications in another tab of the same browser. When the application is used, it can realize silent login, directly obtain user information, and realize the effect of single sign-on.

Advanced usage

The essence of each login is to access a URL, which can carry many parameters. The Authing Browser SDK uses default parameters by default. If you need fine-grained control over login request parameters, you can refer to this example.

import { Authing } from "@authing/web";

const sdk = new Authing({
  // Very important, please fill in carefully!
  // If the application enables SSO, you must write the "App Panel Address" 
  // for SSO here; otherwise, fill in the application's "Subdomain".
  domain: "SSO App Panel Address",

  appId: "App ID",

  // The login callback address needs to be specified in the
  // console "Configuration - Authentication Configuration - Login Callback URL"
  redirectUri: "Login Callback URL",

  // The permissions the app requests from Authing, separated by spaces,
  // defaults to 'openid profile'
  scope: "openid email phone profile",

  // Where to carry identity credentials when callback, default is fragment
  // fragment: carried in the URL hash
  // query: carried in query parameters
  responseMode: "fragment",

  // Whether to use OIDC implicit mode to replace the default PKCE mode
  // Due to the low security of implicit mode, it is not recommended to be used,
  // only for compatibility with browsers that do not support crypto
  useImplicitMode: false,

  // The type of credentials returned by implicit mode, the default is 'token id_token'
  // token: returns the Access Token
  // id_token: returns ID Token
  implicitResponseType: "token id_token",

  // Whether to request Authing to check the validity of the Access Token every time 
  // the login status is obtained, it can be used in a single sign-out scenario, 
  // default is false If set to true, you need to set "Configuration" - 
  // "Other Configuration" - "Client Verification Method for Validating Token" 
  // to none in the console
  introspectAccessToken: false,

  // width of the popup window
  popupWidth: 500,

  // height of the popup window
  popupHeight: 600,
});

Check login status and get Token

If you want to check the user's login state and get the user's Access Token, ID Token, you can call the getLoginState method. If the user is not logged in at Authing, this method will throw an error:

Get user information

You need to use the Access Token to get the user's personal information:

  1. When the user logs in successfully for the first time, they can get the user's Access Token in the callback function, and then use the Access Token to obtain user information;
  2. If the user is already logged in, you can first obtain the user's Access Token and then use the Access Token to obtain user information.

Sign out

You can call the logoutWithRedirect method of the SDK to log out

Code reference

Get help

  1. Join us on Gitter: #authing-chat (opens new window)