Overview

Reapit Connect is our hosted identity solution designed to allow applications to securely authenticate Reapit users against a single, trusted identity. Backed by our OpenID Connect compliant system, it is quick and easy to build applications that adhere to best security practices and extend an excellent experience to your users.

Building your application with Reapit Connect is our recommended way to interact with our Platform.

Why use Reapit Connect

Simplicity

Reapit Connect removes the overhead of having to build and maintain a user credential directory for your app. Instead, users can be securely authenticated against a single, trusted Reapit identity.

Security

Our identity provision is an implementation of OpenId Connect, the defacto industry standard for authentication and authorisation for web and mobile applications. Simply put, you don't need to worry about securely capturing or storing user credentials - we do that part for you.

Single sign on

Reapit Connect supports single sign on (SSO) to allow authenticated sessions to be shared between any application using Reapit Connect to manage its authentication. The experience of interacting with your application is streamlined as users aren't re-prompted for their credentials.

Cross platform

You can use Reapit Connect to authenticate users regardless of your front or back end technologies. Reapit Connect is agnostic of technology and integration is as simple as a redirect to our hosted login screen and a subsequent REST API call.

Trust

Your users will be presented with a unified login screen from a brand they already know and trust. They will receive the same user experience as they do from other Reapit applications and of those that exist in our AppMarket.

AppMarket integration

Registering your application

Registering your app in our AppMarket is the first step for it to be able to interact with Reapit customer data.

Our application submission page will capture information about your application, including the details required for integration with Reapit Connect.

• Select Authenticate with Reapit Connect as your required authentication flow **

• Provide one or more redirect URLs and a logout URL to define the acceptable URLs that Reapit Connect is permitted to redirect back to after a successful authentication or logout

Once you have successfully registered, you will be issued with a client id. You can obtain this by clicking your app in the My Apps area of our developer portal.

Customer installation

In order for Reapit Connect to authenticate your application on a users behalf, the user must belong to a Reapit customer that has opted to allow your application access to their data.

Customer administrators are able to control your applications access by choosing to install from our AppMarket. As part of this process, they will grant your application with any permissions (scopes) it requires to interact with Foundations API endpoints.

Authentication flow

OAuth 2.0 is an authorization framework that we use to allow a user to grant limited access to resources in our Foundations platform without having to expose their credentials.

We use the Authorization Code Grant **flow to authenticate, which is broken down into the following steps.

• Your application redirects the user to our Reapit Connect in the browser

• Reapit Connect presents the user with a login screen to capture their credentials

• Reapit Connect will direct the browser back to your application with an authorization code in the query string

• Your application exchanges the authorization code for tokens with a REST API call

Direct user to Reapit Connect

To initiate a login, your application should redirect users to our authorize endpoint:

https://connect.reapit.cloud/authorize?response_type=code&client_id=<client id>&redirect_uri=<redirect url>&state=<state>

Present login form

The user will be presented with a Reapit branded login screen where they are required to input their credentials and submit. They can also initiate password recovery for their Reapit identity from this form.

This step will be automatically skipped if the user has an authenticated session with Reapit Connect. The user will immediately be redirected back to your app.

Redirect back to your app

If the user provides valid credentials, Reapit Connect will redirect back to your application using the redirect_uri that was provided when directing the user to Reapit Connect.

A code parameter will be appended to the redirected URL, as well as any state you passed through to the authorize endpoint.

https://your_redirect_url?code=<code>&state=<state>

Exchange code for tokens

Once your application has successfully guided the user through the OAuth flow, you can extract the authorization code from the redirected URL. You are then able to use this code to exchange for JWT tokens for proof of authentication and access for Foundations resources. You can only attempt to exchange authorization codes once and they will expire 10 minutes after they have been issued.

To make the exchange, send a POST request to the endpoint below with Content-type set to application/x-www-form-urlencoded:

https://connect.reapit.cloud/token

If your request is properly formed and valid, you'll receive a response similar to below.

HTTP/1.1 200 OK
Content-Type: application/json

{ 
 "access_token" : "eyJz9sdfsdfsdfsd", 
 "refresh_token" : "dn43ud8uj32nk2je", 
 "id_token" : "dmcxd329ujdmkemkd349r",
 "token_type" : "Bearer", 
 "expires_in" : 3600
}

Making authenticated requests

If the user successfully logged in and your application performed the code exchange, you will receive a JSON payload containing a series of tamper proof JWT tokens:

Using access tokens

Access tokens (also known as bearer tokens) are designed to provide your application with access to protected resources on the users behalf.

You can access Foundations API endpoints by including the access token as an Authorization header in all requests your application issues, subject to the scopes that your application requested during registration.

Using identity tokens

Identity tokens are intended to provide proof of authentication with Reapit Connect. Your application should decode and validate the id token that it has been issued. There are a variety of third party libraries to help accomplish this and the token should not be trusted until validated.

When validating your id token, you will need the production well known public keys - these are publicly accessible at https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_eQ7dreNzJ/.well-known/jwks.json. Our Connect Session JS module decodes and verifies the id token for you (if you are using a client side application). Our implementation comes from the AWS examples here.

Once decoded, your application can inspect the claims that the id token includes. Claims provide information about the users identity such as the customer they work for, their email address and name which your application can make use of.

You can also issue a GET request to the following endpoint to get information on the user. Be sure to include your access token:

https://connect.reapit.cloud/oauth2/userInfo

Using refresh tokens

Access tokens issued from Reapit Connect will expire after 60 minutes. Refresh tokens provide your application with a means of retrieving a new set of tokens without requiring an interaction from the user. They are long lived and will continue to function until they are revoked.

To use a refresh token, issue a POST request to the endpoint below with Content-type set to application/x-www-form-urlencoded:

https://connect.reapit.cloud/token