This documentation outlines the Oauth 2.0 + OpenID endpoints implemented by InCrowd for the purpose of SSO.
\nThe standard client flow will follow the Authorization Code flow as defined in the OAuth 2.0 spec.
This diagram outlines this flow from a user perspective:
![](\"https://media-cdn.incrowdsports.com/ac803f00-c08b-4d6b-8421-4a490203d47b.png\")
\n\nNote: The state parameter can be used to return the user back to where they were before initiating the login/registration flow. Before redirecting the user in step 2., generate a UUID for the state param and store the current URL path against this value in either a cookie or local storage. When the user is redirected back, the state param is returned in the URL and can be used to fetch the original URL path from the cookie or local storage.
Returns OpenID Connect metadata about the Authorization Server for a given client ID.
\n","urlObject":{"path":[".well-known","openid-configuration"],"host":["{{url}}"],"query":[{"description":{"content":"Required - Client ID provisioned by InCrowd
\n","type":"text/plain"},"key":"client_id","value":"INCROWD"}],"variable":[]}},"response":[{"id":"3d3978a3-2b8c-479c-89e6-52a5f9cff66f","name":"Open ID Configuration","originalRequest":{"method":"GET","header":[],"body":{"mode":"urlencoded","urlencoded":[]},"url":{"raw":"{{url}}/.well-known/openid-configuration?client_id=INCROWD","host":["{{url}}"],"path":[".well-known","openid-configuration"],"query":[{"key":"client_id","value":"INCROWD","description":"Required - Client ID provisioned by InCrowd"}]}},"_postman_previewlanguage":"json","header":null,"cookie":[],"responseTime":null,"body":"{\n \"issuer\": \"{{websiteUrl}}\",\n \"authorization_endpoint\": \"{{websiteUrl}}/oauth/authorize\",\n \"token_endpoint\": \"{{url}}/oauth/token\",\n \"jwks_uri\": \"{{url}}/oauth/keys?client_id=INCROWD\",\n \"response_types_supported\": [\n \"code\"\n ],\n \"scopes_supported\": [\n \"openid\",\n \"profile\",\n \"email\",\n \"address\",\n \"phone\"\n ],\n \"grant_types_supported\": [\n \"password\",\n \"refresh_token\",\n \"register\",\n \"register_minor\",\n \"anonymous\",\n \"authorization_code\"\n ],\n \"id_token_signing_alg_values_supported\": [\n \"RS256\"\n ],\n \"subject_types_supported\": [\n \"public\"\n ],\n \"userinfo_endpoint\": \"{{url}}/oauth/userinfo\",\n \"claims_supported\": [\n \"aud\",\n \"exp\",\n \"jti\",\n \"iat\",\n \"iss\",\n \"nbf\",\n \"sub\",\n \"client_id\",\n \"first_name\",\n \"last_name\",\n \"email\",\n \"minor_id\",\n \"scope\",\n \"authorities\",\n \"ati\"\n ]\n}"}],"_postman_id":"3212378c-906c-48e2-a47a-117b0ffbd723"},{"name":"OAuth Authorization Server","id":"6e585265-efe2-4457-8963-c1b98b3d297a","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"body":{"mode":"urlencoded","urlencoded":[]},"url":"{{url}}/.well-known/oauth-authorization-server?client_id=INCROWD","description":"Returns OAuth 2.0 metadata about the Authorization Server for a given client ID.
\n","urlObject":{"path":[".well-known","oauth-authorization-server"],"host":["{{url}}"],"query":[{"description":{"content":"Required - Client ID provisioned by InCrowd
\n","type":"text/plain"},"key":"client_id","value":"INCROWD"}],"variable":[]}},"response":[{"id":"51e79891-6f58-4f86-bdee-30656955036d","name":"OAuth Authorization Server","originalRequest":{"method":"GET","header":[],"body":{"mode":"urlencoded","urlencoded":[]},"url":{"raw":"{{url}}/.well-known/oauth-authorization-server?client_id=INCROWD","host":["{{url}}"],"path":[".well-known","oauth-authorization-server"],"query":[{"key":"client_id","value":"INCROWD","description":"Required - Client ID provisioned by InCrowd"}]}},"_postman_previewlanguage":"json","header":null,"cookie":[],"responseTime":null,"body":"{\n \"issuer\": \"{{websiteUrl}}\",\n \"authorization_endpoint\": \"{{websiteUrl}}/oauth/authorize\",\n \"token_endpoint\": \"{{url}}/oauth/token\",\n \"jwks_uri\": \"{{url}}/oauth/keys?client_id=INCROWD\",\n \"response_types_supported\": [\n \"code\"\n ],\n \"scopes_supported\": [\n \"openid\",\n \"profile\",\n \"email\",\n \"address\",\n \"phone\"\n ],\n \"grant_types_supported\": [\n \"password\",\n \"refresh_token\",\n \"register\",\n \"register_minor\",\n \"anonymous\",\n \"authorization_code\"\n ],\n \"code_challenge_methods_supported\": [\n \"S256\"\n ]\n}"}],"_postman_id":"6e585265-efe2-4457-8963-c1b98b3d297a"},{"name":"Keys","id":"a9b6a300-3a46-4da4-8b4b-41cdea1edf36","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"body":{"mode":"urlencoded","urlencoded":[]},"url":"{{url}}/oauth/keys?client_id=INCROWD","description":"Returns a JSON Web Key Set (JWKS) that contains the public keys that can be used to verify the signatures of tokens for a given client ID.
\n","urlObject":{"path":["oauth","keys"],"host":["{{url}}"],"query":[{"description":{"content":"Required - Client ID provisioned by InCrowd
\n","type":"text/plain"},"key":"client_id","value":"INCROWD"}],"variable":[]}},"response":[{"id":"39c90716-94e7-4dab-af64-315b0fbec8e5","name":"Keys","originalRequest":{"method":"GET","header":[],"body":{"mode":"urlencoded","urlencoded":[]},"url":{"raw":"{{url}}/oauth/keys?client_id=INCROWD","host":["{{url}}"],"path":["oauth","keys"],"query":[{"key":"client_id","value":"INCROWD"}]}},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"281"},{"key":"Connection","value":"keep-alive"},{"key":"Cache-Control","value":"max-age=300"},{"key":"Date","value":"Thu, 04 Mar 2021 13:43:07 GMT"},{"key":"Vary","value":"Origin"},{"key":"X-Cache","value":"Miss from cloudfront"},{"key":"Via","value":"1.1 6ee1ff35a93d86a6b935b6d59393098c.cloudfront.net (CloudFront)"},{"key":"X-Amz-Cf-Pop","value":"LHR62-C4"},{"key":"X-Amz-Cf-Id","value":"YpAsJyrJtANlzyU4Jjd_z5s1gQ_B0JWfsakS7dXDFbbqbhLUM-defg=="}],"cookie":[],"responseTime":null,"body":"{\n \"keys\": [\n {\n \"alg\": \"RS256\",\n \"e\": \"AQAB\",\n \"kid\": \"hDVojLgTUBlwhzRDCrg68ItFWxn65oM1\",\n \"kty\": \"RSA\",\n \"n\": \"sMwA6AZmwNoIpIEk-0rgExOzBa7GB54kdR034VreaGyQtVLSmFJ7z-8dGXLSh4OmyTCpxiBapn4uBxmF05KpA7Nqbg66NNsLhmnNE_qBImMVUIABxzA4RjkxocWRdh_qANNtlK9zil4DFxDHnJE3xxz_ONkT2nc-Gj8FfbHtjnk\",\n \"use\": \"sig\"\n }\n ]\n}"}],"_postman_id":"a9b6a300-3a46-4da4-8b4b-41cdea1edf36"},{"name":"Authorize (Resource Server / SP)","id":"be35ab3a-d573-478f-a83a-c4cf590cf3e2","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"noauth","isInherited":false},"method":"GET","header":[],"url":"{{url}}/oauth/authorize?client_id=INCROWD&redirect_uri=https://incrowdsports.com&response_type=code&scope=openid profile&state=6917cd02-a479-4994-86ff-8e266640afb9&code_challenge=qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es=&code_challenge_method=S256&nonce=89942aef-ef30-41ff-bf55-81c5c8235b98","description":"The user is sent here from the Resource Server / Service Provider (SP) to interact with the resource owner and obtain an authorization grant. This is a starting point for browser-based OpenID Connect flows such as the authorization code flow.
\n\nThe users browser will be redirected back to the redirect_uri once the user has completed the grant.
A successful callback:https://incrowdsports.com?code=QnowT-aeawtOJKp-MtkH&state=e97f03dd-d006-4e2d-8aa6-c221702a29ec
code: an opaque value that can be used to redeem tokens from the token endpoint. The code has a lifetime of 60 seconds.state: the unmodified state value from the request.
An error response:https://incrowdsports.com?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed
error_description: additional error information (if any)error: the error code, if something went wrong
Required - Client to authenticate against. Client ID provisioned by InCrowd.
\n","type":"text/plain"},"key":"client_id","value":"INCROWD"},{"description":{"content":"Required - Callback location where the authorization code or tokens should be sent.
\n","type":"text/plain"},"key":"redirect_uri","value":"https://incrowdsports.com"},{"description":{"content":"Required - Response type of the authorization. Supported values: code
Required - Scope that is being requests, requires openid. Supported values: profile, email, address, phone
Required - Opaque value used to maintain state between the request and the callback to help mitigate against Cross-Site Request Forgery (CSRF, XSRF). The value will be returned in the response.
\n","type":"text/plain"},"key":"state","value":"d432edb3-ab48-4817-87b7-0b5131b9287f"},{"description":{"content":"Optional - Used in PKCE flow. The challenge is verified in the access token request.
\n","type":"text/plain"},"key":"code_challenge","value":"qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es="},{"description":{"content":"Optional - Method used to dervice the code challenge in PCKE flow. Supported values: S256
Optional - Used to associate a Client session with an ID Token, and to mitigate replay attacks
\n","type":"text/plain"},"key":"nonce","value":"95ce1b8e-1b84-47ba-bc0d-cef8e78f813d"}],"variable":[]}},"response":[{"id":"b6f9b202-5c30-4cf6-beb2-351b5dff0204","name":"Authorize","originalRequest":{"method":"GET","header":[],"url":{"raw":"{{url}}/oauth/authorize?client_id=INCROWD&redirect_uri=https://incrowdsports.com&response_type=code&scope=openid profile&state=f0cd91fd-fa10-404a-8acf-52b825ab96ed","host":["{{url}}"],"path":["oauth","authorize"],"query":[{"key":"client_id","value":"INCROWD"},{"key":"redirect_uri","value":"https://incrowdsports.com"},{"key":"response_type","value":"code"},{"key":"scope","value":"openid profile"},{"key":"state","value":"f0cd91fd-fa10-404a-8acf-52b825ab96ed"}]}},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Content-Type","value":"application/json"},{"key":"Content-Length","value":"175"},{"key":"Connection","value":"keep-alive"},{"key":"Access-Control-Allow-Origin","value":"*"},{"key":"Date","value":"Thu, 04 Mar 2021 13:44:21 GMT"},{"key":"Vary","value":"Origin"},{"key":"X-Cache","value":"Miss from cloudfront"},{"key":"Via","value":"1.1 6ee1ff35a93d86a6b935b6d59393098c.cloudfront.net (CloudFront)"},{"key":"X-Amz-Cf-Pop","value":"LHR62-C4"},{"key":"X-Amz-Cf-Id","value":"oLlmYngelq0RsCD0oUQnY-QdrfWu7kKGr-RXuxTGz7tdA5CXGhq8LQ=="}],"cookie":[],"responseTime":null,"body":""}],"_postman_id":"be35ab3a-d573-478f-a83a-c4cf590cf3e2"},{"name":"Authorize (Authorization Server / IdP)","id":"5c1b2aff-8201-4eb9-9115-20b93ad02646","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"auth":{"type":"oauth2","oauth2":{"basicConfig":[]},"isInherited":false},"method":"POST","header":[{"key":"Content-Type","value":"application/x-www-form-urlencoded"},{"key":"Origin","value":"https://login.incrowdsports.com","type":"text"},{"key":"Authorization","value":"Bearer {{access_token}}","type":"text"}],"body":{"mode":"urlencoded","urlencoded":[{"key":"client_id","value":"INCROWD","description":"Required - Client to authenticate against. Client ID provisioned by InCrowd.
\n","type":"text"},{"key":"redirect_uri","value":"https://incrowdsports.com","description":"Required - Callback location where the authorization code or tokens should be sent.
\n","type":"text"},{"key":"response_type","value":"code","description":"Required - Response type of the authorization. Supported values: code
Required - Scope that is being requests, requires openid. Supported values: profile, email, address, phone
Required - Opaque value used to maintain state between the request and the callback to help mitigate against Cross-Site Request Forgery (CSRF, XSRF). The value will be returned in the response.
\n","type":"text"},{"key":"code_challenge","value":"qjrzSW9gMiUgpUvqgEPE4_-8swvyCtfOVvg55o5S_es=","description":"Optional - Used in PKCE flow. The challenge is verified in the access token request.
\n","type":"text"},{"key":"code_challenge_method","value":"S256","description":"Optional - Method used to dervice the code challenge in PCKE flow. Supported values: S256
Optional - Used to associate a Client session with an ID Token, and to mitigate replay attacks
\n","type":"text"}]},"url":"{{url}}/oauth/authorize","description":"This endpoint is used by the frontend of the Authorization Server / Identity Provider (Idp) to:
a. validate the parameters, and
b. complete the user grant before redirecting the user browser back to the redirect_uri
Required - Client to authenticate against. Client ID provisioned by InCrowd.
\n","key":"client_id","type":"text","value":"INCROWD"},{"key":"grant_type","value":"authorization_code","description":"Required - Must be authorization_code for this flow
Required - This must match the redirect_uri sent in the authorization code request.
\n","type":"text"},{"key":"device_id","value":"acb93057-1b6b-4152-9990-6d078b74335a","description":"Required - UUID to identify the users device
\n","type":"text"},{"key":"code","value":"b25de70f-7a3c-43c8-a87a-291d85c3eb7f","description":"Required - Short lived code returned by authorize endpoint
\n","type":"text"},{"key":"code_verifier","value":"M25iVXpKU3puUjFaYWg3T1NDTDQtcW1ROUY5YXlwalNoc0hhakxifmZHag","description":"Optional - Used in PKCE flow, to recompute the code_challenge and verify if it matches the original code_challenge
\n","type":"text"}]},"url":"{{url}}/oauth/token","description":"This endpoint returns access tokens, ID tokens, and refresh tokens by exchanging a code returned in the callback from the authorize endpoint as part of the Authorization Code flow.
It is the second step in the Authorization Code flow.
Error response format:
\n{\n \"error\": \"invalid_client\",\n \"error_description\": \"Bad client credentials\"\n}\nerror_description: additional error information (if any)error: the error code, if something went wrong
Return claims about the authenticated end user.
\n","urlObject":{"path":["oauth","userinfo"],"host":["{{url}}"],"query":[],"variable":[]}},"response":[{"id":"3fa38524-26ce-4069-b1fd-908b83502ea4","name":"User Info","originalRequest":{"method":"GET","header":[{"key":"Authorization","value":"Bearer {{access_token}}","type":"text"}],"body":{"mode":"urlencoded","urlencoded":[]},"url":"{{url}}/oauth/userinfo"},"status":"OK","code":200,"_postman_previewlanguage":"json","header":[{"key":"Content-Type","value":"text/plain; charset=utf-8"},{"key":"Content-Length","value":"19"},{"key":"Connection","value":"keep-alive"},{"key":"Date","value":"Thu, 04 Mar 2021 14:12:11 GMT"},{"key":"X-Content-Type-Options","value":"nosniff"},{"key":"Vary","value":"Origin"},{"key":"X-Cache","value":"Error from cloudfront"},{"key":"Via","value":"1.1 0bf3f0b7038d55ea4f178432aa6ddc53.cloudfront.net (CloudFront)"},{"key":"X-Amz-Cf-Pop","value":"LHR62-C4"},{"key":"X-Amz-Cf-Id","value":"ncJ3rwS9B1HSgnfI_NKeMYt-R1XZQqyDFXPDjImvqSbwAp3KYb9CMA=="}],"cookie":[],"responseTime":null,"body":"{\n \"sub\": \"123\",\n \"name\": \"First Last\",\n \"given_name\": \"First\",\n \"family_name\": \"Last\",\n \"middle_name\": \"Other\",\n \"preferred_username\": \"Example\",\n \"email\": \"test@example.com\",\n \"email_verified\": false,\n \"gender\": \"male\",\n \"birthdate\": \"1990-09-12\",\n \"locale\": \"en\",\n \"phone_number\": \"07777777777\",\n \"phone_number_verified\": false,\n \"address\": {\n \"street_address\": \"1 Street\",\n \"locality\": \"Brighton\",\n \"postal_code\": \"BN14LK\",\n \"country\": \"GB\"\n },\n \"updated_at\": 1614866718,\n \"external_ids\": [\n {\n \"provider\": \"SPORTS_ALLIANCE\",\n \"user_id\": \"OhFk_A4Fu063nACmUEmA0Q\",\n \"created_at\": 1621420685,\n \"updated_at\": 1621420685\n }\n ]\n}"}],"_postman_id":"6cf28014-1195-4dfe-b975-8c825335fae2"},{"name":"End Session / Logout","id":"6788dfcf-225f-4876-8b89-61addddb864b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[],"body":{"mode":"urlencoded","urlencoded":[{"key":"id_token_hint","value":"","description":"Required - A valid user token e.g. access token or ID token
\n","type":"text"},{"key":"post_logout_redirect_uri","value":"","description":"Optional - The redirect URI the RP requested the user to be redirected to. This will be validated against the list of allowed logout redirect URIs.
\n","type":"text"}]},"url":"{{url}}/oauth/logout","description":"This endpoint is used to invalidate all refresh tokens associated with a user if a id_token_hint is supplied and validate a logout redirect URI provided by a Relaying Party against the list of allowed logout redirect URIs configured.