Authorization Code Flow

For integration, OpenID Connect Authorization Code Flow is used. More details on implementing Authorization Code Flow with Identity and Access Management and request examples can be found in the Identity and Access Management documentation.

A sequence diagram of the entire flow for a successful user authorization is provided below.


Sequence diagram of the authorization code flow with additional explanation provided in this topic

  1. A customer accesses the website of the third-party standalone application. Since the user is not logged in, the third-party website responds with a redirect to the Utility Identity and Access Management [IDCS_IAM_URL]/oauth2/v1/authorize endpoint. This endpoint requires a redirect_uri parameter containing a callback URL, which defines where to return the user after successful authentication.
  2. The Utility Identity and Access Management instance responds with a redirect to the Utility Identity Provider (IdP) to begin the authentication process according to the SAML or OpenID protocol.
  3. The Utility IdP displays the login form to the user.
  4. The user provides credentials in the login form and submits it to the Utility IdP. Upon successful authentication on the Utility IdP side, the user is redirected back to the Utility IAM with an authentication assertion, according to the SAML or OpenID protocol.
  5. The user is now logged in to the Utility Identity and Access Management instance, which then redirects the browser back to the third-party application callback URL.
  6. The user visits the third-party application callback URL with AuthCode provided as a query parameter.
  7. The third-party application makes a call to [IDCS_IAM_URL]/oauth2/v1/token endpoint of the Utility Identity and Access Management instance providing the AuthCode and client credentials. The Utility Identity and Access Management instance responds back with an ID token, an access token, and optionally a refresh token.
  8. The third-party application makes a customer data request call to the Oracle Utilities Opower GraphQL API, authorized by the access token with pre-defined scopes. For more information on scopes, refer to the GraphQL API Documentation.
  9. The third-party application issues a session cookie and displays the website to the logged-in customer, including the applicable data and insights from the Oracle Utilities Opower GraphQL API call.
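A minimal relying-party implementation of steps 1, 6 and 7 of this flow, as an added example rather than Oracle's own code: it assumes constructed placeholder values for the IAM host, client ID and client secret, and sends the token request through an injectable callable so it can be exercised offline. It also shows the per-session `state` check that lets the callback handler reject forged callbacks.

```python
"""Relying-party side of the Authorization Code Flow (added example, not Oracle code).
IAM_URL stands in for [IDCS_IAM_URL]; all credential values are constructed."""
import base64
import json
import secrets
import urllib.parse
import urllib.request

IAM_URL = "https://iam.example.invalid"  # placeholder for [IDCS_IAM_URL]


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Step 1: the redirect target. `state` is an unguessable per-session value
    (e.g. secrets.token_urlsafe(32)) stored server-side and checked in step 6."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes),
              "state": state}
    return f"{IAM_URL}/oauth2/v1/authorize?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 6: extract the AuthCode from the callback URL, refusing it unless
    the returned state matches the one issued for this user's session."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(query["error"][0])
    returned = query.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise PermissionError("state mismatch: callback not initiated by us")
    return query["code"][0]


def exchange_code(code, client_id, client_secret, redirect_uri, post=None):
    """Step 7: server-to-server token request. The client secret travels only
    in an HTTP Basic header over TLS and never reaches the browser."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code",
                                   "code": code,
                                   "redirect_uri": redirect_uri}).encode()
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    post = post or _http_post
    return json.loads(post(f"{IAM_URL}/oauth2/v1/token", body, headers))


def _http_post(url, body, headers):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()
```

The access token in the returned JSON is then sent as a Bearer token on the GraphQL request of step 8, and the redirect_uri passed in step 7 must be the same value used in step 1.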