
How to use Arc XP identity as IDP (OIDC)

A client (publisher) may have a web application or site that is not hosted by Arc XP, but to which it wants its existing customers, whose accounts are hosted by Arc XP, to be able to sign in. For this use case Arc XP has implemented a set of APIs that make it possible to use Arc XP as an identity provider (IdP) via the OIDC protocol.

When using Arc XP as an IdP (over the OIDC protocol), your application must be able to interact with Arc XP’s APIs as an OIDC client that implements the OIDC/OAuth authorization code flow with PKCE.

The flow of events when using Arc XP as an IdP looks like this (figure: "Events when using Arc XP as an IdP"):

  1. The user visits a site/application owned by the publisher but not hosted by Arc XP. The site has its own account management system, but as a convenience to the user, he/she is allowed to sign in using an account that has already been registered with Arc XP.
  2. The publisher’s site redirects the user to a sign-in page hosted by Arc XP. The redirect URL must include a hashed OIDC PKCE string issued by the client site, in addition to an OIDC state/session tracker also issued by the client site.
  3. The Arc XP hosted sign-in page ensures that the user is signed into his/her Arc XP account and then calls Arc XP’s OIDC login API, which returns an OIDC code flow token.
  4. The Arc XP hosted sign-in page redirects the user to the publisher’s site, passing the code flow token.
  5. The publisher’s site calls Arc XP’s token exchange API, passing the code flow token and receiving Arc XP’s access, refresh and ID tokens.
  6. The user is now signed into the publisher hosted site, which may call Arc XP hosted APIs on behalf of the user, or which tracks the user in its own database, knowing who he/she is based on the ID token received in step 5.
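As an added example (not Arc XP's code, and not taken from this page), here is the publisher-side half of steps 2 and 4 in Python: the PKCE verifier/challenge and the state are minted and kept server-side, only the hashed challenge and the state go into the redirect, and the callback is accepted only when the returned state matches the one this session issued. The sign-in URL, client id, redirect URI and query parameter names are assumptions; Arc XP's actual endpoint and parameter names are not given on this page.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: the page gives no endpoint URL or parameter names for Arc XP's
# sign-in page, so these are assumptions, not Arc XP's documented values.
ARC_SIGNIN_URL = "https://ARC-XP-SIGNIN-HOST/signin"     # assumption
CLIENT_ID = "publisher-client-id"                         # constructed value
REDIRECT_URI = "https://publisher.example/oidc/callback"  # constructed value


def code_challenge_from(verifier):
    """S256 method from RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_signin_redirect(session):
    """Step 2: mint a fresh PKCE verifier and state, keep both server-side, and
    send only the hashed challenge and the state to the Arc XP sign-in page."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    state = secrets.token_urlsafe(24)
    session["pkce_verifier"] = verifier
    session["oidc_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "code", "state": state,
              "code_challenge": code_challenge_from(verifier),
              "code_challenge_method": "S256"}
    return f"{ARC_SIGNIN_URL}?{urlencode(params)}"


def handle_callback(session, callback_url):
    """Step 4: accept the code only if the returned state matches the one this
    session issued; return (code, verifier) for the step 5 token exchange."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.get("oidc_state", "")
    returned = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch: response was not requested by this session")
    if "code" not in query:
        raise ValueError("callback carries no code")
    session.pop("oidc_state")  # single use: a replayed callback is rejected
    return query["code"][0], session.pop("pkce_verifier")


def verifier_matches(verifier, challenge):
    """The check the IdP performs at token exchange: S256(verifier) == challenge."""
    return hmac.compare_digest(code_challenge_from(verifier), challenge)
```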

Arc XP’s OIDC provider APIs are:

API | Notes
--- | ---
Login | Called by an already authenticated (to Arc XP) user to obtain the auth code that the publisher’s backend application must use during the token exchange.
Token Exchange | To be called by the publisher’s backend application to exchange the auth code for access, refresh and ID tokens.
JWKS | To be called by the publisher’s backend application to retrieve the public key used by Arc XP to sign the ID token returned during the token exchange step.