Before starting the implementation of an OAuth 2.0 client that will integrate with aID, your client needs to be registered in aID. When this is done, you will receive some info that you will need to provide during the authorization.
Registering your client
To register a new client that will integrate with aID, please send an email to aid.support@amedia.no providing the following information:
| Field | Description |
| --- | --- |
| Application name | Name of the application/service you are developing. This name will be shown to the user in dialogues where the user grants your application access to aID data during authorization. |
| Needed scopes | List of scopes the application will need access to. Available scopes can be found here. |
| redirect_uri | The URL we send the user to after authorization. This URL will receive a code parameter and must contact aID to get the access token. See details here. |
| Publication | List of publications the application is developed for. If you are developing for Amedia/all publications, just say “all”. |
| Purpose | What is the purpose of this application? What will the user get by using it? Not displayed to the public. |
| Contact information | Who do we contact if we find something wrong with the integration, or we need to change things? Not displayed to the public. |
Legal entities
In a normal OAuth flow, the user is sent to a page where all requested scopes are listed, and the user is asked to grant the requesting application (your application) access to these scopes. This is familiar to users who have used Facebook, Google etc. when logging in to applications using accounts from their systems.
aID has been designed to be used as an identity service for news sites. Some of these sites are composed of several components that each need their own OAuth client. If every client needed to ask for access to a scope, the user experience would be quite weird. For this reason, we do not use the standard OAuth scopes acceptance page. Instead, we group clients by what we call Legal Entities (tjenesteleverandør).
The first time the user logs in on a certain legal entity, the user is asked to give that legal entity permission to get access to data from that aID. Once this has been done, we don't need to ask again for any client related to that legal entity.
The major legal entities today are Amedia, Aller, Berlingske Media and JFM.
What you will receive from aID
Once we have processed your request, you will be provided with two items from aID:
| Item name | Alternative name | Description |
| --- | --- | --- |
| client_id | Client Identifier | Used to identify the client in OAuth authorization |
| client_secret | Client Password | Used to verify authenticity of OAuth client when giving access token to client |
The client_id can be considered public information. It’s not a big deal if everyone in the world knows this. But the client_secret must be kept secret. If this secret becomes known, all current access tokens for this client must be deleted in aID in order to ensure that no evil-minded systems will get access to the user’s data. The client_secret can ONLY be shared between your application and aID, never with the user, and never with other applications (like browsers).
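The redirect_uri step and the client_secret rule described above, shown as an added example that is not aID's own code: the server behind redirect_uri builds the code-for-token request itself, so the secret travels only between your backend and aID. The token endpoint URL, the `AID_CLIENT_SECRET` variable name, and the use of HTTP Basic client authentication (RFC 6749, section 2.3.1) are assumptions.

```python
import base64
import os
import urllib.parse
import urllib.request

# Placeholder, not a real aID URL: take the token endpoint from the aID documentation.
TOKEN_ENDPOINT = "https://aid.example.invalid/oauth/token"


def load_client_secret(env=os.environ):
    """Read the secret from the server's environment, never from source or client-side config."""
    secret = env.get("AID_CLIENT_SECRET", "")  # hypothetical variable name
    if not secret:
        raise RuntimeError("AID_CLIENT_SECRET is not set")
    return secret


def build_token_request(code, redirect_uri, client_id, client_secret,
                        token_endpoint=TOKEN_ENDPOINT):
    """Build the server-to-server request that swaps the code for an access token."""
    if not token_endpoint.startswith("https://"):
        raise ValueError("token endpoint must use HTTPS")
    if not code:
        raise ValueError("missing code parameter")
    # Assumption: aID accepts client credentials as HTTP Basic (RFC 6749, section 2.3.1).
    creds = "{}:{}".format(urllib.parse.quote_plus(client_id),
                           urllib.parse.quote_plus(client_secret)).encode()
    # The body carries only the code and redirect_uri; the secret stays in the header.
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # the redirect_uri registered with aID
    }).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={
            "Authorization": "Basic " + base64.b64encode(creds).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )


if __name__ == "__main__":
    # Constructed sample values; a real handler reads `code` from the redirect query string.
    req = build_token_request("constructed-code", "https://app.example/callback",
                              "demo-client", "constructed-secret")
    print(req.get_method(), req.full_url)
    print(req.data.decode())  # no client_secret in the body or URL
```

The returned request is sent from the backend with `urllib.request.urlopen`; only the resulting session, never the secret or this request, is exposed to the browser.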