Keka SSO Integration (Keka as Identity Provider)

Overview:

This guide walks you through implementing an OAuth 2.0 authorization code flow with Keka as the Identity Provider (IdP). This flow is intended for server-side or web applications that can store a client secret securely. By integrating Keka's SSO, your application can delegate user authentication to Keka and manage sessions based on the tokens it issues. (Currently, this integration is only supported for privileged partners on a request basis.)

Flow Specification:

Step 1: Request an Authorization Code

Your application redirects the browser to the Keka sign-in page. Before implementing this, you'll need to obtain SSO Client details from Keka Support.
Keka presents the sign-in page to the user for authentication.
The user authenticates through Keka, which requires an active employee profile registered in the Keka HR portal.

Example Request:

https://<Keka_Idp_Authority>/connect/authorize?response_type=code%20id_token&client_id=<Keka_Provided_ClientId>&redirect_uri=<redirect_uri>&scope=openid&state=<random_state>&nonce=<random_nonce>

(The space in response_type must be URL-encoded as %20 or +; the state parameter is included here because it is listed among the key parameters below.)

Key Parameters:

client_id: Provided by Keka Support.
response_type: Set to code for the authorization code grant type (the example request above also requests an id_token, so the response carries both).
scope: Set to openid to return an ID token.
redirect_uri: The callback URI where the authorization code is sent. It must match the URI registered with Keka Support exactly.
state: A unique, unguessable string that your application stores server-side and compares on the callback to prevent CSRF attacks.
nonce: A unique value echoed back in the ID token for replay protection.

If the user already has a session, or after they authenticate, they are redirected to the specified redirect_uri along with an authorization code. This code is valid for 300 seconds.

Step 2: Exchange Authorization Code for Tokens

To exchange the authorization code for access and ID tokens, make a POST request to the /token endpoint.

https://developers.keka.com/reference/exchange-authorization-code-for-tokens

Step 3: Fetch User Details

Once you have the access_token, you can retrieve the authenticated user's details.

https://developers.keka.com/reference/fetch-user-details
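The three steps above, implemented as a set of server-side helpers. This is an added example, not Keka's own code or SDK, and it uses only the Python standard library. The authority host, client id, client secret and callback URL are constructed placeholders; the /token request body follows the standard OAuth 2.0 authorization code grant (RFC 6749 section 4.1.3), which is assumed, not confirmed by the page, to be what Keka's /token endpoint accepts; the exact shape of the user-details call is left to the linked reference, and the example only shows the bearer header for it. The nonce check operates on claims from an ID token whose signature the caller has already verified against the IdP's signing keys.

```python
"""Server-side helpers for the Keka authorization code flow (added example, not Keka code).

Assumptions (not on the page): authority/client values are placeholders; the /token
body is the standard RFC 6749 authorization_code grant; check_id_token_claims()
receives claims only after the ID token's signature has been verified.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_CODE_LIFETIME = 300  # seconds, as stated in Step 1


def start_login(authority, client_id, redirect_uri, now=None):
    """Step 1: mint a fresh state and nonce, keep them server-side, build the authorize URL.

    Returns (url, pending); `pending` must be stored in the user's server-side session
    so the callback can be matched to this exact login attempt.
    """
    now = time.time() if now is None else now
    pending = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "redirect_uri": redirect_uri,
        "started_at": now,
    }
    params = {
        "response_type": "code id_token",  # urlencode() encodes the space, giving code+id_token
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": pending["state"],
        "nonce": pending["nonce"],
    }
    return f"https://{authority}/connect/authorize?{urlencode(params)}", pending


def handle_callback(pending, callback_url, now=None):
    """Validate the redirect back from Keka and return the authorization code.

    Rejects IdP errors, a state that does not match the stored login attempt (CSRF or a
    stale/forged callback), a missing code, and a callback arriving after the 300 s code
    lifetime measured from the start of the attempt (conservative: the code cannot be
    newer than that).
    """
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError(f"IdP returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, pending["state"]):
        raise PermissionError("state mismatch: possible CSRF or stale login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise PermissionError("no authorization code in callback")
    if now - pending["started_at"] > AUTH_CODE_LIFETIME:
        raise PermissionError("authorization code lifetime (300 s) exceeded")
    return code


def build_token_request(client_id, client_secret, code, pending):
    """Step 2: form body to POST to the /token endpoint (standard OAuth 2.0 shape, assumed for Keka).

    The redirect_uri must be the same value used in Step 1; the IdP binds the code to it.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": pending["redirect_uri"],
        "client_id": client_id,
        "client_secret": client_secret,
    }


def check_id_token_claims(claims, pending, client_id, issuer, now=None):
    """Verify the nonce echoed back in the ID token (replay protection) plus aud, iss and exp.

    `claims` must come from a token whose signature was already verified against the
    IdP's published keys; claims from an unverified token prove nothing.
    Returns the subject identifier on success.
    """
    now = time.time() if now is None else now
    if not secrets.compare_digest(str(claims.get("nonce", "")), pending["nonce"]):
        raise PermissionError("nonce mismatch: ID token was not issued for this login attempt")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("ID token not intended for this client")
    if claims.get("iss") != issuer:
        raise PermissionError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise PermissionError("ID token expired")
    return claims["sub"]


def user_details_headers(access_token):
    """Step 3: bearer header for the user-details request (assumed bearer scheme)."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    # Constructed placeholder values; replace with the details provided by Keka Support.
    url, pending = start_login("<Keka_Idp_Authority>", "<Keka_Provided_ClientId>",
                               "https://app.example.test/callback")
    print(url)
```

The `pending` record is the piece most integrations get wrong: state and nonce only protect the flow if they are generated per login attempt, stored where the browser cannot alter them, and compared with a constant-time comparison on the way back, which is what `handle_callback` and `check_id_token_claims` do here.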