OAuth
This is a guide to using OAuth to enable SSO logins on your app. OAuth is recommended if you are setting up your own server, especially if it is a non-Warwick domain, since it doesn't require an SSL certificate and there are many 3rd party OAuth libraries for whatever programming language your app uses.
Find a suitable OAuth library
It is recommended that you find a suitable 3rd party library to handle most of the OAuth signing process (see the Useful links section on this page). Then follow the general instructions for doing OAuth with your library in combination with general information about our APIs to get up and running with making submissions. To summarise, this is the information you need to make a request to get a user's attributes:
Request Token URL: https://websignon.warwick.ac.uk/oauth/requestToken
Authorize Token URL: https://websignon.warwick.ac.uk/oauth/authorise
Access Token URL: https://websignon.warwick.ac.uk/oauth/accessToken
Scope: urn:websignon.warwick.ac.uk:sso:service
User attributes URL: https://websignon.warwick.ac.uk/oauth/authenticate/attributes
The consumer key and secret you receive when registering your app
When your user clicks on a login link, your code should check for up-to-date tokens that your app has previously stored, and if found it should make an OAuth request for the user's attributes from the above User attributes URL. Otherwise it should proceed through OAuth to acquire an access token for the above scope, and then get the user's attributes. It can then store these in the session storage of your choice.
User attributes response
The user attributes URL will return a series of key=value lines. The "user" key will contain the username of the user who has logged in - if that is missing then you should not create a new login session, as there was some problem with login.
Logout
You can implement application specific logout in any way you like, generally by just clearing your session when the user visits a logout link. If your application is on a warwick.ac.uk domain and you would like single sign-out to work then you can check for the presence of a cookie called "WarwickSSO" and end the session if that cookie is missing before displaying any page.
Useful links
PHP OAuth library (use 3-legged auth)
Node.JS Passport module
May be a useful as reference code even if you are using a different language, as it specifically handles login to Warwick.