Authorization Flows
eCourtDate uses the OAuth 2.0 Authorization Code flow for all SSO integrations. This is the most secure flow for server-side applications and is recommended by OAuth 2.0 security best practices.
Authorization Code Flow
The Authorization Code flow follows these steps:
- Authorization Request -- The client application requests authorization from the resource owner (the user).
- User Consent -- The user authenticates with the Identity Provider and consents to the requested scopes. The client receives an authorization grant (authorization code).
- Token Exchange -- The client exchanges the authorization code for an access token at the authorization server's token endpoint.
- Resource Access -- The client uses the access token to access protected resources on behalf of the user.
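The four steps above, walked through from the client's side as an added example (this is illustrative code, not eCourtDate's own implementation). It assumes placeholder provider endpoints and client ID, adds a `state` value to bind the callback to the login that started it, and uses PKCE (S256), which the requirements below recommend; the authorization code in the constructed callback is the sample value from RFC 6749, not a real one.

```python
"""Client side of the OAuth 2.0 Authorization Code flow with state and PKCE.

Added example, not eCourtDate's code. The endpoint URLs, client ID and redirect
URI are placeholders following the pattern documented on this page.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders: substitute your provider's endpoints and your registered values.
AUTHORIZATION_URL = "https://idp.example.com/oauth2/v1/authorize"
TOKEN_URL = "https://idp.example.com/oauth2/v1/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorization_request(scopes, state: str, code_challenge: str) -> str:
    """Step 1 (Authorization Request): the URL the user's browser is sent to."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_URL}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2 (User Consent result): extract the code from the redirect.

    A state mismatch means the response does not belong to the login this
    client started, so it is rejected rather than exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: response does not belong to this login")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 3 (Token Exchange): form body POSTed to TOKEN_URL.

    The client secret is sent via HTTP Basic auth, not in this body.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


def demo() -> dict:
    """Walk the flow with a constructed callback; returns the token request body."""
    verifier, challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(16))
    build_authorization_request(["openid", "email", "profile"], state, challenge)
    # Constructed: what the provider would redirect the browser to after consent.
    # The code value is the sample from RFC 6749, not a real authorization code.
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'SplxlOBeZQQYbYS6WxSbIA', 'state': state})}"
    code = parse_callback(callback, state)
    return build_token_request(code, verifier)
```

Step 4 (Resource Access) is then an ordinary HTTPS request to the User URL with `Authorization: Bearer <access_token>`. The `state` and `code_verifier` values must be stored server-side per login session between steps 1 and 3; they are never sent to the browser in a form it can alter.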
Redirect URI
The redirect URI must be registered in your Identity Provider. The format is:
https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect
Replace {region} with your eCourtDate region and {yoursignin} with your configured sign-in identifier.
Azure Active Directory
Portal: https://portal.azure.com
Required Permissions
- Microsoft Graph > GroupMember.Read.All
- Microsoft Graph > User.Read (default)
Endpoints
| Setting | Value |
|---|---|
| Well Known URL | https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration |
| Authorization URL | https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize |
| Token URL | https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token |
| User URL | https://graph.microsoft.com/oidc/userinfo |
| End Session URL | https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/logout |
Replace {tenant-id} with your Azure AD tenant ID.
Google Workspace
Console: https://console.cloud.google.com
Required Scopes
- ./auth/userinfo.email
- ./auth/userinfo.profile
- https://www.googleapis.com/auth/admin.directory.group.member.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
Endpoints
| Setting | Value |
|---|---|
| Well Known URL | https://accounts.google.com/.well-known/openid-configuration |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth |
| Token URL | https://oauth2.googleapis.com/token |
| User URL | https://www.googleapis.com/oauth2/v3/userinfo |
| End Session URL | https://accounts.google.com/o/oauth2/revoke |
AWS Cognito
Console: https://console.aws.amazon.com
GovCloud Console: https://console.amazonaws-us-gov.com/
Required Scopes
- openid
- email
- profile
Callback URL
https://{region}.api.ecourtdate.com/oauth/{yoursignin}/redirect
Endpoints
| Setting | Value |
|---|---|
| Well Known URL | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration |
| Authorization URL | https://{domain}.auth.{region}.amazoncognito.com/oauth2/authorize |
| Token URL | https://{domain}.auth.{region}.amazoncognito.com/oauth2/token |
| User URL | https://{domain}.auth.{region}.amazoncognito.com/oauth2/userInfo |
| End Session URL | https://{domain}.auth.{region}.amazoncognito.com/logout |
Replace {region} with your AWS region (e.g., us-east-1), {userPoolId} with your Cognito User Pool ID, and {domain} with your Cognito domain prefix.
Okta
Application type: OIDC - OpenID Connect Web Application
Grant type: Authorization Code
Required Scopes
- openid
- email
- profile
- groups
Endpoints
| Setting | Value |
|---|---|
| Well Known URL | https://{your-domain}.okta.com/.well-known/openid-configuration |
| Authorization URL | https://{your-domain}.okta.com/oauth2/v1/authorize |
| Token URL | https://{your-domain}.okta.com/oauth2/v1/token |
| User URL | https://{your-domain}.okta.com/oauth2/v1/userinfo |
| End Session URL | https://{your-domain}.okta.com/oauth2/v1/logout |
Replace {your-domain} with your Okta organization domain.
Group Claims
To pass group membership information to eCourtDate, include a "groups" claim in the ID Token:
- Claim name: groups
- Include in: ID Token
- Value type: Filter
- Filter: Matches regex .*_ECOURTDATE
This ensures only eCourtDate-relevant groups are included in the token.
Custom OIDC Provider
eCourtDate supports any Identity Provider that meets the following minimum requirements:
| Requirement | Details |
|---|---|
| OAuth 2.0 Authorization Code flow | Required |
| OpenID Connect 1.0 | Required |
| Standard claims | sub, email at minimum |
| PKCE | Recommended |
| Token revocation | Recommended |
| HTTPS endpoints | All endpoints must use HTTPS |
| RS256 signing algorithm | Recommended |
Configure the Well Known URL, Authorization URL, Token URL, User URL, and End Session URL according to your provider's documentation.
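A way to check a candidate provider against the requirement table above before wiring it in, as an added example (not eCourtDate's own code): it reads the provider's discovery document (the JSON served at the Well Known URL), flags Required rows as errors and Recommended rows as warnings, and checks a decoded ID token payload for the minimum standard claims. The discovery document and claims below are constructed sample data; the group filter reuses the regex from the Group Claims section and assumes the regex must match the whole group name.

```python
"""Validate an OIDC discovery document and ID token claims against the
minimum requirements listed on this page. Added example, not eCourtDate's
code; SAMPLE_DISCOVERY is constructed data, not a real provider's output."""
import re
from urllib.parse import urlparse

# Constructed sample of what {issuer}/.well-known/openid-configuration returns.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
    "end_session_endpoint": "https://idp.example.com/oauth2/v1/logout",
    "revocation_endpoint": "https://idp.example.com/oauth2/v1/revoke",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "response_types_supported": ["code", "id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
    "code_challenge_methods_supported": ["S256"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Endpoints the Authorization Code flow and ID token verification cannot do without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")

# Regex from the Group Claims section; assumed to apply to the whole group name.
GROUP_FILTER = re.compile(r".*_ECOURTDATE")


def check_discovery(doc: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]}.

    Errors correspond to 'Required' rows of the table, warnings to 'Recommended'.
    """
    errors, warnings = [], []
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            errors.append(f"missing {key}")
    # Every advertised endpoint must be HTTPS (Required).
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and urlparse(value).scheme != "https":
            errors.append(f"{key} is not https: {value}")
    # Authorization Code flow and OpenID Connect (Required).
    if "code" not in doc.get("response_types_supported", []):
        errors.append("authorization code flow not supported")
    if "openid" not in doc.get("scopes_supported", ["openid"]):  # scopes_supported is optional
        errors.append("openid scope not advertised")
    # PKCE, token revocation and RS256 (Recommended).
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        warnings.append("PKCE (S256) not advertised")
    if "revocation_endpoint" not in doc:
        warnings.append("no token revocation endpoint")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        warnings.append("RS256 not advertised for ID token signing")
    return {"errors": errors, "warnings": warnings}


def check_claims(claims: dict) -> list:
    """Return the required standard claims missing from a decoded, signature-verified ID token."""
    return [c for c in ("sub", "email") if not claims.get(c)]


def ecourtdate_groups(claims: dict) -> list:
    """Keep only the groups the Group Claims filter would pass through."""
    return [g for g in claims.get("groups", []) if GROUP_FILTER.fullmatch(g)]
```

Run `check_discovery` on the JSON fetched from the provider's Well Known URL: an empty `errors` list means the Required rows are met, and each warning names one Recommended row to take up with the provider. `check_claims` is meant for the payload after the ID token's signature has been verified against `jwks_uri`; it does not replace that verification.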