Sign in

Quick guide for getting started with your first client

The sign-in process starts with the users following a sign-in link in your application. Their browser redirects them to TAAS Identity where they enter their login credentials.

TAAS identity redirects authenticated users back to the specified Redirect URL.

The next step depends on the type of application you are developing, as each type has a recommended authentication flow.

Authentication Flow Application Type
Authorization Code Flow (auth) Server (e.g Node.js, Tomcat)
Implicit Flow iOS
Implicit Flow Android
Implicit Flow Client (Browser)

In the Authorization Code Flow, the response includes a query string parameter code, which contains an authorization code. This code can be exchanged for tokens. In the Implicit Flow, the response includes the tokens directly. For more details regarding each flow, please see authentication flows.

Let's take a quick look at the tokens as well, there are three types:

  1. Identity Contains data about the authenticated user.
  2. Access States what resources (e.g API endpoint) your application may request on their behalf.
  3. Refresh Is used to obtain a new Access Token when the current becomes invalid or expired.

Lastly, these are the endpoints used in the authentication flow: /auth This is the first endpoint that is called in the flow. It returns the Telia Identity website where your users sign in.

/token Applications that use the Authorization Code Flow obtain all tokens from this endpoint. Implicit Flow applications use this endpoint to request a new Access Token.

/userinfo This endpoint return claims (i.e. user attributes), about the authenticated user. You authorize the request by supplying your Access Token in the request header.

You must register your applications in Self-Service before you can gain access to our services. A registered app is given a unique Client ID and Client Secret, which should not be shared. We will show you how to use them in the next steps.

Log in to Self-Service to register your applications.

The sections below gives an in-depth explanation of the registration process. If you already have your have your Client ID and Client Secret, you can skip right ahead to step 2.

Application info

  1. Give a name to your application. This name will be shown to the user when they sign-in to your application.

  2. Let us know which kind of application you are creating and we will set the corresponding authentication flow:

Authentication Flow Application Type
Authorization Code Flow Server (e.g Node.js, Tomcat)
Implicit Flow iOS
Implicit Flow Android
Implicit Flow Client (Browser)
  1. The Redirect URLs delimits where we can send your users after a successful sign-in. It is possible to set localhost:port as a Redirect URL while developing your application. The Redirect URLs are also checked when the user logs out.

Save your credentials

After you have successfully registered your application, you will receive a Client ID and a Client Secret. Make sure you save these before you close the window. We'll explain how to use them in the next step.

Now that you have your Client ID and Client Secret, it is time to implement an OpenID Connect authentication flow. You can either write your own implementation or use an existing OpenID Connect library. We recommend the latter, due to security reasons.

When using an existing library, you need to make sure that the registered Redirect URLs point to endpoints that can handle the authentication flow and logout.

Code for setting up the authentication

The following will show a small example on how to set up a small node.js express app to login with TAAS identity. If you don't care about writing the authentication yourself there is an existing npm module that will do the setup for you. For more info on the npm module go here

First we will need a server so let's set up an express app.

import express from 'express';
const app = express();
app.listen(4000, () => {
  console.log('Server is listening on port 4000')

Then we will use the passport library to set up the authentication. We will also use the express-session for the session management.

We will start with the express-session

import session from  'express-session'

const sess = {
  secret: 'your secret',
  resave: true,
  saveUninitialized: true,
  cookie: {
    user: {},


Now that we have support for sessions, we can add the passport setup for doing the authentication

import passport from 'passport';
import { Strategy } from 'passport-openidconnect';

const scope = ['oidc'];
const users = [];

const ISSUER = '';
const IDPAPIURL = `${ISSUER}/protocol/openid-connect`;
const CLINETID = //The client ID you get from self service
const CLIENTSECRET = //The client Secret you get from self service
const CALLBACK = http://localhost:4000/auth/callback // The callback url you set in self service

  new Strategy({
    issuer: ISSUER,
    authorizationURL: `${IDPAPIURL}/auth`,
    tokenURL: `${IDPAPIURL}/token`,
    userInfoURL: `${IDPAPIURL}/userinfo`,
    clientID: CLIENTID,
    clientSecret: CLIENTSECRET,
    callbackURL: CALLBACK,
  (iss, sub, profile, jwtClaims, accessToken, refreshToken, params, done) => {
    profile.refreshToken = refreshToken;
    profile.accessToken = accessToken;
    users[profile.preferred_username] = profile;
    done(null, profile);

passport.serializeUser((user, done) => {
  done(null, user);

passport.deserializeUser((user, done) => {
  done(null, user);


app.get('/login', passport.authenticate('openid-connect'));
app.get('/auth/callback', passport.authenticate('openid-connect', { // this needs to match the callback url you specified above 
    successRedirect: '/',
    failureRedirect: '/failure',

Finally we need to add an endpoint that will redirect the user to the login if they are not authenticated.

app.get('/*', (req, res) => {
  if (req.isAuthenticated()) {
  } else {

Now all that is needed is to run the server and go to localhost:4000 and you will be redirected to the login setup

Even though it this will work, it is not using the refresh token provided which it should. To find out more about using the refresh token go here