OAuth 2

last updated: 2025-08-12

Use DTZ Identity as your OAuth 2.0 and OpenID Connect (OIDC) provider to let users sign in to your applications with their DTZ accounts.

What is OIDC?

OpenID Connect (OIDC) lets your application authenticate users through DTZ Identity without handling passwords directly. Instead of managing user credentials, you redirect users to DTZ for login, then receive a secure token to access their information.

Perfect for: Web apps, mobile apps, or any service that needs secure user authentication.

Quick Start

1. Get Your Context ID

In DTZ, every application uses a “context” as its identifier. You’ll need a context-{uuid} that your users have access to.

Example: context-abc123

Note: In DTZ’s system, both your client_id and client_secret are the same context ID. This simplifies setup while maintaining security.

2. Essential Endpoints

You only need these three endpoints to get started:

Purpose      Endpoint
User Login   https://identity.dtz.rocks/api/2021-02-21/oauth/authorize
Get Token    https://identity.dtz.rocks/api/2021-02-21/oauth/token
User Info    https://identity.dtz.rocks/api/2021-02-21/oauth/userinfo

3. Auto-Discovery

Most OAuth libraries can auto-configure using DTZ’s discovery endpoint:

https://identity.dtz.rocks/.well-known/openid-configuration

How It Works

Step 1: Redirect User to DTZ

When a user wants to sign in, redirect them to:

https://identity.dtz.rocks/api/2021-02-21/oauth/authorize?
  response_type=code&
  client_id=YOUR_CONTEXT_ID&
  redirect_uri=https://yourapp.com/callback&
  scope=openid&
  state=random-string-for-security

Step 2: User Signs In

DTZ handles the login process:

  • If already signed in → immediate redirect back to your app
  • If not signed in → shows login form, then redirects back

Step 3: Exchange Code for Token

DTZ redirects back to your app with a code. Exchange it for a token:

curl -X POST https://identity.dtz.rocks/api/2021-02-21/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=YOUR_CONTEXT_ID" \
  -d "client_secret=YOUR_CONTEXT_ID" \
  -d "redirect_uri=https://yourapp.com/callback" \
  -d "code=THE_CODE_FROM_REDIRECT"

Step 4: Get User Information

Use the access token to get user details:

curl -X GET https://identity.dtz.rocks/api/2021-02-21/oauth/userinfo \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"

Response:

{
  "sub": "identity-12345678",
  "iss": "dtz.rocks",
  "contexts": ["abc124"],
  "roles": ["https://dtz.rocks/context/admin/abc123..."]
}
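The four steps above as one minimal Python client, written as an added example here and not DTZ's own code: it builds the Step 1 redirect URL with a fresh state value, checks that state when the browser comes back (Step 3), posts the code exchange exactly as the curl call does (client_secret equal to client_id), fetches userinfo (Step 4), and finally checks that the signed-in user actually belongs to your context. The endpoint URLs are the ones on this page; CONTEXT_ID and the redirect URI are placeholders, and the assumption that entries in the userinfo `contexts` list carry the uuid without the `context-` prefix is taken from the sample response above.

```python
"""Minimal DTZ Identity authorization-code client (added example, not DTZ code).

Assumptions: the endpoints shown on this page, a placeholder CONTEXT_ID and
redirect URI, and `contexts` entries without the "context-" prefix (as in the
sample userinfo response).
"""
import json
import secrets
import urllib.parse
import urllib.request

BASE = "https://identity.dtz.rocks/api/2021-02-21/oauth"
AUTHORIZE_URL = f"{BASE}/authorize"
TOKEN_URL = f"{BASE}/token"
USERINFO_URL = f"{BASE}/userinfo"

CONTEXT_ID = "context-YOUR-UUID-HERE"          # placeholder: your context-{uuid}
REDIRECT_URI = "https://yourapp.com/callback"  # placeholder: your registered callback


def new_state() -> str:
    """Unguessable per-login value. Store it in the user's session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(context_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL to send the browser to. client_id is the context ID."""
    params = {
        "response_type": "code",
        "client_id": context_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 3a: extract the code from the redirect back to your app.

    The state comparison ties this callback to the login your app started;
    a callback whose state does not match the session value is rejected
    (this is the login-CSRF protection the `state` parameter exists for).
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_form(context_id: str, redirect_uri: str, code: str) -> bytes:
    """Step 3b: the form body the token endpoint expects (client_secret == client_id at DTZ)."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": context_id,
        "client_secret": context_id,
        "redirect_uri": redirect_uri,
        "code": code,
    }).encode()


def exchange_code(context_id: str, redirect_uri: str, code: str) -> dict:
    """Step 3b: POST the code to the token endpoint and return the parsed JSON (network call)."""
    req = urllib.request.Request(
        TOKEN_URL,
        data=token_form(context_id, redirect_uri, code),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_userinfo(access_token: str) -> dict:
    """Step 4: call userinfo with the bearer token (network call)."""
    req = urllib.request.Request(USERINFO_URL, headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def user_may_access(userinfo: dict, context_id: str) -> bool:
    """Authorization check after login: the token proves who the user is, the
    `contexts` list says which contexts they belong to. Assumes entries lack
    the "context-" prefix, as in the sample response on this page."""
    wanted = context_id.removeprefix("context-")
    return wanted in userinfo.get("contexts", [])


if __name__ == "__main__":
    # Offline demonstration of the non-network parts of the flow.
    state = new_state()
    print("redirect to:", build_authorize_url(CONTEXT_ID, REDIRECT_URI, state))
    callback = f"{REDIRECT_URI}?code=THE_CODE_FROM_REDIRECT&state={state}"
    print("code:", parse_callback(callback, state))
    print("form:", token_form(CONTEXT_ID, REDIRECT_URI, "THE_CODE_FROM_REDIRECT").decode())
```

In a real web app the `state` from `new_state()` lives in the server-side session between Step 1 and Step 3, `exchange_code` runs in the callback handler, and `user_may_access` decides whether the authenticated user is allowed into your application at all.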