Klubero SSO - Integration Guide
Welcome to the Klubero SSO integration guide. This documentation helps you integrate Klubero SSO into your applications using standard OpenID Connect (OIDC) and OAuth 2.0 protocols.
What is Klubero SSO?
Klubero SSO is a centralized authentication and authorization service that allows users to sign in once and securely access multiple applications. It implements OpenID Connect (OIDC) on top of OAuth 2.0 and provides:
- Single Sign-On (SSO) - Users authenticate once and gain access to all connected applications
- Secure token-based authentication - Standard JWT tokens for secure API access
- Multiple authentication methods - Password, Magic Link (passwordless), and external providers (Google, Facebook, Seznam.cz)
- Two-factor authentication - An additional security layer via authenticator app (TOTP) or email
- Granular permissions - Scope-based access control for API resources
- Session management - Full visibility and control over active sessions
OpenID Connect compatibility
Klubero SSO is fully compatible with the OpenID Connect Core 1.0 specification. For integration, you can use any standard OIDC client library. We recommend maintained libraries such as:
- JavaScript/Node.js: openid-client, oidc-client-ts
- C# / .NET: Microsoft.AspNetCore.Authentication.OpenIdConnect
- Python: authlib (full OIDC client), python-jose (JWT signing and verification only)
- Java: Spring Security OAuth2
- PHP: league/oauth2-client
Prerequisites
Before you start integration, make sure you have:
- HTTPS enabled in your application (required for all OAuth redirects)
- Application credentials from Klubero support: a client_id for every application, plus a client_secret for confidential clients (server-side applications). Public clients (SPAs, mobile apps) receive no secret and must use PKCE instead.
- Registered redirect URIs for your application
- Understanding of OAuth 2.0 / OIDC concepts (see glossary below)
Glossary
| Term | Definition |
|---|---|
| Access Token | JWT presented as a bearer token on API requests. Short-lived (30 minutes). |
| Refresh Token | Long-lived token (14 days) used to obtain new access tokens without user interaction. Keep it server-side or in secure storage; never expose it to browser JavaScript. |
| ID Token | JWT containing user identity information (claims) after successful authentication. Verify its signature, issuer, audience (your client_id), expiry and nonce before trusting any claim. |
| Authorization Code | Temporary code exchanged for tokens. Valid for 5 minutes and single-use. |
| Scope | Permission defining which data or actions an application can access. |
| PKCE | Proof Key for Code Exchange: binds the authorization code to the client that started the flow. Required for public clients (SPA, mobile apps) and recommended for all clients. |
| Client ID | Public identifier of your application. Safe to expose in frontend code. |
| Client Secret | Secret key of your application. Keep it server-side; never expose it in frontend code. |
| Redirect URI | URL where users are redirected after authentication. Must be pre-registered and must match the registered value exactly. |
| Consent | User approval for an application to access their data. |
| Claims | User information (for example email or name) included in tokens. |
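As an added example, not code from the Klubero project or from this guide, the following Python shows the client side of the authorization code flow with the PKCE and state protections defined in the glossary: generating the code_verifier/code_challenge pair (S256, RFC 7636), building the authorization request with state and nonce, and validating the redirect back before the code is exchanged. The authorization endpoint, client_id and redirect URI are placeholder assumptions; take the real values from your Klubero client registration. Only the standard library is used, so it runs offline; the token exchange and ID token validation are left to your OIDC client library.

```python
"""Authorization code flow with PKCE (S256) and state checking, standard library only."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values for illustration only; Klubero supplies the real ones.
AUTHORIZE_ENDPOINT = "https://sso.example.invalid/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def make_pkce_pair():
    """Return (code_verifier, code_challenge).

    The verifier stays on the client until the token request; only the
    challenge travels in the (browser-visible) authorization request.
    """
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    return code_verifier, s256_challenge(code_verifier)


def authorization_request(session: dict, scope: str = "openid profile email") -> dict:
    """Build the authorization request parameters and stash per-request secrets in the session."""
    code_verifier, code_challenge = make_pkce_pair()
    state = b64url(secrets.token_bytes(32))  # CSRF protection: bound to this browser session
    nonce = b64url(secrets.token_bytes(32))  # replay protection: must come back in the ID token
    session.update({"pkce_verifier": code_verifier, "oauth_state": state, "oidc_nonce": nonce})
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }


def build_authorization_url(session: dict, scope: str = "openid profile email") -> str:
    """The URL the user agent is redirected to."""
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(authorization_request(session, scope))}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back and return the body for the token request.

    Raises ValueError on an error response, a state mismatch (login CSRF or a
    forged callback) or a missing code. Confidential clients add client_secret
    (or another client authentication method) to the returned body.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    expected_state = session.pop("oauth_state", None)  # single-use: pop, never get
    received_state = query.get("state", [""])[0]
    if expected_state is None or not hmac.compare_digest(
        expected_state.encode("utf-8"), received_state.encode("utf-8")
    ):
        raise ValueError("state mismatch: rejecting callback")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("missing authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session.pop("pkce_verifier"),
    }


def verify_challenge(code_verifier: str, code_challenge: str) -> bool:
    """What the authorization server does at the token endpoint: recompute S256 and compare."""
    return hmac.compare_digest(s256_challenge(code_verifier), code_challenge)


if __name__ == "__main__":
    session = {}
    print(build_authorization_url(session))
    # Constructed callback, as the browser would deliver it after sign-in.
    callback = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['oauth_state']}"
    print(handle_callback(session, callback))
```

After handle_callback returns, POST its result to the token endpoint and validate the ID token (signature against the issuer's JWKS, iss, aud equal to your client_id, exp, and nonce equal to the stored oidc_nonce) with your OIDC library before creating a local session. Popping state and the verifier from the session makes both single-use, so a replayed or duplicated callback is rejected rather than silently accepted.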
Support
If you run into issues or have questions not covered in this documentation, contact us at:
Email: support@klubero.cz