KKU OAuth2
Authentication service built on the OAuth 2.0 authorization code grant (IETF RFC 6749, the OAuth 2.0 Authorization Framework), using KKU's SSO credentials. Your application never handles the user's password: it receives a short-lived authorization code and exchanges it server-side for tokens.
Endpoints

  Method  Path                      Purpose
  GET     /authorize                Authorize (start the login redirect)
  POST    /token                    Exchange Token (authorization code or refresh token)
  GET     /token                    Verify Token; requires Authorization: Bearer <token>
  GET     /api/v2/user              User Details; requires Authorization: Bearer <token>
  POST    /revoke                   Revoke Token
  GET     /.well-known/jwks.json    JWKS (public key set for verifying token signatures)
  GET     /logout                   Logout; with client_id: per-app logout, without client_id: full SSO logout
How to Use

1. Redirect the user to /authorize
GET /authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&state={state}
state: an unguessable random value (for example 32 bytes from a CSPRNG), generated per login attempt and stored in the user's session before the redirect. The authorization server returns it unchanged to redirect_uri together with code={authorization_code}. Reject the callback unless its state is present and equal to the stored value; this stops login CSRF, where an attacker tricks the browser into finishing the flow with an authorization code the attacker obtained.
2. Exchange the code for tokens
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code={authorization_code}
&redirect_uri={redirect_uri}
&client_id={client_id}
&client_secret={client_secret}
Make this request from your backend only: client_secret authenticates your application and must never be embedded in browser or mobile code. redirect_uri must be identical to the value sent in step 1, and the authorization code is single-use and short-lived, so exchange it immediately.
3. Fetch user data with the access token
GET /api/v2/user
Authorization: Bearer {access_token}
The access token is a bearer credential: anyone holding it can call this endpoint as the user. Keep it server-side and send it only over HTTPS.
4. Refresh the access token (optional)
POST /token
Content-Type: application/x-www-form-urlencoded
grant_type=refresh_token
&refresh_token={refresh_token}
&client_id={client_id}
&client_secret={client_secret}
Use the refresh_token returned in step 2 to obtain a new access token when the current one expires, without sending the user back through /authorize. Refresh tokens are long-lived credentials: store them as carefully as client_secret and revoke them with POST /revoke once they are no longer needed.
5. Logout
GET /logout?client_id={client_id}&redirect_uri={redirect_uri}
Per-app logout: logs the user out of this app only. The user stays signed in to SSO and to other apps. The browser is sent to redirect_uri afterwards.
GET /logout?redirect_uri={redirect_uri}
Full logout: logs the user out of all apps and terminates the SSO session. Whichever variant you use, also clear your own application session, since the SSO logout does not know about cookies your app issued.
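The five steps above as one relying-party implementation in Python, added here as a worked example; it is not code published by KKU. BASE_URL, the FakeSSO test double and every sample value in it (code c0de, secret s3cret, user alice, the response field names) are constructed so the example runs offline; this page does not document the real /token and /api/v2/user response bodies, so FakeSSO's shape is an assumption. In production, replace FakeSSO with real HTTP calls (for example requests.post) and keep the state check exactly as written.

```python
"""
Relying-party side of the KKU OAuth2 authorization code flow (steps 1-5).
Added example, not KKU's code. BASE_URL, FakeSSO and all sample values are
constructed so the module runs offline.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

BASE_URL = "https://sso.example.edu"  # assumed placeholder, not the real KKU host


def new_state() -> str:
    """Unguessable, single-use value saved in the user's session before the redirect."""
    return secrets.token_urlsafe(32)


def authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Step 1: the URL the browser is redirected to."""
    q = {"client_id": client_id, "redirect_uri": redirect_uri,
         "response_type": "code", "state": state}
    return f"{BASE_URL}/authorize?{urlencode(q)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 1 callback: return the code only if state is present and matches the
    stored value. Anything else is discarded; a mismatch may be login CSRF."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization server returned error={qs['error'][0]}")
    got = qs.get("state", [""])[0]
    # Constant-time compare on bytes so a non-ASCII state cannot raise TypeError.
    if not got or not hmac.compare_digest(got.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def callback_accepted(callback_url: str, expected_state: str) -> bool:
    """Boolean wrapper around parse_callback for callers that only need a verdict."""
    try:
        parse_callback(callback_url, expected_state)
        return True
    except ValueError:
        return False


def exchange_code_body(code, redirect_uri, client_id, client_secret) -> dict:
    """Step 2 form fields. Backend only: client_secret must never reach a browser."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}


def refresh_body(refresh_token, client_id, client_secret) -> dict:
    """Step 4 form fields."""
    return {"grant_type": "refresh_token", "refresh_token": refresh_token,
            "client_id": client_id, "client_secret": client_secret}


def logout_url(redirect_uri: str, client_id: str = "") -> str:
    """Step 5: with client_id, per-app logout; without, full SSO logout."""
    q = {"client_id": client_id, "redirect_uri": redirect_uri} if client_id \
        else {"redirect_uri": redirect_uri}
    return f"{BASE_URL}/logout?{urlencode(q)}"


class FakeSSO:
    """Constructed offline stand-in for POST /token and GET /api/v2/user."""

    def __init__(self):
        self.codes = {"c0de": "alice"}  # one-time authorization code -> subject
        self.tokens = {}                # access token -> subject

    def post_token(self, form: dict) -> dict:
        if form.get("client_secret") != "s3cret":
            return {"error": "invalid_client"}
        if form["grant_type"] == "authorization_code":
            sub = self.codes.pop(form["code"], None)  # codes are single-use
            if sub is None:
                return {"error": "invalid_grant"}
        elif form["grant_type"] == "refresh_token":
            sub = form["refresh_token"].removeprefix("rt-")
        else:
            return {"error": "unsupported_grant_type"}
        at = "at-" + secrets.token_hex(4)
        self.tokens[at] = sub
        return {"access_token": at, "refresh_token": f"rt-{sub}",
                "token_type": "Bearer", "expires_in": 3600}

    def get_user(self, authorization: str) -> dict:
        scheme, _, tok = authorization.partition(" ")
        if scheme != "Bearer" or tok not in self.tokens:
            return {"error": "invalid_token"}
        return {"username": self.tokens[tok]}


def login(sso, callback_url, expected_state, client_id, redirect_uri, client_secret) -> dict:
    """Steps 1-3 end to end: validate the callback, exchange the code, fetch the user."""
    code = parse_callback(callback_url, expected_state)
    tok = sso.post_token(exchange_code_body(code, redirect_uri, client_id, client_secret))
    if "error" in tok:
        raise RuntimeError(tok["error"])
    user = sso.get_user(f"Bearer {tok['access_token']}")
    return {"user": user, "refresh_token": tok["refresh_token"]}


if __name__ == "__main__":
    st = new_state()
    print(authorize_url("app", "https://app.example.edu/cb", st))
    print(login(FakeSSO(), f"https://app.example.edu/cb?code=c0de&state={st}", st,
                "app", "https://app.example.edu/cb", "s3cret"))
```

Two behaviours worth noticing when you run it: a callback whose state was altered is rejected before any network call is made, and FakeSSO refuses a second exchange of the same code, which mirrors the single-use rule the real server applies.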