SSO Integration Workflow (OTROTL)

TubeRaker supports Single Sign-On (SSO) through the OTROTL identity provider. This flow covers user authentication against the external SSO server, bridging of the resulting server-side session to a TubeRaker JWT, and both front-channel and back-channel logout.

[Diagram: SSO Integration Workflow (OTROTL). Swimlanes: Browser, TubeRaker API, OTROTL SSO. Login path: click "OTROTL Login" (user action) -> redirect to SSO login page (otrotl.com) -> user authenticates (credentials verified) -> callback to /auth/sso/callback (server-side handler) -> create server-side session -> "Token valid?" (No: error) -> GET /auth/sso/token bridge endpoint -> JWT response -> store JWT in localStorage -> Dashboard. Logout flows: front-channel logout (browser redirect to SSO; SSO clears session, cookies invalidated) and back-channel logout (server-to-server POST; TubeRaker invalidates all sessions server-side). Legend: Browser, API, SSO, Success, Decision, Error/Logout.]

Step-by-Step Explanation

SSO Login Flow

  1. User clicks "OTROTL Login" — Clicking the OTROTL login button on the TubeRaker login page starts the flow.
  2. Redirect to SSO server — The browser is redirected to the otrotl.com login page with TubeRaker's client ID and its registered redirect URI. The redirect should also carry a freshly generated state value that the callback compares against what it issued; without that check an attacker can drive a victim's browser through the callback with the attacker's own authorization code and bind the victim's session to the attacker's account (login CSRF).
  3. User authenticates at OTROTL — The user enters their OTROTL credentials. The SSO server verifies them and issues an authorization code.
  4. Callback to /auth/sso/callback — The SSO server redirects the browser to TubeRaker's callback endpoint with the authorization code. The code is the only secret in this leg, and the next step consumes it exactly once.
  5. Server creates session — TubeRaker's backend exchanges the authorization code with OTROTL, server to server, for the user's token and user info, creates or matches a local user account, and establishes a server-side session.
  6. Token validation — The SSO token is checked for a valid signature from OTROTL's key, an unexpired exp claim, and an aud claim naming TubeRaker's client ID; a token failing any of these is rejected with an error and no authenticated session results. The aud check matters even when the signature is good: a token OTROTL issued for some other application must not log anyone into TubeRaker.
  7. Bridge endpoint serves JWT — The frontend calls GET /auth/sso/token, authenticated only by the server-side session cookie, and receives a TubeRaker-issued JWT. This endpoint turns a cookie into a bearer token, so its response must not be readable cross-origin and should be sent with Cache-Control: no-store.
  8. JWT stored in localStorage — The frontend keeps the JWT in localStorage and sends it on every subsequent API call. localStorage is readable by any script running on the TubeRaker origin, so an XSS on the dashboard yields the token; keep its lifetime short.
  9. Redirect to Dashboard — The user lands on their personalised dashboard, fully authenticated.

Logout Flows

  1. Front-channel logout — When the user clicks "Logout," the browser is redirected to the OTROTL SSO logout endpoint; the SSO server clears its own session cookies and redirects back to TubeRaker, and the frontend removes the JWT from localStorage. Removing the token from the browser does not make it invalid: a copy taken earlier keeps working until its exp unless the server also records the logout.
  2. Back-channel logout — When the user logs out from another OTROTL-connected app, the SSO server sends a server-to-server POST to TubeRaker's back-channel logout endpoint, and TubeRaker invalidates every active session for that user. The request arrives without the user's browser, so the endpoint must verify that it really came from OTROTL (in practice a signed logout token, checked the same way as the token in step 6 of the login flow) before acting; an endpoint that accepts an unauthenticated POST lets anyone log arbitrary users out.
  3. Token validation on requests — Every authenticated API request verifies the JWT's signature and expiry. A valid signature stays valid until exp whatever has happened since issuance, so revocation through back-channel logout needs a server-side record (a per-user logout timestamp or a token denylist) that the per-request check consults. Expired or revoked tokens are rejected with a 401 status.
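The login steps and the three logout behaviours above, as one added example that is not TubeRaker's or OTROTL's code: an in-memory Python model of the server side of the flow. Everything named here is an assumption, including the TubeRakerAuth class, the HS256 shared secrets standing in for OTROTL's signing key, the state value, the per-user revoked_at record used to honour back-channel logout, and the constructed tokens. The real endpoints (/auth/sso/callback, GET /auth/sso/token, the back-channel POST) are modelled as method calls, and the authorization-code exchange with otrotl.com is skipped by handing the callback the token it would have received.

```python
import base64
import hashlib
import hmac
import json
import secrets

CLIENT_ID = "tuberaker"  # assumed: TubeRaker's client id as registered at OTROTL

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    """HS256 JWT; a real IdP would sign with an asymmetric key (simplification)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"

def verify_jwt(token: str, secret: bytes, audience: str, now: float) -> dict:
    """Step 6 checks: pinned algorithm, signature, expiry, audience. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not claims.get("sub"):
        raise ValueError("no subject")
    return claims

class TubeRakerAuth:  # in-memory stand-in for TubeRaker's server-side auth state (assumption)

    def __init__(self, sso_secret: bytes, jwt_secret: bytes):
        self.sso_secret = sso_secret  # verifies tokens that OTROTL signed
        self.jwt_secret = jwt_secret  # signs TubeRaker's own JWTs
        self.pending_states: set[str] = set()
        self.sessions: dict[str, str] = {}  # session id -> user id
        self.revoked_at: dict[str, float] = {}  # user id -> time of last back-channel logout

    def start_login(self) -> str:
        """Step 2: mint the state value sent to otrotl.com with client id and redirect URI."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return state

    def sso_callback(self, state: str, sso_token: str, now: float) -> str:
        """Steps 4-6: tie the callback to a login we started, validate the token, open a session."""
        if state not in self.pending_states:
            raise ValueError("unknown or reused state")  # blocks login CSRF and replay
        self.pending_states.discard(state)
        claims = verify_jwt(sso_token, self.sso_secret, CLIENT_ID, now)
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = claims["sub"]
        return session_id  # would travel back as an HttpOnly session cookie

    def bridge_token(self, session_id: str, now: float, ttl: int = 900) -> str:
        """Step 7: GET /auth/sso/token issues a JWT only against a live server-side session."""
        user = self.sessions.get(session_id)
        if user is None:
            raise PermissionError("no session")
        claims = {"sub": user, "aud": CLIENT_ID, "iat": now, "exp": now + ttl}
        return sign_jwt(claims, self.jwt_secret)

    def front_channel_logout(self, session_id: str) -> None:
        """Logout 1: drop the session; the browser clears localStorage on its own."""
        self.sessions.pop(session_id, None)

    def back_channel_logout(self, logout_token: str, now: float) -> str:
        """Logout 2: the POST carries a token signed by OTROTL; verify it before acting on it."""
        user = verify_jwt(logout_token, self.sso_secret, CLIENT_ID, now)["sub"]
        self.sessions = {s: u for s, u in self.sessions.items() if u != user}
        self.revoked_at[user] = now  # every JWT issued at or before this instant is dead
        return user

    def authenticate_request(self, jwt: str, now: float) -> str:
        """Logout 3: per-request check; a signed JWT cannot revoke itself, so ask the record."""
        claims = verify_jwt(jwt, self.jwt_secret, CLIENT_ID, now)
        cutoff = self.revoked_at.get(claims["sub"])
        if cutoff is not None and claims.get("iat", 0) <= cutoff:
            raise PermissionError("revoked by back-channel logout")  # caller answers 401
        return claims["sub"]

def rejects(exc: type, fn, *args) -> bool:
    """True when fn(*args) raises exc; used to exercise the failure paths."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

Walk it through by minting a state with start_login(), passing it together with a constructed OTROTL token to sso_callback(), taking a JWT from bridge_token(), then calling back_channel_logout() with a token signed by the OTROTL secret and watching authenticate_request() turn a still-valid signature into a PermissionError. The revocation check keys on iat, so a user who logs in again after the logout receives a token that passes; a logout token signed with the wrong key, a token with a foreign aud, a replayed state and an expired JWT are all rejected before any session or identity is produced.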