OIPA Login Behavior

  1. /login/initializeLogin checks application.isSSOEnabled.

  2. If SSO is enabled, the endpoint returns an SSO authorization URL instead of the normal login model.

  3. The authorization URL includes response_type=code, client_id, scope=openid, redirect_uri, and the signed state.

  4. /login/callback exchanges the authorization code for tokens.

  5. The implementation validates the access token by using the provider JWKS.

  6. The implementation maps claims to OIPA names such as clientNumber, firstName, lastName, and email.

  7. If the user does not exist in OIPA, OIPA creates the user and assigns the default security group.

  8. The implementation stores refresh tokens in ASOIDCUSERSESSIONS for logout and session extension.
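The redirect and callback steps above, as an added Python example that is not OIPA's own code: it signs and verifies the state value, builds the step 3 authorization URL, accepts the callback code only when the state checks out, and maps claims to the OIPA field names from step 6. The signing key, the claim-to-field mapping and the endpoint values are assumptions; JWKS validation of the token (step 5) is outside this block.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret used only to sign the OIDC state value.
# Constructed for this example; a real deployment keeps it out of source.
STATE_KEY = b"constructed-demo-state-key"

# Assumption: which provider claims feed which OIPA user fields.
CLAIM_MAP = {"sub": "clientNumber", "given_name": "firstName",
             "family_name": "lastName", "email": "email"}


def sign_state(nonce: str, key: bytes = STATE_KEY) -> str:
    """Return 'nonce.mac'; the MAC ties the nonce to this server's key."""
    mac = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_state(state: str, key: bytes = STATE_KEY) -> bool:
    """Constant-time check that a returned state was issued by this server."""
    nonce, _, mac = state.rpartition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state):
    """Authorization-code request carrying the parameters listed in step 3."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": "openid", "redirect_uri": redirect_uri, "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_query(url):
    """Flatten the query string of a URL into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def extract_callback_code(callback_url):
    """Return the authorization code only when the state verifies, else None."""
    q = parse_query(callback_url)
    if "code" not in q or not verify_state(q.get("state", "")):
        return None
    return q["code"]


def map_claims(claims):
    """Translate validated token claims into the OIPA user-field names."""
    return {oipa: claims[oidc] for oidc, oipa in CLAIM_MAP.items() if oidc in claims}
```

A callback whose state was not issued here (or was altered in transit) yields no code, so the token exchange never starts.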

Logout and Session Behavior

  • Logout looks up the stored refresh token and calls the provider end_session_endpoint.

  • Keep-alive and session extension call the token endpoint with grant_type=refresh_token.