Single Sign On

Trybe supports Single Sign On for customers, guests and members through OpenID on top of OAuth.

All requests to the OAuth endpoints happen on the booking engine subdomain.

You can find the OpenID autodiscovery endpoint here: https://{booking_engine_subdomain}.try.be/.well-known/openid-configuration

Code example

Below is an example code snippet in PHP that retrieves an id_token, access_token and refresh_token for the authenticated customer on behalf of Palm Tree Spa.

  1. Your login endpoint should redirect the user to the Trybe OAuth authorize endpoint.
    // Imports used by both routes below
    use Illuminate\Http\Request;
    use Illuminate\Support\Facades\Http;
    use Illuminate\Support\Facades\Route;
    use Illuminate\Support\Str;

    # Login endpoint (https://mywebsite.com/login)
    Route::get('/login', function (Request $request) {
        // Store a random state value in the session; the callback compares it
        // with the value returned by Trybe.
        $request->session()->put('state', $state = Str::random(40));

        $query = http_build_query([
            'client_id' => '##ClientId##',
            'redirect_uri' => 'https://mywebsite.com/callback',
            'response_type' => 'code',
            'scope' => 'openid memberships:read',
            'state' => $state,
        ]);

        return redirect('https://palmtreespa.try.be/oauth/authorize?'.$query);
    });
  2. Upon successful login, the user will be redirected back to your callback endpoint with an authorization code. Use this code to retrieve the id_token, access_token and refresh_token from the Trybe OAuth token endpoint with your OAuth client credentials.
    # Callback endpoint (https://mywebsite.com/callback)
    Route::get('/callback', function (Request $request) {
        // pull() reads the stored state and removes it from the session.
        $state = $request->session()->pull('state');

        // Reject the callback unless the returned state matches the stored one.
        throw_unless(
            is_string($state) && $state !== '' && $state === $request->state,
            InvalidArgumentException::class
        );

        // Exchange the authorization code for tokens using the client credentials.
        $response = Http::asForm()->post('https://palmtreespa.try.be/oauth/token', [
            'grant_type' => 'authorization_code',
            'client_id' => '##ClientId##',
            'client_secret' => '##ClientSecret##',
            'redirect_uri' => 'https://mywebsite.com/callback',
            'code' => $request->code,
        ]);

        // The JSON body carries the id_token, access_token and refresh_token.
        return $response->json();
    });

Scopes

Pass the scopes below to retrieve additional information about the authenticated user in their id_token.

Multiple scopes should be delimited with a space.

| Scope | Description |
| --- | --- |
| openid | Provide access to your account details |
| profile | Allow access to basic information |
| email | Allow access to your email address |
| memberships:read | Allow read access to your memberships |
| memberships:write | Allow write access to your memberships |

ID Token format

The ID token is a JSON Web Token (JWT) that contains identity information about the authenticated user.

{
  "aud": "Trybe",
  "iss": "https://palmtreespa.try.be",
  "iat": 1718108808,
  "exp": 1718112408,
  "sub": "9138914d-5f01-414a-9cca-3df6b43d42c6",
  "name": "Jane Doe",
  "family_name": "Doe",
  "given_name": "Jane",
  "picture": null,
  "updated_at": 1649234295,
  "email": "janedoe@example.com",
  "email_verified": true,
  "organisation_ids": [
    "00000000-0000-0000-0000-000000000000"
  ],
  "default_organisation_id": "00000000-0000-0000-0000-000000000000",
  "site_ids": [
    "00000000-0000-0000-0000-111111111111"
  ],
  "default_site_id": "00000000-0000-0000-0000-111111111111",
  "brand_ids": [
    "00000000-0000-0000-0000-222222222222"
  ],
  "default_brand_id": "00000000-0000-0000-0000-222222222222",
  "managed_by_sso": false,
  "sso_tenant_id": null
}
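
Before acting on these claims, a relying party checks iss, aud, exp, iat and sub, and only trusts the email when email_verified is true. The PHP below is an added example, not Trybe's code; it expects the payload of a token whose signature has already been verified against the keys advertised in the discovery document. The function names, the 60-second leeway and the use of "Trybe" as the expected audience (taken from the sample above) are assumptions.

```php
<?php
// Added example: claim checks for an ID token payload whose signature has
// already been verified. Function names and the leeway are assumptions.

/** @return string[] Problems found; an empty array means the claims pass. */
function validateIdTokenClaims(array $claims, string $issuer, string $audience, int $now, int $leeway = 60): array
{
    $errors = [];

    // The issuer must match the booking engine subdomain you redirected to, exactly.
    if (($claims['iss'] ?? null) !== $issuer) {
        $errors[] = 'iss mismatch';
    }
    // A JWT "aud" claim may be a single string or an array of strings.
    if (!in_array($audience, (array) ($claims['aud'] ?? []), true)) {
        $errors[] = 'aud mismatch';
    }
    // exp and iat are Unix timestamps; allow a small clock skew.
    $exp = $claims['exp'] ?? null;
    if (!is_int($exp) || $exp + $leeway <= $now) {
        $errors[] = 'exp missing or in the past';
    }
    $iat = $claims['iat'] ?? null;
    if (!is_int($iat) || $iat - $leeway > $now) {
        $errors[] = 'iat missing or in the future';
    }
    // sub identifies the user at this issuer; local accounts are keyed on it.
    if (!is_string($claims['sub'] ?? null) || $claims['sub'] === '') {
        $errors[] = 'sub missing';
    }
    return $errors;
}

/** Returns the email claim only when email_verified is strictly true. */
function verifiedEmail(array $claims): ?string
{
    $email = $claims['email'] ?? null;
    return (($claims['email_verified'] ?? false) === true && is_string($email)) ? $email : null;
}

// Constructed input: a subset of the sample payload shown on this page.
$claims = json_decode('{"aud":"Trybe","iss":"https://palmtreespa.try.be",'
    . '"iat":1718108808,"exp":1718112408,"email_verified":true,'
    . '"sub":"9138914d-5f01-414a-9cca-3df6b43d42c6","email":"janedoe@example.com"}', true);

// First call uses a time inside the iat..exp window, the second a time after exp.
var_dump(validateIdTokenClaims($claims, 'https://palmtreespa.try.be', 'Trybe', 1718110000));
var_dump(validateIdTokenClaims($claims, 'https://palmtreespa.try.be', 'Trybe', 1718200000));
var_dump(verifiedEmail($claims));
```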