System user flow

High-level intro to system user flow for non-interactive server-to-server communications.

1. A customer tenant administrator must approve your application.

   • Behind the scenes, a system user token is generated and appended to an application authorization record in the Operation Center, and the application authorization record binds the application to the tenant.

2. The administrator is sent (via a POST) to your redirect URL with a JWT token.

   • Therefore, all applications must have a redirect URL.

3. Validate the token.

   • The application residing at the redirect URL is expected to receive the JWT from the request body, validate the id_token, and then reliably access the identity claims.

   • Extract the claims (including system user token) from SuperIdToken and store this information in your application in a multi-tenant fashion.

   • It's up to the application to securely store the system user token

4. Exchange system user token for system user ticket prior to each interactive session with the tenant web services. The ticket is shortlived and will only last a few hours.

5. Let the application go about its business chatting with the SuperOffice web services using the ticket as credentials.