search

Authorization

Our website follows the OAuth 2.0 for Browser-Based Appsarrow-up-right spec. Your application simply needs to send the user to the Fanatics ID SSO website with some important url parameters (defined below). Then when the user is done registering or logging in Fanatics ID will perform a redirect back to a uri that you provide at the beginning. That redirect will contain a code that can be exchanged server side for an access token as part of the OAuth2 code exchangearrow-up-right.

hashtag
Request

hashtag
URL

/oauth2/auth

hashtag
Query Parameters

To have the user authenticate in our SSO and authorize your app the following URL parameters are supported. For more details please see the OAuth 2.0 documentationarrow-up-right. You will need to URL encode all values.

Parameter
Required?
Description
Value

scope

yes

A space-delimited list of permissions that the application requires.

openid

See Scopes for detailed information.

response_type

yes

Tells the authorization server which grant to execute.

code

client_id

yes

The client ID of the application that asks for authorization.

This will come from your client setup.

redirect_uri

yes

Holds a URL. A successful response from this endpoint results in a redirect to this URL. Please note that this redirect URI must be registered with your client id.

You will provide this as part of your client setup.

nonce

no

While not required per spec it is strongly encouraged! String value used to associate a Client session with an ID Token, and to mitigate replay attacks. For more details including how you should use it, see the OpenID documentationarrow-up-right.

You will generate this.

state

no

While not required per spec it is strongly encouraged! An opaque value. If this request parameter is set in the request, then it is returned to the application as part of the redirect_uri. This is used to prevent cross-site request forgery exploits. For details on how you should use this, see herearrow-up-right.

You will generate this.

hashtag
Example

https://id.fanatics.com/oauth2/auth?scope=openid%20fancash%3Alookup&response_type=code&client_id=ficiMBmceBIN7mQbUtzLMYiHklz31Q6MdtTaKlLUXJlN4DAT&redirect_uri=https%3A%2F%2Fwww.yourhostname.com%2Floggedin%2F&nonce=daEaCN8zOJf4upye8P0b58G3&state=SJ0tIS51hKi2XVXPVOw6bP1v

hashtag
Redirect Query Parameters

After the user is done on Fanatics ID we will perform a redirect back to the redirect_uri that you provided.

Parameter
Required?
Description
Value

code

yes

OAuth 2.0 code that can be exchanged server side for an access token as part of the OAuth2 code exchangearrow-up-right

We will generate this.

state

no

The optional opaque value provided on the request.

You will generate this.

hashtag
Notes

Please be aware that for security reasons our SSO must load in a full browser window or tab. There are security vulnerabilities with authentication in nested browsing contexts such as iframe & embed. Attempting to load our SSO in anything other than a full browser tab is not supported.

PreviousSingle Sign OnNextCode Exchange

Last updated