
Authorization

Our website follows the OAuth 2.0 for Browser-Based Apps spec. Your application simply needs to send the user to the Fanatics ID SSO website with some important URL parameters (defined below). When the user has finished registering or logging in, Fanatics ID will redirect back to a URI that you provide at the beginning. That redirect will contain a code that can be exchanged server side for an access token as part of the OAuth2 code exchange.

Request

URL

/oauth2/auth

Query Parameters

To have the user authenticate in our SSO and authorize your app, the following URL parameters are supported. For more details, please see the OAuth 2.0 documentation. You will need to URL-encode all values.

| Parameter | Required? | Description | Value |
|---|---|---|---|
| scope | yes | A space-delimited list of permissions that the application requires. See Scopes for detailed information. | openid |
| response_type | yes | Tells the authorization server which grant to execute. | code |
| client_id | yes | The client ID of the application that asks for authorization. | This will come from your client setup. |
| redirect_uri | yes | Holds a URL. A successful response from this endpoint results in a redirect to this URL. Please note that this redirect URI must be registered with your client id. | You will provide this as part of your client setup. |
| nonce | no | While not required per spec it is strongly encouraged! String value used to associate a Client session with an ID Token, and to mitigate replay attacks. For more details including how you should use it, see the OpenID documentation. | You will generate this. |
| state | no | While not required per spec it is strongly encouraged! An opaque value. If this request parameter is set in the request, then it is returned to the application as part of the redirect_uri. This is used to prevent cross-site request forgery exploits. For details on how you should use this, see here. | You will generate this. |

Example

https://id.fanatics.com/oauth2/auth?scope=openid%20fancash%3Alookup&response_type=code&client_id=ficiMBmceBIN7mQbUtzLMYiHklz31Q6MdtTaKlLUXJlN4DAT&redirect_uri=https%3A%2F%2Fwww.yourhostname.com%2Floggedin%2F&nonce=daEaCN8zOJf4upye8P0b58G3&state=SJ0tIS51hKi2XVXPVOw6bP1v

Redirect Query Parameters

After the user is done on Fanatics ID we will perform a redirect back to the redirect_uri that you provided.

| Parameter | Required? | Description | Value |
|---|---|---|---|
| code | yes | OAuth 2.0 code that can be exchanged server side for an access token as part of the OAuth2 code exchange. | We will generate this. |
| state | no | The optional opaque value provided on the request. | You will generate this. |
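The request and redirect described above, as an added example that is not part of the Fanatics ID documentation: it builds the /oauth2/auth URL with fresh state and nonce values, then validates the redirect back to redirect_uri by requiring a state this application issued, accepting it only once, and returning the code for the server-side exchange. The client_id and redirect_uri values are placeholders; the in-memory `_pending` store stands in for a per-user server-side session.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs, quote

# Endpoint from the page; client_id and redirect_uri are supplied by the caller
# and would come from your own client setup (placeholders in the usage below).
AUTHORIZE_ENDPOINT = "https://id.fanatics.com/oauth2/auth"

# Outstanding authorization requests: state -> nonce. Each state is accepted once.
# Assumption: a real deployment keeps this in the user's server-side session.
_pending = {}


def build_authorization_url(client_id, redirect_uri, scopes=("openid",),
                            state=None, nonce=None):
    """Return the URL to send the browser to, remembering the state and nonce
    so the redirect (state) and the ID token (nonce) can be checked later."""
    state = state or secrets.token_urlsafe(18)
    nonce = nonce or secrets.token_urlsafe(18)
    _pending[state] = nonce
    params = {
        "scope": " ".join(scopes),      # space-delimited list, encoded below
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match the registered URI exactly
        "nonce": nonce,
        "state": state,
    }
    # quote (not quote_plus) with safe="" encodes space as %20 and "/" as %2F,
    # which matches the example request shown on this page.
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params, safe="", quote_via=quote)


def handle_redirect(redirect_url):
    """Validate the redirect back to redirect_uri and return (code, nonce).
    Rejects unknown or reused state (CSRF/replay) and redirects without a code."""
    query = parse_qs(urlparse(redirect_url).query)
    state = query.get("state", [None])[0]
    if state is None or state not in _pending:
        raise ValueError("state missing or not issued by this application")
    nonce = _pending.pop(state)          # single use: a replayed redirect fails
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect did not carry an authorization code")
    # The nonce is returned so it can be compared with the ID token's nonce claim
    # after the code exchange; the code itself is only ever exchanged server side.
    return code, nonce


if __name__ == "__main__":
    url = build_authorization_url("CLIENT_ID_PLACEHOLDER",
                                  "https://www.yourhostname.com/loggedin/",
                                  ("openid", "fancash:lookup"))
    print(url)
```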

Notes

Please be aware that for security reasons our SSO must load in a full browser window or tab. There are security vulnerabilities with authentication in nested browsing contexts such as iframe & embed. Attempting to load our SSO in anything other than a full browser tab is not supported.


Last updated 3 months ago
