Federated Login Design


Overview

Interject uses a Duende (previously Identity Server 4) API to handle authentication for federated user logins. The following diagram shows the relationship between the Interject Excel Add-in and the Auth API when users log in to a federated identity system.


Enterprise Login Code

The Enterprise Login Code is a text string given to each Interject company that is used to navigate a user from the general login page to the federation's login page. The login code can be set to any text string that is not currently in use by another Interject company.


See Logging In/Out: Enterprise User for a walkthrough on how to log in with your Enterprise token.

Web Pages with WebView2

For the Interject Add-in to show the login page and redirect properly to federated login pages, it needs a web browser environment. WebView2 is a framework for embedding web technologies such as HTML and JavaScript in native Windows apps of various kinds.

To learn more about WebView2, refer to this documentation.

Tokens and Refresh Cycle

OpenID Connect (OIDC) is built on top of OAuth2, which uses an access token for authorized requests and a refresh token to get new access tokens when they expire. Both tokens expire after the following durations:

  • Refresh token - expires every 30 days (this requires the user to log in again)
  • Access token - expires every hour

How Tokens are Stored

Login access and refresh tokens are stored in a .dat file protected with Microsoft's Windows Data Protection API (DPAPI). The file is located in the user's AppData folder for Interject/Settings.


You can open this folder easily by clicking Diagnostics on the Advanced Interject ribbon, selecting Open User Folders, and then clicking Execute Selected Action.
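The storage approach described above, shown as an added PowerShell example that is not Interject's own code: it protects a token record with the Windows Data Protection API, reads it back, and shows that a modified file is rejected. The file name, JSON layout, token values and the CurrentUser scope are assumptions made for illustration.

```powershell
# Added example, not Interject code. File name, JSON layout and the
# CurrentUser scope are assumptions; token values are constructed.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-TokenFile {
    param([string]$Path, [string]$Json)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Json)
    # DPAPI encrypts and integrity-protects with a key tied to this Windows user
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
    [System.IO.File]::WriteAllBytes($Path, $blob)
}

function Unprotect-TokenFile {
    param([string]$Path)
    $blob = [System.IO.File]::ReadAllBytes($Path)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null   # wrong user or machine, or the blob was modified
    }
    [System.Text.Encoding]::UTF8.GetString($plain) | ConvertFrom-Json
}

$now  = [DateTime]::UtcNow
$json = @{
    access_token        = 'constructed-access-token'
    access_expires_utc  = $now.AddHours(1).ToString('o')   # 1 hour, per the page
    refresh_token       = 'constructed-refresh-token'
    refresh_expires_utc = $now.AddDays(30).ToString('o')   # 30 days, per the page
} | ConvertTo-Json
$path = Join-Path $env:TEMP 'example-tokens.dat'           # hypothetical file name

Protect-TokenFile -Path $path -Json $json
$tokens = Unprotect-TokenFile -Path $path
"Round trip OK: $($tokens.access_token -eq 'constructed-access-token')"

# On disk the file is an opaque blob, not readable JSON
$raw = [System.IO.File]::ReadAllBytes($path)
"Plaintext visible on disk: $([System.Text.Encoding]::UTF8.GetString($raw).Contains('constructed'))"

# A single flipped byte makes Unprotect fail instead of returning altered tokens
$raw[$raw.Length - 1] = $raw[$raw.Length - 1] -bxor 0xFF
[System.IO.File]::WriteAllBytes($path, $raw)
"Tampered file rejected: $($null -eq (Unprotect-TokenFile -Path $path))"
Remove-Item $path
```

With user scope, DPAPI keeps the file unreadable once it is copied to another account or machine, but any process running as the same Windows user can call Unprotect on it. Endpoint hardening and the token lifetimes listed above remain the controls that bound the exposure of a token read that way.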



Legacy Interject Logins

Users can be configured to continue using their existing Interject basic Auth accounts while also having access to federated logins. The Interject Login Manager will show all your logins: