// Identity Federation

Dragon Key

Dragon Key is the identity federation layer for the DragonSource ecosystem. Built on OAuth2 / OpenID Connect, it enables partner platforms to validate Dragon credentials and establish trust.

OIDC Endpoints

GET /.well-known/openid-configuration

OIDC Discovery document — returns all endpoint URLs, supported scopes, and signing algorithms

GET /auth/authorize

Authorization endpoint — initiates the authentication flow. Params: client_id, redirect_uri, response_type=code, scope, state

POST /auth/token

Token endpoint — exchanges authorization code for access_token and id_token. Params: grant_type, code, client_id, client_secret

GET /auth/userinfo

UserInfo endpoint — returns claims about the authenticated user. Requires Bearer token in Authorization header

Integration Flow

Authorization Code Flow

1. User clicks 'Sign in with Dragon Key' on your app
2. Your app redirects to https://dragonsource.org/auth/authorize with client_id, redirect_uri, scope
3. User authenticates with DragonSource credentials
4. DragonSource redirects back with authorization code
5. Your server exchanges code for tokens at /auth/token
6. Use the access token to fetch user info at /auth/userinfo

ID Token Claims

sub         Unique identifier for the partner/user
name        Display name of the partner organization
email       Contact email (requires email scope)
partner_id  DragonSource partner ID
tier        Partnership tier: community, technology, research, strategic
verified    Boolean: whether the partner holds DragonSource Verified status

Quick Start

// YOUR_CLIENT_ID, YOUR_CLIENT_SECRET and YOUR_REDIRECT_URI are placeholders for the
// values registered for your app. Steps 1-3 run wherever the login starts; steps 4-5
// must run on your server because they use the client secret.

// 1. Get OIDC Discovery
const discovery = await fetch(
  'https://dragonsource.org/.well-known/openid-configuration'
).then(r => r.json());

// 2. Build authorization URL. `state` is an unguessable per-login value; keep it in
//    the user's session so the callback in step 4 can be tied to this request.
const state = crypto.randomUUID();
const authUrl = new URL(discovery.authorization_endpoint);
authUrl.searchParams.set('client_id', YOUR_CLIENT_ID);
authUrl.searchParams.set('redirect_uri', YOUR_REDIRECT_URI);
authUrl.searchParams.set('response_type', 'code');
authUrl.searchParams.set('scope', 'openid profile');
authUrl.searchParams.set('state', state);

// 3. Redirect user
window.location.href = authUrl.toString();

// 4. Exchange code for tokens (server-side). `callbackParams` stands for the query
//    string of the redirect from step 4 of the flow and `savedState` for the value
//    stored in step 2; refuse the callback unless they match before using the code.
if (callbackParams.get('state') !== savedState) throw new Error('state mismatch');
const authorizationCode = callbackParams.get('code');
// Body as shown in the Dragon Key docs (JSON). RFC 6749 defines this request as
// application/x-www-form-urlencoded, so switch encodings if the endpoint rejects JSON.
const tokens = await fetch(discovery.token_endpoint, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    grant_type: 'authorization_code',
    code: authorizationCode,
    client_id: YOUR_CLIENT_ID,
    client_secret: YOUR_CLIENT_SECRET,
    redirect_uri: YOUR_REDIRECT_URI,
  }),
}).then(r => {
  if (!r.ok) throw new Error(`token request failed: ${r.status}`);
  return r.json();
});

// 5. Fetch user info with the access token
const userInfo = await fetch(discovery.userinfo_endpoint, {
  headers: { Authorization: `Bearer ${tokens.access_token}` },
}).then(r => r.json());

console.log(userInfo);
// { sub: "...", name: "Partner Name", tier: "technology", verified: true }