Opinsys Oy
This the documentation for the git master branch. For the current production documentation please see https://api.opinsys.fi/v3/sso/developers

Opinsys Authentication

For now to implement Opinsys Authentication to a external service you must receive a shared secret from Opinsys support tuki aet opinsys.fi. To receive it you must provide following:

Once the shared sercret is in place the external service may redirect user's web browser to https://api.opinsys.fi/v3/sso with a return_to query string key which determines where user is redirected back. The hostname of the return_to URL must match with the fqdn provided to us.

Example redirect URL might be:


When user is authenticated he/she will be redirected to the URL specified in the return_to query string key. The URL is augmented with a jwt query string key which will contain a JSON Web Token. The external service is expected to decode this token, validate it with the given shared secret and make sure that it is not issued too long a ago or in future. The token will contain following claims:

In addition to those above, there are some "extra" fields that can be used, but you should NOT rely on their existence (they might not always exist). These are:

Service activation

By default external services are not activated for all Opinsys organisations. Each organisation or individual schools must activate the external services on their behalf. They can do this directly from their management interface.

Organisation presetting

If the external service knows in advance from which organisation the user is coming from it can make the login bit easier by specifying an additional query string key organisation to the redirect URL:


Using this users don't have to manually type their organisation during login.


When user is coming from a Opinsys managed desktop Kerberos will be used for the authentication. User will not even see the Opinsys login form in this case. He/she will be directly redirected back to return_to url with a jwt key. The organisation presetting is ignored when Kerberos is active because the organisation will read from the Kerberos ticket. This is enabled by default for all external services using Opinsys Authentication.

Custom fields

If you need to relay some custom fields through the Authentication service you can just add them to the return_to URL. Just remember to escape the value.



Redirects user to:

http://example.com/path?custom_field=bar&jwt=<the jwt token>

Implementation help

Feel free to contact us at dev aet opinsys.fi or open up an issue on Github if you have any trouble implementing this. You can also send a pull request to this document if you feel it is missing something.