Tidepool uses standard OpenID Connect or OAuth2 for authentication and authorization flows. This provides a mechanism for third-party developers to securely request that Tidepool authenticate a user while ensuring the privacy and confidentiality of that user's login credentials.
We also support external identity providers (IdP) for clinics that wish to use their own single sign-on (SSO) solution. Please contact the Tidepool Sales Team to enable SSO for your clinic. Clinicians who log in to Tidepool are directed to their clinic's SSO login page, which may be hosted by services such as Okta, Auth0, Microsoft ADFS, and so on. Upon successful login, the clinician is redirected back to Tidepool Web.
The following references provide more detailed information on the principles and implementation of OAuth 2.0:
- How OpenID Connect Works
- OAuth 2.0 - RFC 6749
- An Introduction to OAuth 2
- OAuth 2 Simplified
- OAuth 2.0 Servers
Tidepool access tokens are relatively short-lived (as in, minutes). Once expired, they must be refreshed using the refresh token returned by Tidepool's authentication service.
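The refresh cycle described above, shown as an added example that is not Tidepool's own client code. It assumes a hypothetical token endpoint URL and a JWT-formatted access token; Tidepool's real endpoint and token format are not given on this page. The client reads the token's `exp` claim only to schedule a refresh (never as proof of validity, since the signature is not checked here) and builds a standard RFC 6749 section 6 `refresh_token` grant. The HTTP call is injected as a transport callable, with a constructed fake transport below, so the flow runs offline.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical endpoint; Tidepool's real token endpoint is not stated on the page.
TOKEN_ENDPOINT = "https://auth.example.invalid/oauth2/token"
REFRESH_SKEW_SECONDS = 30  # refresh shortly before the real expiry to avoid 401s mid-request


def jwt_exp(access_token):
    """Return the 'exp' claim of a JWT access token WITHOUT verifying its signature.

    The value only decides when the client asks for a new token; an unverified
    payload proves nothing, so it must never be used for authorization decisions.
    Returns None for opaque (non-JWT) tokens.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("exp")


def needs_refresh(access_token, now=None):
    """True when the token is expired, about to expire, or cannot be inspected."""
    exp = jwt_exp(access_token)
    if exp is None:
        return True  # opaque token: nothing to inspect, refresh and let the server judge
    now = time.time() if now is None else now
    return now >= exp - REFRESH_SKEW_SECONDS


def build_refresh_request(refresh_token, client_id):
    """Form body for an RFC 6749 section 6 refresh_token grant (public client, no secret)."""
    body = urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, body


class TokenStore:
    """Holds the current token pair; refreshes through an injected transport.

    `transport(url, headers, body)` must return the parsed JSON token response.
    """

    def __init__(self, access_token, refresh_token, client_id, transport):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.client_id = client_id
        self.transport = transport
        self.refreshes = 0

    def get_access_token(self, now=None):
        if needs_refresh(self.access_token, now):
            url, headers, body = build_refresh_request(self.refresh_token, self.client_id)
            resp = self.transport(url, headers, body)
            self.access_token = resp["access_token"]
            # Servers may rotate the refresh token on each use; keep the new one if present.
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
            self.refreshes += 1
        return self.access_token


# --- constructed sample data (not real Tidepool tokens) ---------------------

def make_sample_token(exp):
    """Build an unsigned JWT-shaped token with the given 'exp' for demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'user-123', 'exp': exp})}.sig"


def fake_transport(url, headers, body):
    """Stand-in for the token endpoint: answers every refresh with a fresh pair."""
    assert "grant_type=refresh_token" in body
    return {"access_token": make_sample_token(2000), "refresh_token": "rt-2",
            "token_type": "Bearer", "expires_in": 1000}


if __name__ == "__main__":
    store = TokenStore(make_sample_token(1000), "rt-1", "client-abc", fake_transport)
    store.get_access_token(now=900)   # still valid, no refresh
    store.get_access_token(now=990)   # within skew window, triggers refresh
    print("refreshes:", store.refreshes, "new exp:", jwt_exp(store.access_token))
```

Treat the refresh token as the long-lived secret it is: store it with the same care as a password and expect the server to rotate or revoke it.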
In the future, Tidepool will offer users the option to enable two-factor authentication (2FA) on their account to further secure it. To log in, the user will then have to present their email and password as well as a 6-digit number generated by a 2FA provider such as 1Password or Google Authenticator.
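How the 6-digit code is produced and checked, as an added example that is not Tidepool's code and does not describe its planned implementation. It assumes the codes are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226), which is what authenticator apps such as those named above generate. The server-side check shown here tolerates one 30-second step of clock drift, compares in constant time, and refuses to accept a code whose time step has already been used, so a code observed in transit cannot be replayed within its window. The secret below is the RFC 6238 test-vector secret, used only so the output can be checked.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, submitted, unix_time=None, step=30, digits=6, window=1, last_counter=None):
    """Check a submitted code against the current step and +/- `window` neighbours.

    Returns the accepted counter so the caller can persist it as `last_counter`
    and reject any later submission for that counter or an earlier one (anti-replay).
    Returns None when the code is malformed, wrong, or already consumed.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now = time.time() if unix_time is None else unix_time
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue  # this step (or an older one) was already used
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


# RFC 6238 test secret (SHA-1 variant); a real deployment generates a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    # Expected per RFC 6238 appendix B, truncated to 6 digits: 287082, 081804, 005924
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_TEST_SECRET, t))
    accepted = verify_totp(RFC_TEST_SECRET, "287082", unix_time=89)  # one step late, still ok
    replay = verify_totp(RFC_TEST_SECRET, "287082", unix_time=89, last_counter=accepted)
    print("accepted counter:", accepted, "replay result:", replay)
```

In a real deployment the per-user secret is generated randomly, shared once with the authenticator app, stored encrypted, and the accepted counter is persisted per user so the anti-replay check survives restarts.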