The goal is a smooth SSO integration between your bank app and the Paylead
WebApp, ensuring:
- correct cookie and session handling between the WebView and the IdPs,
- no spurious redirects to the authentication screen,
- and silent re-authentication as long as the IdP sessions are valid.
Authentication flow architecture
Actors
Paylead WebApp
The end-user interface.
Paylead IdP
The Paylead Identity Provider. Manages the WebApp session (the Paylead session
cookie).
Partner IdP
Authenticates the bank user. OIDC delegation flows from the Partner IdP to the
Paylead IdP.
The Consumer URL for your Program (
https://consumer-<reference_pm>.paylead.eu)
is provided by your Paylead contact.Flow at a glance
Create the Paylead session
The Paylead IdP creates a Paylead session and redirects back to the WebApp.
Session management
Session types
| Level | IdP | Lifetime | Impact |
|---|---|---|---|
| Paylead SSO | Paylead IdP | 30 min idle / 10h max (default) | Manages the SSO authentication |
| Partner IdP | Partner | Variable | Authenticates the bank user |
Recommended durations
- Paylead IdP (configurable):
- SSO Session Idle: 30 min
- SSO Session Max: 10h
- Partner IdP: must be ≥ the Paylead IdP session to avoid showing the
authentication screen after a redirect to
/authorize.
The idle session timer counts from the moment the session stops being active,
not from the moment it was created.
Expected behaviour by session state
| Paylead IdP session | Partner IdP session | Result |
|---|---|---|
| ✅ Valid | ✅ Valid | Direct access |
| ⚙️ Expired | ✅ Valid | Silent re-authentication |
| ⚠️ Expired | ⚠️ Expired | Partner IdP auth screen |
| ⚠️ Valid | ⚠️ Expired | Partner IdP auth screen |
| ❌ Cookies lost | n/a | Redirect to /auth |
Access check & re-authentication
Step 1: Pre-check before opening
Before opening the WebApp, perform aGET without automatically following
redirects:
- If the response is 2xx → the session is considered valid, open the WebApp directly.
- If the response is a 3xx redirect and the
Locationheader points to/auth(the Paylead IdP auth route) → start the full SSO flow (Step 2).
The response of this
GET is also useful for what follows, as it carries:state: lets you send the user back to the page they originally requested.nonce: lets you bind the session to the token we create.
Step 2: Web authentication
Validate the final redirect
Check that the last redirect contains
scope, state, nonce, client_id
and redirect_uri. Otherwise, clear the cookies for the Paylead domain and
retry once.What’s next
WebView configuration
Cookie and WebView setup required for the flow above to work reliably.
Troubleshooting
Diagnose a recurring auth screen, lost cookies, or hard-to-trace behaviour.