Automatic Single Sign On (SSO) for Client Portals
Tim Lock
I know there is a plan for SSO for all apps here already: https://ideas.gohighlevel.com/app-marketplace/p/single-sign-on-sso
However, I would like to mention that we need SSO for Client Portals to be automatic and to turn it off and on with a switch. So if you turn it on, the client is already logged in on the iframed custom menu you link when they log in to GHL, and if the switch is off, the client has to log in manually.
The reason I ask this is a lot of us don't know how to implement SSO or API and it might be cumbersome and difficult to set up. So I see why you would have to manually set it up if you are using SSO for an external app, but we definitely need automated setup for internal apps like Client Portals and other places that require separate logins.
Sales & Marketing
Merged in a post:
Log in with HighLevel button
Donald Moore
It would be great if there was a way to create an Authorization Provider for HighLevel using the traditional OAuth Flow. I've made a few other posts around this subject but I just want to make it as clear as possible.
If a user is logged into HighLevel and they want to log into another app, you have to grant the app access to that user's permission and return information about the user so that we can identify them in our own internal software.
Sales & Marketing
Merged in a post:
SSO Object should contain an Authorization Code.
Donald Moore
Without an Authorization Code, the current SSO Object does not work as a method of Authenticating the User and generating a Session using OAuth 2.0 with PKCE.
My proposal:
{
"userId": "voyt7xXYSNmCizMl0CPe",
"companyId": "STsoOZWCeRcFajyk6gL4",
"role": "admin",
"type": "account",
"activeLocation": "WQZjWNMM1muqdOrhPcO3",
"planId": "658e549b3afeab64858ccad6",
"code": "[pkce-authorization-code]"
}
The developer should be able to pass the code as a search param to the Redirect URL to log the user in and create the session. This solves a number of different problems, from having to build a separate UI to introduce features that already exist in GHL to managing sessions between multiple locations, multiple users, and even multiple companies.
There's no way to sign the user in without an Authorization Code.
Reference:
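An added illustration of the proposal above, not part of the original post and not HighLevel's API: a toy authorization server (`ToyAuthServer`, hypothetical) issues a one-time `code` bound to a PKCE S256 challenge, and only the app holding the matching verifier can redeem it, once. The user ID is a constructed sample.

```python
import base64, hashlib, hmac, secrets, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_pkce_pair():
    """Client side: random verifier and its S256 challenge (RFC 7636)."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

class ToyAuthServer:
    """Hypothetical stand-in for the identity provider; not HighLevel's API."""
    def __init__(self, ttl=60):
        self.ttl = ttl
        self._codes = {}  # code -> (challenge, user_id, expiry)

    def issue_code(self, user_id, challenge):
        code = secrets.token_urlsafe(32)
        self._codes[code] = (challenge, user_id, time.time() + self.ttl)
        return code

    def redeem(self, code, verifier):
        """Return user_id if the code is live and the verifier matches, else None."""
        entry = self._codes.pop(code, None)  # single use: removed on first attempt
        if entry is None:
            return None
        challenge, user_id, expiry = entry
        if time.time() > expiry:
            return None
        expected = b64url(hashlib.sha256(verifier.encode()).digest())
        return user_id if hmac.compare_digest(expected, challenge) else None

def demo():
    server = ToyAuthServer()
    verifier, challenge = make_pkce_pair()
    # SSO object shaped like the proposal; the ID is a constructed sample.
    sso = {"userId": "user-123-sample", "role": "admin",
           "code": server.issue_code("user-123-sample", challenge)}
    first = server.redeem(sso["code"], verifier)    # app that started the flow
    replay = server.redeem(sso["code"], verifier)   # same code presented again
    other_verifier, _ = make_pkce_pair()            # party without the verifier
    fresh_code = server.issue_code("user-123-sample", challenge)
    mismatch = server.redeem(fresh_code, other_verifier)
    return first, replay, mismatch

if __name__ == "__main__":
    print(demo())
```

The `userId` field alone is just a claim the receiving app cannot check; the session should be created from what the server returns when the code is redeemed.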
Donald Moore
James Wagoner This is pretty much done with the userId in the token response. There might be a few more steps taken to get the userinfo endpoint working, but it's completely possible to do this today.
Donald Moore this is possible now? I'm trying to get clarity on this. I thought we got location but not user id?
Donald Moore
It could also be a "Log in with LeadConnector" button for those who are white-labelling.