When a User logs in with a Marketplace App, the response that we get back from the API when exchanging the authorization_code for a token should have the User's information on it.
Without a UserInfo endpoint, there is no way to allow the user to log in with LeadConnector/HighLevel; instead, you have to authenticate the user first with a separate provider and then add a Location or a Company as a separate entity apart from the user who is logging in.
There's no way to log into a Marketplace App without the UserInfo endpoint, as it's not a User who is logging in without it.
The Marketplace App provider is forced to authenticate the user in another way before allowing them to log in, which just wreaks all sorts of havoc when it comes to getting signups and managing APIs.
The Location/Company "UserType" doesn't have an email address or a password. It's not a true user, which makes the Marketplace App a bit like "Frankenware" * 🧟‍♂️. When the user's session is invalidated, the only way they can get back in is to reauthenticate them with a separate provider.
TL;DR: It's just too many steps, and it means the OAuth flow doesn't follow the standard OpenID specs **.
Reference:
** OpenID Specs on the UserInfo endpoint, https://openid.net/specs/openid-connect-core-1_0.html#UserInfo