OAuth 2 FAQ
This article will cover:
- What does the flow look like from the Advocate point of view?
- Do Join URL/Codes work with OAuth 2?
- How do invites work with SSO?
- Things To Think About If Implementing SSO On An Active Hub
- Can I have some Advocates use OAuth 2 SSO but others use the traditional method of login?
- Where are the 'Terms and Conditions' housed when using SSO?
- How does the Maven app work with SSO?
What does the flow look like from the Advocate point of view?
Using OAuth 2 Single Sign On
- Navigate to the AdvocateHub URL
- They will immediately be redirected to the login screen you have configured as the login point for your Advocates
- Advocate enters the AdvocateHub
Note: If an Advocate is already a member of another AdvocateHub with the same email address, there is one additional step in the flow. After they successfully enter their credentials into the customer portal, they will see a message like the one below:
An email containing a link will be sent to the Advocate. Once they click the link, they will be brought back to the login screen to enter their credentials once more before gaining access to the AdvocateHub.
Here is a visual walkthrough of the flow the Advocate will experience:
Using OAuth Dual Login
The flow for the advocate is as follows:
- Navigate to the AdvocateHub URL
- They will be brought to the AdvocateHub Sign In page. There they can either log in through Single Sign-On or click "Click here to Sign In" to reveal the regular login form, where they can enter their email and password to access the AdvocateHub:
Do Join URL/Codes work with OAuth 2?
Yes. You can use these exactly as you would normally expect with the AdvocateHub. Read more on join URLs here
How do invites work with OAuth 2?
Important Note about Nominees and SSO
If you have a Nominee in your AdvocateHub and this user then tries to sign up to the AdvocateHub using a join URL or by navigating directly to the AdvocateHub, they will experience permissions issues. Currently, the only way to 'upgrade' a Nominee to an Advocate is to send them an invite directly from the AdvocateHub. They will then need to click the link contained in the invitation to gain access to the AdvocateHub as an Advocate.
To explore other options for segmenting your Advocates, check out this article.
Things to think about if implementing OAuth 2 on an active Hub
In this case I try to access the hub and am directed to your product or platform to complete the login process. I enter firstname.lastname@example.org and my password and enter the hub successfully, but I will now have a brand new account set up, because the AdvocateHub did not have the email address email@example.com present; it was looking for firstname.lastname@example.org.
What can you do to prepare for this?
Can I have some Advocates use OAuth 2 SSO but others use the traditional method of login?
Yes. With OAuth 2 you can choose to enable Dual Sign-On, which allows your Advocates to choose whether to log in through Single Sign-On or with the traditional email/password method. This may be helpful if you have Employees and Customers in your program and you would like your employees to use Single Sign-On to log in but your customers to use their email and password.
This is what will greet the Advocate when they navigate to your AdvocateHub if you have Dual Sign-On enabled:
To find out how to switch between Single Sign-On and Dual Sign-On, have a look at our Configuring OAuth 2 article.
Where are the 'Terms and Conditions' housed when using OAuth 2?
You can set the Terms & Conditions under Settings > Advocate Program > Sign-In. Simply enter your desired Terms & Conditions and toggle 'on'.