Customers of MembershipWorks can now use OAuth 2 Single Sign On to allow members to sign in to other applications through MembershipWorks. A common use for this feature would be to enable members to sign in to a forum or Learning Management System (LMS) application through the MembershipWorks sign in.
The third-party application will need to support the industry-standard OAuth 2 Authorization Code Grant protocol. MembershipWorks will act as the authorization server and the application would be the client application.
To configure a new OAuth 2 app access in MembershipWorks:
- Go to Organization Settings > Apps
- Click on “Add App”
- Enter an App Name so you can identify what app you are using this for
- Provide the OAuth Redirect URL (this should be given to you by the third-party application)
- Enable “Disable SSO if member is past due” if you want to block members from signing in to the other application if their membership is past due
- Click Create
- Copy down the Client ID, Client Secret, Token Endpoint and User Info Endpoint. In particular the Client Secret is only available right after step 5 so make sure to copy it down carefully.
The Client ID, Client Secret, Authorization Endpoint, Token Endpoint and User Info Endpoint will all be required by the third-party application to implement SSO. The Authorization Endpoint will be the URL of the member login page on your website – i.e. the page where you’ve placed the MembershipWorks “Member Sign In and Manage Account” shortcode or snippet. Note that this page should not have a memberonly shortcode/snippet as well.
Once the third-party application is set up, when members need to log in to that application they will be directed to the member login page on your website. If the member is not already logged in, they will be prompted to log in. Once they are logged in, MembershipWorks will provide the authentication token to the third-party application that will allow it to look up the member’s info via the User Info endpoint.
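The client application's side of the sign-in described above, as an added example (not MembershipWorks code or any particular application's code). It assumes the standard RFC 6749 parameter names and that the client credentials are sent in the token request body; all URLs and credentials are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders (assumptions): substitute the values from Organization Settings > Apps.
AUTHORIZATION_ENDPOINT = "https://example.org/member-login/"  # your member login page
REDIRECT_URI = "https://forum.example.org/oauth/callback"     # the OAuth Redirect URL you registered
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"  # keep server-side, never in browser code


def begin_login(session: dict) -> str:
    """Build the URL that sends the member's browser to the Authorization Endpoint."""
    # A fresh random state ties the eventual callback to this browser session.
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": session["oauth_state"],
    })
    separator = "&" if urlsplit(AUTHORIZATION_ENDPOINT).query else "?"
    return AUTHORIZATION_ENDPOINT + separator + query


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back to the client and build the token request form."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", "")  # single use: a replayed callback fails
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    # POST this form from the server to the Token Endpoint, then call the
    # User Info Endpoint with the returned token.
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in begin_login
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
```
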
The User Info endpoint is capable of providing the following information:
- account_id – member’s MembershipWorks account ID
- email – email address field
- name – account name field
- contact_name – contact name field (if applicable)
- organization_name – organization name field (if applicable)
- phone – phone field (if applicable)
- mobile – mobile field (if applicable)
- fax – fax field (if applicable)
- website – website field (if applicable)
The User Info endpoint also provides information on address, membership level, membership add-ons, membership expiration date, labels, folders and card image URLs. However, these are more complex objects that may not be utilized by the third-party application. Typically, most third-party applications can only utilize basic data such as email and name.
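How a client application might consume the basic fields listed above, as an added example (not MembershipWorks code). It assumes the User Info response is a flat JSON object with string values under those field names; the sample responses are constructed. Local accounts are keyed on account_id rather than email, so a member who changes their email address keeps the same local account.

```python
import json

# Field names come from the list above; those marked "(if applicable)" are optional.
ALWAYS_PRESENT = ("account_id", "email", "name")
IF_APPLICABLE = ("contact_name", "organization_name", "phone", "mobile", "fax", "website")


def parse_user_info(body: bytes) -> dict:
    """Extract the basic fields, ignoring the complex objects the client cannot use."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("user info response is not a JSON object")
    profile = {}
    for key in ALWAYS_PRESENT:
        value = data.get(key)
        if not isinstance(value, str) or not value.strip():
            raise ValueError("user info response is missing " + key)
        profile[key] = value.strip()
    for key in IF_APPLICABLE:
        value = data.get(key)
        if isinstance(value, str) and value.strip():
            profile[key] = value.strip()
    return profile


def upsert_local_user(users: dict, profile: dict) -> dict:
    """Create or refresh the local account for this member on each sign-in."""
    # Keyed on the stable account ID, not on email, which the member can change.
    user = users.setdefault(profile["account_id"], {"local_roles": []})
    # Replace the synced profile wholesale so fields removed upstream do not linger.
    user["profile"] = profile
    return user
```
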
Note that due to the technical nature of the task, you may need to enlist a developer to help set up and test the OAuth 2 connection between MembershipWorks and the application.
FAQs
Does Single Sign On mean that members can sign in with Google or Facebook?
At this time this is not possible. To allow members to sign in with Google or Facebook would mean Google or Facebook is the authorization server while MembershipWorks is the client. At this time MembershipWorks can only function as the OAuth 2 authorization server – i.e. other applications can allow users to “sign in with MembershipWorks” but not vice versa.
Does this allow members to log into another application to access their MembershipWorks account?
At this time MembershipWorks can only function as the OAuth 2 authorization server. Therefore it is not possible to have another application authorize members to access their MembershipWorks account.
Does this relate to the MembershipWorks Login Connector Plugin?
Customers who are currently using the MembershipWorks Login Connector plugin may continue to do so. However you could use a third-party OAuth 2 Single Sign On plugin instead that may provide additional customizability to meet your specific requirements, as the MembershipWorks OAuth 2 User Info endpoint does provide access to more user data. However keep in mind that although the User Info endpoint does provide more data (such as membership level and labels), your other plugins may not have a way to utilize that data. For example, you may wish to enable access to different forum categories by labels, but your forum plugin may not have a feature that would differentiate access that way. Therefore please consult with your developer on whether the OAuth 2 Single Sign On method will better meet your needs.
How do I know if an application uses OAuth 2?
You will need to reference the documentation for that application or contact its developer. Do make sure to check whether the application supports OAuth 2 as the authorization server or the client. Many applications can either function as the authorization server or as the client, but not the other. Note that MembershipWorks will only function as the authorization server, so the third-party application would need to be the client.