Lars Vierbergen 75fddbbc63 Require new version of vierbergenlars/authserver-external-account-bundle 7 years ago

readme.md

Authserver: OAuth account plugin

This Authserver plugin provides external authentication with OAuth services. All services supported by the HWIOAuthBundle can be used, including custom providers that are not shipped with the HWIOAuthBundle.

Installation

```sh
./plugin.sh install vierbergenlars/authserver-oauth-account-bundle
```

For more details, see the Authserver plugin documentation.

Configuration

You can configure the bundle in the authserver app/config/parameters.yml file.

Add a new array key under oauth.resource_owners for each OAuth service that you want to support. The name of a service is arbitrary and is not used to derive the type of service.

For each service, the config and the service_name properties are required.

```yaml
oauth:
    resource_owners:

        # Prototype
        name:
            config:               [] # Required, HWIOAuthBundle resource owner configuration
            service_name:         ~ # Required
            icon:                 null
            trust_email_verification: false
            login_button:
                label:                null
                style:                default
                icon:                 null
            connect_button:
                label:                null
                style:                default
                icon:                 null
```

config is passed straight through to HWIOAuthBundle, which uses it as the resource owner configuration. Constraints on this configuration are handled and processed by the HWIOAuthBundle, so a mistake in it produces an error message whose reported configuration path does not match the path in this bundle's configuration.

service_name is the friendly name of the service that will be shown to users in the interface.

icon is the FontAwesome icon name to use for the service. If left blank, no icon will be shown.

trust_email_verification determines whether email addresses provided by the OAuth provider are automatically marked as verified when they are used during registration. If true, no verification email is sent and the email address is marked as verified on registration. If false, a verification email is sent to the user before the email address is considered verified.

login_button and connect_button can be used to further tweak the looks of the login button and of the connect button on the user profile. label specifies the text shown on the button; it defaults to $service_name Login and Connect with $service_name respectively. style specifies the bootstrap style to use for the button (the class name btn-$style is used). Without custom css, its value must be one of default, primary, success, info, warning, danger. icon is the FontAwesome icon name to use for the button; it defaults to the icon configured on the service itself.

Registration

Registration with an OAuth account is disabled by default and has to be enabled separately.

```yaml
oauth:
    registration:
        enabled:              false
        display_name:         prefill # One of "prefill"; "blank"; "force"
        email:                prefill # One of "prefill"; "blank"; "force"
        password:             hidden # One of "blank"; "hidden"; "force-disable"
```

When enabled, a logged-out user who logs in with an external account that is not linked to an existing account is redirected to the registration page.

The Name and Email fields are prefilled with information received from the external account provider, but remain editable by the user (prefill). It is also possible not to prefill the information (blank) or to force this information to be taken from the provider (force).

The Password fields are hidden by default (hidden). Since the user already has a means to log in, the registration form does not ask to set an account password. The user is still able to set a password afterwards from their profile page. To require a password to be set anyway, use blank. To completely disable password authentication, including the ability to set a password from the profile page, use force-disable. The password state is saved on the account in the Password enabled field and can be edited by administrators.

Prefilling email addresses during registration

An email address can only be prefilled when it is available from the external account provider; otherwise the field is left blank. If a property mapped to email is available when logging in to register a new account, the email address is automatically filled into the form.

When trust_email_verification is enabled on a resource owner and the user does not modify the prefilled email address, it will immediately be marked as verified.

Email rules and registration rules still apply to an email address provided by the resource owner. If the email rules configuration rejects the email address, or the registration rules do not allow that email address to self-register, the email address received from the resource owner is not filled into the form.
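The two behaviours described above (the required keys and allowed button styles of a resource owner entry in the Configuration section, and the rule that a provider-supplied email address is only marked verified when trust_email_verification is on and the user left the prefilled value untouched) can be checked with a small model. The following Python is an added example, not code from this bundle or from Authserver: the function names, the sample configuration and the `email_allowed` callback that stands in for the email rules and registration rules are assumptions made for illustration.

```python
"""Model of oauth.resource_owners validation and of the email-verification
decision at registration, as described in this README.

Added example, not code from authserver-oauth-account-bundle. Function names
and the sample configuration below are constructed for illustration."""

# Bootstrap button styles usable without custom css (from the README).
ALLOWED_STYLES = {"default", "primary", "success", "info", "warning", "danger"}


def validate_resource_owners(oauth_config):
    """Return a list of error strings for the oauth.resource_owners section.

    Rules mirrored from the README: config and service_name are required,
    trust_email_verification is a boolean, and a button style outside
    ALLOWED_STYLES needs custom css (flagged so it is not overlooked)."""
    errors = []
    owners = oauth_config.get("resource_owners") or {}
    if not owners:
        errors.append("oauth.resource_owners: at least one service is expected")
    for name, owner in owners.items():
        # The prototype default [] is an empty value, so it counts as missing.
        if not owner.get("config"):
            errors.append(f"{name}.config: required (HWIOAuthBundle resource owner configuration)")
        if not owner.get("service_name"):
            errors.append(f"{name}.service_name: required")
        if not isinstance(owner.get("trust_email_verification", False), bool):
            errors.append(f"{name}.trust_email_verification: must be a boolean")
        for button in ("login_button", "connect_button"):
            style = (owner.get(button) or {}).get("style", "default")
            if style not in ALLOWED_STYLES:
                errors.append(f"{name}.{button}.style: '{style}' requires custom css")
    return errors


def decide_email_verification(owner, provider_email, submitted_email,
                              email_allowed=lambda email: True):
    """Decide how the email on a new registration starts out.

    - The provider email is only prefilled when the email rules and the
      registration rules accept it (email_allowed is an assumed stand-in for
      both); otherwise the field starts blank.
    - The address is marked verified only when the resource owner has
      trust_email_verification: true AND the user kept the prefilled value;
      an address the user typed or edited always goes through verification.
    Returns (prefilled_email, verified)."""
    prefilled = provider_email if provider_email and email_allowed(provider_email) else None
    trusted = bool(owner.get("trust_email_verification", False))
    # Strict comparison: any edit by the user drops the provider's assurance.
    unchanged = prefilled is not None and submitted_email == prefilled
    return prefilled, trusted and unchanged


# Constructed sample configuration; "broken" deliberately violates the rules.
SAMPLE_OAUTH = {
    "resource_owners": {
        "fb": {
            "config": {"type": "facebook", "client_id": "CLIENT_ID_PLACEHOLDER",
                       "client_secret": "CLIENT_SECRET_PLACEHOLDER", "scope": "email"},
            "trust_email_verification": True,
            "service_name": "Facebook",
            "icon": "facebook-official",
        },
        "broken": {"config": [], "login_button": {"style": "fancy"}},
    },
}


if __name__ == "__main__":
    for err in validate_resource_owners(SAMPLE_OAUTH):
        print("config error:", err)
    fb = SAMPLE_OAUTH["resource_owners"]["fb"]
    print(decide_email_verification(fb, "alice@example.com", "alice@example.com"))
    print(decide_email_verification(fb, "alice@example.com", "alice@other.example"))
    blocked = lambda email: not email.endswith("@example.com")
    print(decide_email_verification(fb, "alice@example.com", "alice@example.com", blocked))
```

The validator deliberately treats the prototype default of `config: []` as missing, because the README marks the key as required; running it against a real parameters.yml (parsed with any YAML loader into a dict) gives the same results as the constructed sample.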

Example

```yaml
oauth:
    resource_owners:
        fb:
            config:
                type: facebook
                client_id: xxxxxxxxxxxx
                client_secret: xxxxxxxxxxx
                scope: email
                infos_url:     "https://graph.facebook.com/me?fields=id,name,email,picture.type(square)"
                paths:
                    email:          email
                    profilepicture: picture.data.url
            trust_email_verification: true
            service_name: 'Facebook'
            icon: facebook-official
    registration: true
```