# Authserver: OAuth account plugin
This [Authserver](https://github.com/vierbergenlars/authserver) plugin provides external authentication with OAuth services.
All services supported by the [HWIOAuthBundle](https://github.com/hwi/HWIOAuthBundle/blob/master/Resources/doc/2-configuring_resource_owners.md) can be used,
including custom providers that are not available in the HWIOAuthBundle.
## Installation
`./plugin.sh install vierbergenlars/authserver-oauth-account-bundle`
For more details, see the [Authserver plugin documentation](https://github.com/vierbergenlars/authserver/blob/master/documentation/plugins.md).
## Configuration
You can configure the bundle in the authserver `app/config/parameters.yml` file.
Add a new array key under `oauth.resource_owners` for each OAuth service that you want to support.
The name of a service is arbitrary and is not used to derive the type of service.
For each service, the `config` and the `service_name` properties are required.
```yaml
oauth:
    resource_owners:
        # Prototype
        name:
            config: [] # Required, HWIOauthBundle resource owner configuration
            service_name: ~ # Required
            icon: null
            trust_email_verification: false
            login_button:
                label: null
                style: default
                icon: null
            connect_button:
                label: null
                style: default
                icon: null
```
`config` is passed straight through to HWIOAuthBundle, where it is used as the resource owner configuration.
Constraints on this configuration are checked by HWIOAuthBundle itself, so an error in this block is reported
with an error path that does not match its location in this file.
`service_name` is the friendly name of the service that will be shown to users in the interface.
`icon` is the [FontAwesome](http://fontawesome.io/icons/) icon name to use for the service. If left blank, no icon will be shown.
`trust_email_verification` determines whether email addresses provided by the OAuth provider are automatically marked as verified when they are used during registration. If true, no verification email is sent and the email address is marked as verified on registration. If false, a verification email is sent to the user before the email address is considered verified.
`login_button` and `connect_button` can be used to further tweak the looks of the login button and the connect button on the user profile.
`label` specifies the text shown on the button. (Defaults to `$service_name Login` and `Connect with $service_name`)
`style` specifies the bootstrap style to use for the button (class name `btn-$style` is used). Without custom css, its value must be one of `default`, `primary`, `success`, `info`, `warning`, `danger`.
`icon` is the FontAwesome icon name to use for the button. It defaults to the `icon` configured on the service itself.
### Registration
Registration with an OAuth account is disabled by default and has to be enabled separately.
```yaml
oauth:
    registration:
        enabled: false
        display_name: prefill # One of "prefill"; "blank"; "force"
        email: prefill # One of "prefill"; "blank"; "force"
        password: hidden # One of "blank"; "hidden"; "force-disable"
```
When enabled, and a logged-out user logs in with an external account that is not linked to an existing account,
they will be redirected to the registration page.
The Name and Email fields are prefilled with information received from the external account provider, but remain editable by the user (`prefill`).
It is also possible not to prefill the information (`blank`) or to force this information to be filled from the provider (`force`).
The Password fields are hidden by default (`hidden`). Since the user already has a means to log in, the registration form will not ask to set an account password.
The user is still able to set their password afterwards from their profile page.
To require a password to be set anyway, use `blank`. To completely disable password authentication, including the ability to set a password from the profile page, use `force-disable`.
The password state is saved on the account in the `Password enabled` field and can be edited by administrators.
#### Prefilling email addresses during registration
An email address can only be prefilled when it is available from the external account provider, else it will be left blank.
If a property mapped to `email` is available when logging in to register a new account,
the email address is automatically filled into the form.
When `trust_email_verification` is enabled on a resource owner and the user does not modify the prefilled email address,
it will immediately be marked as verified.
Email rules and registration rules still apply to the email address when provided by the resource owner.
If the email rules configuration rejects the email address, or the registration rules do not allow the mail address to self-register,
the email address received from the resource owner will not be filled in the form.
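The prefill and verification rules above, written out as decision logic. This is an added illustration, not code from the authserver-oauth-account-bundle; the email-rule and registration-rule callables, the `ResourceOwner` and `EmailField` types and the example rules are assumptions standing in for Authserver's own rule sets.

```python
"""Email prefill / trust decision during OAuth registration (added illustration,
not the plugin's own code). Rule callables are constructed stand-ins."""
from dataclasses import dataclass
from typing import Callable, Optional

Rule = Callable[[str], bool]


@dataclass(frozen=True)
class ResourceOwner:
    service_name: str
    trust_email_verification: bool = False  # same meaning as the parameters.yml key


@dataclass(frozen=True)
class EmailField:
    value: Optional[str]   # text placed in the form; None means the field is left blank
    editable: bool         # False under the "force" registration mode
    trusted: bool          # may be marked verified without sending a verification mail


def prefill_email(owner: ResourceOwner, mode: str, provider_email: Optional[str],
                  email_rule: Rule, registration_rule: Rule) -> EmailField:
    """mode is the oauth.registration.email setting: prefill, blank or force."""
    if mode not in ("prefill", "blank", "force"):
        raise ValueError(f"unknown registration email mode: {mode!r}")
    editable = mode != "force"
    # Nothing to prefill when the provider supplied no address or prefilling is off.
    if mode == "blank" or not provider_email:
        return EmailField(None, editable, False)
    # Email rules and registration rules still apply to a provider-supplied address.
    if not (email_rule(provider_email) and registration_rule(provider_email)):
        return EmailField(None, editable, False)
    return EmailField(provider_email, editable, owner.trust_email_verification)


def verified_on_registration(field: EmailField, submitted_email: str) -> bool:
    """True when no verification mail is needed: the address came from a resource
    owner with trust_email_verification enabled and the user did not modify it."""
    if field.value is None or not field.trusted:
        return False
    if not field.editable:
        return True  # "force": the user cannot change the prefilled address
    return submitted_email == field.value


# Constructed example rules (assumptions, not Authserver's real configuration):
# the email rules accept one domain, the registration rules block one address.
def example_email_rule(email: str) -> bool:
    return email.lower().endswith("@example.org")


def example_registration_rule(email: str) -> bool:
    return email.lower() != "admin@example.org"
```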
### Example
```yaml
oauth:
    resource_owners:
        fb:
            config:
                type: facebook
                client_id: xxxxxxxxxxxx
                client_secret: xxxxxxxxxxx
                scope: email
                infos_url: "https://graph.facebook.com/me?fields=id,name,email,picture.type(square)"
                paths:
                    email: email
                    profilepicture: picture.data.url
            trust_email_verification: true
            service_name: 'Facebook'
            icon: facebook-official
    registration: true
```