This repo is archived. You can view files and clone it, but cannot push or open issues/pull-requests.
# Authserver: OAuth account plugin
This [Authserver](https://github.com/vierbergenlars/authserver) plugin provides external authentication with OAuth services.
All services supported by the [HWIOAuthBundle](https://github.com/hwi/HWIOAuthBundle/blob/master/Resources/doc/2-configuring_resource_owners.md) can be used,
including custom providers that are not available in the HWIOAuthBundle.
## Installation
`./plugin.sh install vierbergenlars/authserver-oauth-account-bundle`
For more details, see the [Authserver plugin documentation](https://github.com/vierbergenlars/authserver/blob/master/documentation/plugins.md).
## Configuration
You can configure the bundle in the authserver `app/config/parameters.yml` file.
Add a new array key under `oauth.resource_owners` for each OAuth service that you want to support.
The name of a service is arbitrary and is not used to derive the type of service.
For each service, the `config` and the `service_name` properties are required.
```
oauth:
    resource_owners:
        # Prototype
        name:
            config: [] # Required, HWIOauthBundle resource owner configuration
            service_name: ~ # Required
            icon: null
            trust_email_verification: false
            login_button:
                label: null
                style: default
                icon: null
            connect_button:
                label: null
                style: default
                icon: null
```
`config` is passed straight through to HWIOAuthBundle, and is used there as resource owner configuration.
Constraints on this configuration are handled and processed by the HWIOAuthBundle, so errors in this configuration result
in a message with the wrong error path specified.
`service_name` is the friendly name of the service that will be shown to users in the interface.
`icon` is the [FontAwesome](http://fontawesome.io/icons/) icon name to use for the service. If left blank, no icon will be shown.
`trust_email_verification` determines whether email addresses provided by the OAuth provider will be automatically marked as verified when they are used during registration. If true, no verification email will be sent, and the email address will be marked as verified on registration. If false, a verification email will be sent to the user before the email address is considered verified.
`login_button` and `connect_button` can be used to further tweak the looks of the login button and the connect button on the user profile.
`label` specifies the text shown on the button. (Defaults to `$service_name Login` and `Connect with $service_name`)
`style` specifies the bootstrap style to use for the button (class name `btn-$style` is used). Without custom css, its value must be one of `default`, `primary`, `success`, `info`, `warning`, `danger`.
`icon` is the FontAwesome icon name to use for the button. It defaults to the icon configured for the service.
### Registration
When a logged-out user logs in with an external account that is not linked to an existing account,
they will be redirected to the registration page.
Since the user already has a means to log in, the registration form will not ask to set an account password.
However, the user is still able to set their password afterwards from their profile page.
#### Prefilling email addresses during registration
If there is a property mapped to `email` available when logging in to register a new account,
the email address is automatically filled into the form.
When `trust_email_verification` is enabled on a resource owner and the user does not modify the prefilled email address,
it will immediately be marked as verified.
Email rules and registration rules still apply to the email address when provided by the resource owner.
If the email rules configuration rejects the email address, or the registration rules do not allow the mail address to self-register,
the email address received from the resource owner will not be filled in the form.
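The prefill and trust rules above, written out as a small decision model. This is an added illustration, not code from the plugin: the function name, the sample resource owners, the `allow_example_org` rule and the exact-string comparison of the submitted address are all assumptions.

```python
from typing import Callable, NamedTuple, Optional


class EmailOutcome(NamedTuple):
    prefilled: Optional[str]  # address placed in the registration form, if any
    verified: bool            # marked verified at registration, no mail sent


def registration_email(owner: dict, provider_email: Optional[str],
                       submitted_email: str,
                       rules_allow: Callable[[str], bool]) -> EmailOutcome:
    """Model of the documented prefill/trust behaviour (illustrative only)."""
    # Prefill only if the resource owner returned a value mapped to `email`
    # and the email rules and registration rules accept it.
    prefilled = None
    if provider_email and rules_allow(provider_email):
        prefilled = provider_email
    # The prototype default for trust_email_verification is false.
    trusted = owner.get("trust_email_verification", False) is True
    # Verified immediately only when trusted AND the user kept the prefilled
    # value. Exact string comparison is an assumption of this sketch.
    verified = trusted and prefilled is not None and submitted_email == prefilled
    return EmailOutcome(prefilled, verified)


# Constructed sample data: two resource owners and a hypothetical rule set
# that only lets example.org addresses self-register.
OWNERS = {
    "fb": {"service_name": "Facebook", "trust_email_verification": True},
    "other": {"service_name": "Other"},  # trust flag left at its default
}


def allow_example_org(address: str) -> bool:
    return address.lower().endswith("@example.org")


if __name__ == "__main__":
    cases = [
        ("fb", "alice@example.org", "alice@example.org"),   # kept prefilled value
        ("fb", "alice@example.org", "other@example.org"),   # user edited the field
        ("fb", "bob@rejected.test", "bob@rejected.test"),   # rules reject: no prefill
        ("other", "carol@example.org", "carol@example.org"),  # trust disabled
    ]
    for name, provided, submitted in cases:
        print(name, registration_email(OWNERS[name], provided, submitted,
                                       allow_example_org))
```

In the third case the rules reject the provider's address, so nothing is prefilled and the trust flag cannot mark the address as verified, even though the user typed the same value.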
### Example
```
oauth:
    resource_owners:
        fb:
            config:
                type: facebook
                client_id: xxxxxxxxxxxx
                client_secret: xxxxxxxxxxx
                scope: email
                infos_url: "https://graph.facebook.com/me?fields=id,name,email,picture.type(square)"
                paths:
                    email: email
                    profilepicture: picture.data.url
            trust_email_verification: true
            service_name: 'Facebook'
            icon: facebook-official
```