Skip to content

Incompatible alternative to UF account system. Offloads login to Open ID Connect (OAuth 2) server(s) of your choice. WIP

License

Notifications You must be signed in to change notification settings

Silic0nS0ldier/UF_OIDCAccount

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

UF_OIDCAccount

Alternative to UF account system. Offloads login to identity provider supporting OAuth 2 and Open ID Connect of your choice.

  • Evolutions of UF features
    • More readable classMapper alternative.
    $user = $container->dbModel->User::find(32);
    $newUser = new $container->dbModel->User([
        'detail1' => 'hello'
    ]);
    • Debuggable authentication system.
      The built in account system in UF uses eval to execute permission callbacks. As eval is largely sandboxed, crashes can cause irregular behaviour and cannot be logged. To resolve this issue, the 'permissions' table has a 'callback' and 'values' column.
    [
        {
            "default": "value",
            "_name": "field_name"
        },
        "value",
        {
            "_name": "field_name"
        }
    ]
    _name is used to reduce likelihood of property name conflicts.

Notes

  • identity-providers.json syntax
[
    {
        "name": "Microsoft",
        "alias": "ms",
        "icon": "local/images/microsoft-oidc-icon.png",
        "uri": {
            "base": "https://login.microsoftonline.com/{tenant}/",
            "api": [
                {
                    "name": "graph",
                    "uri": "https://graph.microsoft.com/v1.0/"
                }
            ]
        },
        "client_id": "",
        "cache_expires": 60
    }
]
  • name - Name of the service provider, for use on site.

  • alias - A PHP friendly alias that will be used to reference provider within code, database and cache. MUST be unique, and MUST never be changed once in use.

  • icon - Path to an icon representing the identity provider.

  • uri - URIs used with provider.

    • base - Base URI used by the identity provider. From this URI, configuration information is automatically downloaded and cached for later use. Man-in-the-middle attacks are covered via inspection of returned uris, not that this should be possible on a HTTPS connection. (this is me saying use HTTPS, for everyones sake)
    • api - An array of APIs that can be directly used via the authentication the identity provider supplies.
      • name - A name for use in code. As with alias, this should be PHP friendly, as it intended for use in code.
      • uri - URI for API.
  • client_id - Identifier provided by identity provider during application registration.

  • cache_expires - Optional. Specifies number of days before cached configuration data must be fetched from identity provider again.

  • JWT may need to be decoded, and have signing checked.

  • aud === client_id

  • a 'code' response_type must be used to give the server a key to access the server with, that should be exchanged with something that lasts longer immeditely

  • id_token should have a header with the 'kid', the id of the key used to encrypt, and 'alg', the algorithm used. At least if encrypted.

  • Goal is for RSA256 support only initally

About

Incompatible alternative to UF account system. Offloads login to Open ID Connect (OAuth 2) server(s) of your choice. WIP

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages