From 0afea78d0a7dfa7d4b8b7ae05252bc56c397ac29 Mon Sep 17 00:00:00 2001 From: Tinko Vialard <41490684+TinQ0@users.noreply.github.com> Date: Sat, 8 Jun 2024 18:46:59 +0200 Subject: [PATCH 1/5] docs: add info about additional arguments for providers to README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a0e4bd7..aa6eefa 100755 --- a/README.md +++ b/README.md @@ -80,15 +80,19 @@ return [ The `thathoff.oauth.providers` array is a list of all configured OAuth Providers with a unique key for each entry. Each array entry is used as the configuration option to a new OAauth Provider Class instance so all options which are documented for the selected OAuth Provider class are available. +For example adding `'hostedDomain' => 'example.com'` in your google provider options will restrict users to an `@example.com` google account, as documented [here](https://github.com/thephpleague/oauth2-google). + + Additionally the two properties `name` and `class` are supported to supply a display name for the login screen and the Provider class to use when you don’t want to use the `GenericProvider`. ```php //... 'providers' => [ 'google' => [ - 'class' => "League\OAuth2\Client\Provider\Google", // use special google class from league/oauth2-google + 'class' => "League\OAuth2\Client\Provider\Google", // Use special google class from league/oauth2-google 'clientId' => 'somerandomstring.apps.googleusercontent.com', 'clientSecret' => 'clientsecret', + 'hostedDomain' => 'example.com' // Restrict users to an `@example.com` google account (optional) 'icon' => 'users' // Pick any default Kirby icon for the login button (optional) ], 'custom' => [ From 2c416226dcda6e73a43292e5beacb5c9cbf0a44b Mon Sep 17 00:00:00 2001 From: Olivier Date: Wed, 29 Jan 2025 10:04:37 +0100 Subject: [PATCH 2/5] feat: add scope option support for OIDC providers config --- README.md | 9 +++++---- lib/Provider.php | 8 ++++++++ plugin/options.php | 3 ++- 3 files changed, 15 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index aa6eefa..ab87c59 100755 --- a/README.md +++ b/README.md @@ -100,18 +100,19 @@ Additionally the two properties `name` and `class` are supported to supply a dis 'name' => 'My Custom Provider' // The name is optional 'clientId' => 'demoapp', // The client ID assigned to you by the provider 'clientSecret' => 'demopass', // The client password assigned to you by the provider - 'redirectUri' => 'https://example.com/your-redirect-url/', + 'redirectUri' => 'https://kirby.example.com/your-redirect-url/', 'urlAuthorize' => 'https://example.com/oauth2/lockdin/authorize', 'urlAccessToken' => 'https://example.com/oauth2/lockdin/token', 'urlResourceOwnerDetails' => 'https://example.com/oauth2/lockdin/resource', - 'icon' => 'users' // Pick any default Kirby icon for the login button (optional) + 'icon' => 'users', // Pick any default Kirby icon for the login button (optional) + 'scope' => 'openid email profile' //specify the scope passed form the OIDC provider to kirby ], ``` ### Redirect URL -OAuth providers require you to supply a **redirect URL** when configuring an application. -Please use `https://example.com/oauth/login/PROVIDER_ID` where example.com is your domain and PROVIDER_ID is the key +OAuth providers require you to supply a **redirect URL** of your kirby instance when configuring an application. +Please use `https://kirby.example.com/oauth/login/PROVIDER_ID` where kirby.example.com is your domain and PROVIDER_ID is the key of the config option in config.php (in the previous config example `google` or `custom`). If you have installed Kirby in a subdirectory, remember to include the subdirectory in the URL. diff --git a/lib/Provider.php b/lib/Provider.php index fdd512c..7eda99a 100644 --- a/lib/Provider.php +++ b/lib/Provider.php @@ -9,6 +9,7 @@ class Provider private $provider = null; private $state = null; private $icon = null; + private $scope = null; private $getAuthorizationUrlOptions = null; public $data = []; @@ -25,6 +26,9 @@ public function __construct($id, array $config) $this->state = !empty($config['state']) ? $config['state'] : null; unset($config['state']); + $this->scope = !empty($config['scope']) ? $config['scope'] : null; + unset($config['scope']); + $class = "League\OAuth2\Client\Provider\GenericProvider"; if (!empty($config['class']) && class_exists($config['class'])) { $class = $config['class']; @@ -50,6 +54,10 @@ public function getAuthorizationUrl($options = null) $options['state'] = $this->state; } + if (!isset($options['scope']) && $this->scope) { + $options['scope'] = $this->scope; + } + return $this->__call("getAuthorizationUrl", [$options]); } diff --git a/plugin/options.php b/plugin/options.php index ded1a69..5ec3170 100644 --- a/plugin/options.php +++ b/plugin/options.php @@ -7,5 +7,6 @@ 'emailWhitelist' => null, 'onlyOauth' => null, 'onlyExistingUsers' => null, - 'allowEveryone' => null + 'allowEveryone' => null, + 'scope'=> null ]; From 37659661c569343f2d66987cdce6f00646264fc8 Mon Sep 17 00:00:00 2001 From: Luke Thienemann Date: Fri, 8 Mar 2024 11:51:33 +0100 Subject: [PATCH 3/5] feat: add plugin hooks before and after the kirby user gets logged in --- README.md | 27 +++++++++++++++++++++++++++ lib/Controller.php | 45 +++++++++++++++++++++++++++++++++------------ 2 files changed, 60 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index ab87c59..95800d7 100755 --- a/README.md +++ b/README.md @@ -129,3 +129,30 @@ By default only whitelisted users are allowed to login into the Kirby panel. **Default Role:** Newly created users get the role defined with `defaultRole` when they first login. The default is `admin`. Please note that when the user has ben created already the role will not be updated. You can set this role to `nobody` if you want to manually whitelist users by changing the role in the Kirby panel. **Only Existing User:** By setting `onlyExistingUsers` to true only created uses are able to login with an OAuth provider, no new users are created. + +### Use Hooks + +Before and after the KirbyUser gets created or logged in a hook is triggered. + +```php +/** + * @var \League\OAuth2\Client\Provider\ResourceOwnerInterface $oauthUser + * @var Kirby\Cms\User $user + */ + +'hooks' => [ + 'thathoff.oauth.user-create:before' => function ($oauthUser) { + // return null|true to use the plugins user-creation + // return a Kirby\Cms\User to overwrite the plugin user creation + }, + 'thathoff.oauth.user-create:after' => function ($oauthUser, $user) { + + }, + 'thathoff.oauth.login:before' => function ($oauthUser, $user) { + + }, + 'thathoff.oauth.login:after' => function ($oauthUser, $user) { + + } +] +``` diff --git a/lib/Controller.php b/lib/Controller.php index faf0ea7..af573fa 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -2,6 +2,7 @@ namespace Thathoff\Oauth; +use Kirby\Cms\User; use Kirby\Http\Header; use Kirby\Http\Uri; use League\OAuth2\Client\Provider\ResourceOwnerInterface; @@ -147,26 +148,46 @@ private function loginUser(ResourceOwnerInterface $oauthUser) } if (!$kirbyUser = $this->kirby->user($email)) { - $onlyExistingUsers = $this->kirby->option('thathoff.oauth.onlyExistingUsers', false); - if ($onlyExistingUsers) { - $this->error("User missing and creating users is disabled!"); + $createResult = $this->kirby->apply('thathoff.oauth.user-create:before', ['oauthUser' => $oauthUser, 'result' => null], 'result'); + $kirbyUser = null; + + if ($createResult instanceof User) { + $kirbyUser = $createResult; } - if (!$this->checkWhiteLists($email)) { - $this->error("Access denied for $email."); + if ($createResult === true || $createResult === null) { + + $onlyExistingUsers = $this->kirby->option('thathoff.oauth.onlyExistingUsers', false); + + if ($onlyExistingUsers) { + $this->error("User missing and creating users is disabled!"); + } + + if (!$this->checkWhiteLists($email)) { + $this->error("Access denied for $email."); + } + + $this->kirby->impersonate('kirby'); + $kirbyUser = $this->kirby->users()->create([ + 'name' => $name, + 'password' => bin2hex(random_bytes(32)), + 'email' => $email, + 'role' => $this->kirby->option('thathoff.oauth.defaultRole', 'admin'), + ]); } - $this->kirby->impersonate('kirby'); - $kirbyUser = $this->kirby->users()->create([ - 'name' => $name, - 'password' => bin2hex(random_bytes(32)), - 'email' => $email, - 'role' => $this->kirby->option('thathoff.oauth.defaultRole', 'admin'), - ]); + $this->kirby->trigger('thathoff.oauth.user-create:after', ['oauthUser' => $oauthUser, 'user' => $kirbyUser]); + + if(!$kirbyUser) { + $this->error("User cannot be created."); + } } + $this->kirby->trigger('thathoff.oauth.login:before', ['oauthUser' => $oauthUser, 'user' => $kirbyUser]); $kirbyUser->loginPasswordless(); + $this->kirby->trigger('thathoff.oauth.login:after', ['oauthUser' => $oauthUser, 'user' => $kirbyUser,]); + $this->goToPanel(); } From 7e2243843ed27a9efff4927c3eb05a1d86c5c14b Mon Sep 17 00:00:00 2001 From: Markus Denhoff Date: Wed, 29 Jan 2025 16:48:22 +0100 Subject: [PATCH 4/5] build: bump composer version to 3.2.0 --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index a62fb9f..b86b2fb 100755 --- a/composer.json +++ b/composer.json @@ -4,7 +4,7 @@ "homepage": "https://github.com/thathoff/kirby-oauth", "type": "kirby-plugin", "license": "MIT", - "version": "3.1.0", + "version": "3.2.0", "authors": [ { "name": "Markus Denhoff", From d61806cabdd1c73709fdc35c83b46072e6ddb00f Mon Sep 17 00:00:00 2001 From: Markus Denhoff Date: Thu, 30 Jan 2025 08:35:54 +0100 Subject: [PATCH 5/5] docs: fix some typos in README --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 95800d7..ecae183 100755 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Kirby OAuth 2.0 Plugin -![Screnshot of Kirby’s Login Screen with OAuth](/.github/screenshot.png?raw=true) +![Screenshot of Kirby’s Login Screen with OAuth](/.github/screenshot.png?raw=true) This plugin is an plugin to provide [OAuth 2.0](http://oauth.net/2/) support for panel authentication in [Kirby](https://getkirby.com). It uses the [PHP League’s OAuth 2 Client](https://oauth2-client.thephpleague.com/), so all [official](https://oauth2-client.thephpleague.com/providers/league/) and [third-party providers](https://oauth2-client.thephpleague.com/providers/thirdparty/) are supported. It’s even possible to [implement your own](https://oauth2-client.thephpleague.com/providers/implementing/). @@ -17,7 +17,8 @@ This plugin is an plugin to provide [OAuth 2.0](http://oauth.net/2/) support for Because of secondary dependencies for providers, **installation via composer is the only currently supported method**. ### Install the Plugin -``` + +```sh composer require thathoff/kirby-oauth ``` @@ -27,7 +28,7 @@ The Plugin uses [PHP League’s OAuth 2 Client](https://oauth2-client.thephpleag For example to install support for Google run: -``` +```sh composer require league/oauth2-google ``` @@ -78,11 +79,10 @@ return [ ### Provider Options -The `thathoff.oauth.providers` array is a list of all configured OAuth Providers with a unique key for each entry. Each array entry is used as the configuration option to a new OAauth Provider Class instance so all options which are documented for the selected OAuth Provider class are available. +The `thathoff.oauth.providers` array is a list of all configured OAuth Providers with a unique key for each entry. Each array entry is used as the configuration option to a new OAuth Provider Class instance so all options which are documented for the selected OAuth Provider class are available. For example adding `'hostedDomain' => 'example.com'` in your google provider options will restrict users to an `@example.com` google account, as documented [here](https://github.com/thephpleague/oauth2-google). - Additionally the two properties `name` and `class` are supported to supply a display name for the login screen and the Provider class to use when you don’t want to use the `GenericProvider`. ```php