PHP and WordPress Single Sign On (SSO) with optional JWT Addon

ctml

Ah ok, I think I recall running into an issue with installing the plugin and it was complaining about the package so I ended up forcing it somehow. I probably had it install the other versino. I've uninstalled everything and reinstalled, but this is the issue once I hit the sso plugin.

$composer require maicol07/flarum-sso-plugin
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Using version ^1.2 for maicol07/flarum-sso-plugin
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for maicol07/flarum-sso-plugin ^1.2 -> satisfiable by maicol07/flarum-sso-plugin[1.2].
    - maicol07/flarum-sso-plugin 1.2 requires flagrow/flarum-api-client 0.2.x-dev -> satisfiable by flagrow/flarum-api-client[0.2.x-dev] but these conflict with your requirements or minimum-stability.


Installation failed, reverting ./composer.json to its original content.

In my composer.json

    "minimum-stability": "beta",
    "prefer-stable": true

maicol07

ctml do you have flagrow/flarum-api-client in your composer.json?

Try to set minimum stability to Dev if you don't have it

ctml

No it was not in the composer.json. Changing to dev helped, but it looks like it is not installing your version still.

$ grep -i flarum-api-client composer.json
$ 
$ vi composer.json <- change to dev
$ composer require maicol07/flarum-sso-plugin
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Using version ^1.2 for maicol07/flarum-sso-plugin
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 4 installs, 0 updates, 0 removals
  - Installing flagrow/flarum-api-client (dev-master 08c300c): Cloning 08c300c469 from cache
  - Installing delight-im/http (v2.0.0): Loading from cache
  - Installing delight-im/cookie (v3.4.0): Loading from cache
  - Installing maicol07/flarum-sso-plugin (1.2): Loading from cache
Writing lock file
Generating autoload files
Carbon 1 is deprecated, see how to migrate to Carbon 2.
https://carbon.nesbot.com/docs/#api-carbon-2
    You can run './vendor/bin/upgrade-carbon' to get help in updating carbon and other frameworks and libraries that depend on it.
53 packages you are using are looking for funding.

And then when I check the api ext src.

vendor/flagrow/flarum-api-client/src/Flarum.php

    public function __construct($host, array $authorization = [])
    {
        $this->rest = new Guzzle([
            'base_uri' => "$host/api/",
            'headers' => $this->requestHeaders($authorization)
        ]);

        $this->fluent = new Fluent($this);

        static::$cache = new Cache(new ArrayStore);
    }

maicol07

ctml it seems that composer grabs the flagrow version...
Maybe try to add the following code to your composer.json:

"repositories": [
		{
			"type": "vcs",
			"url": "https://github.com/maicol07/flarum-api-client"
		}
	]

ctml

Thanks that worked! Getting very close now, I think I am on the home stretch 🙂 I've created a api token in the database manually and linked it to the admin account, however the token returns a 401 in the logs when performing sign on. The api_keys table entry consists of the key (40 char alpha numeric string generated from the tool in your docs), the id (1), and the user_id (also 1), and nothing more. In the instantiation of the object the password is set as a random string, nothing specific.

I am not sure if it was expected behaviour, but the login using the local admin no longer works, there are some login modal errors. That was when I did not have the login url set in the extension settings, I added that so it goes directly to my sites login page now. But I wasn't sure if that was indicative of another issue or expected.

"POST /api/token HTTP/1.1" 401 67 "-" "Flagrow Api Client"

 * @param string $url Flarum URL <- community.domain.com
 * @param string $root_domain Main site or SSO system domain <- domain.com
 * @param string $api_key Random key from the api_keys table of your Flarum forum <- generated api key as described above
 * @param string $password_token Random token to create passwords -> randomly entered string
 * @param int $lifetime How many days should the login be valid -> 30 days
 * @param bool $insecure Insecure mode (use only if you don't have an SSL certificate) -> true as I am testing locally
 * @param bool $set_groups_admins Set groups for admins. Set to false if you don't want to set groups to admins -> true, although I am not sure what this does yet

maicol07

ctml your method is correct. Do you get any errors in the request response?

ctml

Fairly generic, this ClientException is thrown from getToken

[message:protected] => Client error: `POST https://community.localhost:8080/api/token` resulted in a `401 Unauthorized` response:
{"errors":[{"status":"401","code":"not_authenticated"}]}

maicol07

ctml have you passed to the login method your username and password?
That error indicates that you are trying to login with incorrect credentials

ctml

maicol07

I thought you did not need to pass credentials, as the sso plugin would create the user / password if they were not registered in flarums DB? Really all I am passing is the admin API key / random string as I have no users yet,

$forum = new \Maicol07\SSO\Flarum('https://community.' . $_SERVER['HTTP_HOST'], 'https://' . $_SERVER['HTTP_HOST'], 'APIKEY', 'RANDOMSTRING', 14, true, true);
$forum->login($_SESSION['user'], $_SESSION['email']);

maicol07

ctml the extension creates a user with the username of the SSO system and an hash created from the password as a password.
You need these details to login the user

ctml

maicol07

The comments for the login method show to pass the plain text password if they were already signed up not using this extension. In my case I have no registered users, everything will be done through this plugin which is why I have omitted the password from the login call. The code for the plugin appears to create the password if not provided. The user is never created after calling login so I think the 401 is for attempting to fetch the user token, which if it is using the admin api key is not expected, but my api key is entered exactly as it is from the database.

/**
	 * Logs the user in Flarum. Generally, you should use this method when an user successfully log into
	 * your SSO system (or main website). If user is already signed up in Flarum database (not signed up with this
	 * extension) you need to pass plain user password as third parameter (for example Flarum admin)
	 * You can also set groups to your users with an array
	 *
	 * @param string $username
	 * @param string $email
	 * @param string|null $password
	 * @param array|null $groups
	 *
	 * @return string
	 */
        public function login(string $username, string $email, string $password = null, $groups = null)
	{
		if (empty($password)) {
			$password = $this->createPassword($username);
		}
		$token = $this->getToken($username, $password);
		// Backward compatibility: search for existing user
		try {
			$user = $this->api->users($username)->request();
			if (empty($token)) {
				$password = $this->createPassword($username);
				$token = $this->getToken($username, $password);
			}
		} catch (ClientException $e) {
			if ($e->getCode() == 404 and $e->getResponse()->getReasonPhrase() == "Not Found") {
				$signed_up = $this->signup($username, $password, $email, $groups);
				if (!$signed_up) {
					return false;
				}
				$token = $this->getToken($username, $password);
			} else {
				throw $e;
			}
		}

		$this->setGroups($username, $groups);

		return $this->setCookie($token, time() + $this->getLifetimeSeconds());
	}

maicol07

ctml I may have forgotten to update the doc 😅 that was for an older version of the plugin.
The access token requires the master token and user's username/password

luceos

maicol07 why don't you pr the changes to the api client back to the flagrow one? Seems overly unnecessary to use a fork with identical namespace in another fully functional package 🙂

ctml

maicol07

I'm testing with postman, and I realize this is not the SSO plugin but rather flarums api itself but I am getting the 401 unauthenticated using the master token I created.

POST /api/token
Headers:

Token: <api_keys_table_token>
userId: 1 <- tried with and without this field

{
    "errors": [
        {
            "status": "401",
            "code": "not_authenticated"
        }
    ]
}

maicol07

luceos I thought it was "abandoned" or no more actively developed/mantained...
I was thinking to change the namespace in the next version and maintain the API client

luceos

maicol07 that would be a great idea, thanks for clarifying 👍️ Once you publish your version feel free to ping me so I can mark the flagrow one abandoned and replaced with yours 😉

maicol07

ctml you need to set an Authorization header to your master token and your JSON body to:

{
  "identification" : "myusername",
  "password" : "mypassword",
  "lifetime" : "3600"
}

You can change 3600 to another value if you want

ctml

maicol07

I see that now, thanks. Looks like the 401 is expected for the token since the user doesn't exist, after the 401 the signup is attempted. Unfortunately I now see that the signup fails because my website usernames allows periods, but flarum does not.

/api/users` resulted in a `422 Unprocessable Entity` response:
{"errors":[{"status":"422","code":"validation_error","detail":"The username may only contain letters, numbers, and dashe (truncated...)

I cannot change my usernames, so I'll have to figure out of there is anyway around this limitation of flarum.

maicol07

ctml you should edit that in Flarum core files, but that is not a good way to do it. It can be better to replace all the usernames dots and special characters with a - when registering the user (or maybe removing them completely).
A change in the next betas is the best choice, but I don't know if developers want.

ctml

Thanks, you're a gentleman and a scholar! I appreciate all the quick replies over the past 24h, it is all working now. Although I don't love substituting dashes, it has nothing to do with the SSO and is a limitation of flarum, there is another thread about supported characters in usernames so I will carry on over there 🙂 Very excited to start using it now that I can integrate all my users.

« Previous Page Next Page »