Single Sign On

optiroot

@wuethrich I have the same problem as @mTrax, infact everything is set-up fine, and the Key is correct in both config.php and database...
But when I open the URL to do the login, then I get redirected to the Forum but I'm not authenticated. It is like if the redirect happened without anything sent...

Actually I didn't have the chance to try as I'm busy, but could headers from Chrome Dev tools be useful to check if the data has been sent?

optiroot

Okay, my bad. It works perfectly. Just one thing to point out (I guess the same problem is for @mTrax): if you just set up the extension and then login using the same email address of the "First Admin" of Flarum, the system will be a bit crazy. But it's enough log out, clear cookies and login back to your website and Flarum will automatically link your account with the Admin Account in Flarum.

For users this doesn't happen - because their accounts are still not existing in Flarum, and they get created on-the-fly when logging in.

Sorry, now everything works perfectly. This extension is great. Thank you, @wuethrich.

wuethrich

optiroot Oh yes there is a problem with existing users. Thanks for pointing that out ?

akhil_ck

optiroot hi can you able to help me bit to implement sso.
1) mainwebsite.com
2)flarum website

what all things i have to do if i want logged in user from mainwebsite can also login directtly to flarum website.
i have a menu item called forum so when user click it it will go to forum.

optiroot

wuethrich no problem! One question: in my website users are allowed to change both username and email. I didn't try, but of course I think that if they do, their Flarum account will not be the same as before but will be created a new one. Is possible to pass to the sso, the user ID too? Would be great

EDIT: I found in https://github.com/wuethrich44/flarum-ext-sso/blob/master/sample-website/Forum.php#L97 that "userId" is hardcoded to 1. Editing this would have any effect? I have the doubt that it is to use the token as the administrator... if so, I don't know...

optiroot

Did some tests with this Single Sign On and has enough problems...

For example, if in the main website the user can change the email or username, when logging in, will not login, but instead a new account will be created (and this is right, because email or username are different).

But at the same time, even if you edit in the database the values to the new one (the new email or username the user actually has), the user can't login anyway. This is because the password is generated with a token from the first username and email...

This is a big problem - and at the same time I think there should be a column in the users DB which refers to an external ID (a bit like how Zendesk's JWT auth works). This way even if the user change email and username, he will be "recognized" by the "external ID" and probably the token could be generated using this ID and the random string (using other methods, maybe). But the column isn't present by itself in Flarum at all. I never did a Flarum extension, but how can you add a DB column? And at the moment I can't find any Flarum documentation about Listeners and APIs (internal, not REST). It seems apidocs.flarum.org is offline

I'd like to help you (pulling on GitHub or something other) but I need some documentation about Flarum

Other than this, I think that on my main website I could do something like this (even if it is really strange... it should be done in Flarum's side, as it should be kept simple).

I think I will:
- Create a new table in my main database, in which I have "internal_id", "flarum_id"
- When the user tries to login, the website creates a token (with some encryption, I still don't know) based on the internal user_id and will store in DB the "internal_id".
- Now will make a request to register the user on Flarum. Flarum will answer with the user ID. This will be taken by the main website and saved in the DB as "flarum_id". Flarum will create the password using the token generated by the internal_id

Of course now the user can login, as username/email and password are right and if the user changes email or username on the main website, we will can send a REST API request to Flarum to make it change email or username of the user, checking in the previously mentioned DB table that the userID of which data must be changed corresponds to "flarum_id". In fact, in this way, the password will always be the same (as it is generated by the internal id) and the email or username will change because the REST API id the trick. So the user will can login without problems. It is just to be setup on the other website rather then Flarum..
But if there is any better method let me know. I just think that password must not be generated by something that could change (like username and email).

I know too (reading other posts... I don't remember which) that there is a kind of problem about usernames as if they get changed the mentions and other things could broke; so maybe we should allow just the change of email.

But the thing I want to know is this: when the user makes the login in the main website using SSO, which data gets send to Flarum to login? Username or email?

adrienfr44

optiroot For me the biggest problem at present is the non-distinction between "username" et "displayname" in core flarum

wuethrich

optiroot I see your point and there should definitely be an improvement. Unfortunately, it's not possible to change a username because Flarum uses the username for identification (see this line). Therefore, your suggestion with the table in the main database will not work.

As far as I know it should be possible to change the email but this change won't synchronize to the Flarum DB. So I think you can implement something like a change email function in the WP plugin but it's currently not possible to change the username because Flarum doesn't give you this possibility.

optiroot

adrienfr44 Right. I tested changing an user's username and the main problem is that if the user has been mentioned, when clicking on the link will bring you to the old username, because the mention is written and saved based on the actual username... weird (but at the same time right); that's why we really need Display Names... in this way users will be tagged in that way and when clicking on the mention will be brought to the actual username page. In fact, I think could be enough adding a column in the users table mentioning their Display Name, and the @ searching while tagging will be based on the Display Name. The tag is saved someway in the DB according with the userID. This way the link is generated based on the userID (not on Display Name: different people could have the same Display Name and could run the system crazy).

But, I think this is more a meta discussion rather than this ext.

optiroot

wuethrich I see... really big problem. The Flarum user system (or maybe just username) must be rebuilt to give more flexibility. Even because Display Names are pretty important in some communities (more in my case - I run a Social Network).

To change the email is pretty simple, it is enough to do a REST API request and that's all... the main problem is the username.

I think, since this is not a fault of your ext, maybe it is better to post on meta. When I have some spare time will create a post there with some ideas and explain the problem here.
Thank you, anyway; your extension is great even because doesn't use any of the other "complicated" methods like oAuth or SAML. It's pretty genious.

wuethrich

querty I just released a new version of the extension. Now everytime a login model is opened you will get redirect to the login page.

riyaskp

I installed your extension with composer .
"composer require wuethrich44/flarum-ext-sso".

Then I went to admin panel and install the extension and now the site showing this error message.
"Something went wrong while trying to load the full version of this site."

luceos

riyaskp run php flarum cache:clear then clear your browser cache. In case you use cloudlfare disable it or flush its cache.

DoubleWorld

无法启用插件，因为它引起了一个致命错误（fatal error）
Warning: require(/www/wwwroot/.com/wp-content/plugins/flarum-sso/config.php): failed to open stream: No such file or directory in /www/wwwroot/.com/wp-content/plugins/flarum-sso/Forum.php on line 11

Fatal error: require(): Failed opening required '/www/wwwroot/.com/wp-content/plugins/flarum-sso/config.php' (include_path='.:/www/server/php/70/lib/php') in /www/wwwroot/.com/wp-content/plugins/flarum-sso/Forum.php on line 11

wuethrich

DoubleWorld Your problem is the missing config.php. This is not well documented but you should copy the config.php.dist to config.php and change the settings according to your needs. After that everything should work fine.

RirouIsout

I have problem :

Warning: require(/home/web12638/web/wp-content/plugins/sample-website/config.php): failed to open stream: No such file or directory in /home/web12638/web/wp-content/plugins/sample-website/Forum.php on line 11

zinsser

Great extension! Keep up the good work!

Some notes from my end as of beta7 + ext-sso July 9th release:

You can disable signup in admin panel in the permissions tab.
With this extension enabled, any user registered will automatically be activated.
Fresh Flarum beta7 install => go to http://your.flarum.site/ and configure admin/MySQL => install extension with composer require => go to admin panel and enable the extension => admin panel crashed

Fresh Flarum beta7 install => install extension with composer require => go to http://your.flarum.site/ and configure admin/MySQL => go to admin panel => bravo! extension setting page pops up, the extension is automatically enabled and everything works as expected

Feature request/Future work/My demands or whatever

My existing user system has an avatar system and I want to use that directly. I'm not sure whether it should be part of this extension, but since it's related to sso I'll just put it here:
- Supply url as avatar src to Flarum. As of beta7 Flarum only accept url at register time and it will download and cache the avatar. After that, updating the url or re-caching is not possible without hacking into core files.
  
  Directly using url is also not possible.
- Disable avatar upload/delete. This is trivial in the front end. It can be done by overriding the AvatarEditor model. I don't know this should be in a separate extension or bundled with this sso extension, since disabling avatar upload without sso doesn't make sense anyway. I'm working on it right now so I'd like to see what do you think @wuethrich
  
  However, the API will still be opened and operational. This means that users can still upload/delete with API and break the sso setting. Is there any way to disable this or set permission to prevent users from modifying the avatar?
In sample-website, add an API path option. Currently flarum_url is used for both redirection and API requests. As SSO is normally implemented with multiple machines talking to each other over some kind of private network, it makes more sense that such API requests bypass reverse proxy/load balancer and go directly to the Flarum server. For example: "flarum_url" => "myFlarum.foo.bar", "api_url" => "localhost:8080", and use api_url in sendPostRequest method. I'll submit a pull request on GitHub unless you think this is overdone to be added to sample-website. (It's just a sample-website, but Forum.php and config.php act more like a tiny library tho)

wuethrich

zinsser Fresh Flarum beta7 install => go to http://your.flarum.site/ and configure admin/MySQL => install extension with composer require => go to admin panel and enable the extension => admin panel crashed

I've just tested the extension with beta7 and I hadn't this issue. Could you provide a error message or something to track this problem down?

zinsser My existing user system has an avatar system and I want to use that directly.

I don't use an avatar system in my setup so I won't develop anything in this direction. However, it sounds like a nice feature so I would be very happy if you provide a PR.

zinsser add an API path option

I would like to keep the sample-website as simple as possible so I don't think we should include this in the extension. If someone really need this it is added quickly.

pgshow

Here are two problem.
1.When i only logout at wordpress, flarum still logged on.
2.When i logout at flarum, url will redirect to "flarum_url/logout?token=xxx" first, and then redirect to "/wp-login.php?action=logout", at the page of wordpress, if i refuse to logout, the flarum have been logout.

wuethrich

pgshow Yes this sucks but I can't do anything about that because that's how the Wordpress logout works. But if you are coming up with an idea let me know...

DKornyukhov

Hey @wuethrich and the rest! Congrats on the awesome extension! I've been reading this discussion and would like to get a few clarifications. We have a WordPress community where users can create accounts and Flarum installed on a subdomain.

My question is:

If we install this extension and WP plugin on our main site does it mean our existing forum users won't be able to sign in (because they already exist in Flarum's database)?

wuethrich

DKornyukhov Existing Flarum users can't login with Wordpress because the account already exists and I cannot set a password. You could write some custom logic which overrides the current password but it doesn't work out of the box.

« Previous Page Next Page »