[MGNLSSO-53] Add OAuth support to sso module Created: 15/Apr/21  Updated: 20/Jan/23

Status: Open
Project: Single Sign On
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Neutral
Reporter: Leah Staniorski Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
[ ] New SSO module includes OAuth
[ ] OAuth method added to documentation
Task DoR:
Empty
Date of First Response:
Epic Link: SSO support for custom IdPs
Team: AdminX

 Description   

https://docs.magnolia-cms.com/product-docs/Modules/List-of-modules/SSO-module.html

The SSO module currently supports OpenID Connect identity via pac4j. It does not currently support OAuth, although the pac4j library does support OAuth, so extending the module to support both shouldn't be overly complicated.

Please also add documentation for this.

Since the old SSO module did support OAuth and is now deprecated, we should add support for OAuth here for clients who use/require OAuth. Old module: https://documentation.magnolia-cms.com/display/SERVICES/Single+Sign+On



 Comments   
Comment by Leah Staniorski [ 15/Apr/21 ]

From Lars:

https://www.pac4j.org/4.3.x/docs/config.html
at the very bottom
oauth2.id, oauth2.secret, oauth2.authUrl, oauth2.tokenUrl, oauth2.profileUrl, oauth2.profilePath, oauth2.profileId, oauth2.scope, oauth2.withState, oauth2.clientAuthenticationMethod
those are the parameters that you can put below the
pac4j:
in the configuration

I once made a Pac4j prototype that could use the OAuth params:

<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-oauth</artifactId>
    <version>${pac4jVersion}</version>
</dependency>

a generic version with Google and OAuth looked like:

    # generic OAUTH2 example with a Google account, settings can be
    # different based on the provider
    # https://accounts.google.com/.well-known/openid-configuration
    # client credentials as posted in the ticket; a secret pasted into a
    # tracker should be treated as disclosed and rotated
    oauth2.id: 124665636344040-i1nrqtmm5g58gp7hfiidf4iq9lh5ap47.apps.googleusercontent.com
    oauth2.secret: 4YSHq9V6Cm6saugBuySTmaococ9
    oauth2.authUrl: https://accounts.google.com/o/oauth2/v2/auth
    oauth2.tokenUrl: https://oauth2.googleapis.com/token
    oauth2.profileUrl: https://www.googleapis.com/oauth2/v1/userinfo
    oauth2.scope: email profile
    # set as needed (binds the callback to the session that started the login)
    oauth2.withState: true
    # which of the delivered profile attributes is the user id (optional);
    # the key is oauth2.profileId, matching the pac4j property list above
    oauth2.profileId: id
    #oauth2.clientAuthenticationMethod:
    #oauth2.profilePath:
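What each of the oauth2.* keys above actually drives, as an added example that is not code from the ticket, Magnolia or pac4j: an offline walk-through of the generic OAuth 2.0 authorization-code flow keyed by the same property names. HTTP is replaced by constructed responses; the callback URL, client credentials, the userinfo JSON and the "basic"/"post" value names for clientAuthenticationMethod, as well as reading profilePath as a dotted path, are this example's own assumptions.

```python
"""Offline OAuth 2.0 authorization-code flow driven by pac4j-style oauth2.* keys.
Added example; not Magnolia or pac4j code. All network I/O is stubbed."""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed config: pac4j property names, Google endpoints from the ticket,
# placeholder credentials (assumption), no real provider is contacted.
CONFIG = {
    "oauth2.id": "123456789012-example.apps.googleusercontent.com",
    "oauth2.secret": "example-client-secret",
    "oauth2.authUrl": "https://accounts.google.com/o/oauth2/v2/auth",
    "oauth2.tokenUrl": "https://oauth2.googleapis.com/token",
    "oauth2.profileUrl": "https://www.googleapis.com/oauth2/v1/userinfo",
    "oauth2.scope": "email profile",
    "oauth2.withState": True,
    "oauth2.profileId": "id",
    "oauth2.profilePath": "",          # empty: the id sits at the top level
    "oauth2.clientAuthenticationMethod": "basic",  # "basic"/"post" are this example's names
}
CALLBACK_URL = "https://cms.example.test/.auth"   # assumed callback path


def build_authorization_url(cfg, callback_url):
    """Step 1: redirect to authUrl. Returns (url, state); the state must be kept
    server-side (session) so the callback can be checked against it."""
    params = {"response_type": "code", "client_id": cfg["oauth2.id"],
              "redirect_uri": callback_url, "scope": cfg["oauth2.scope"]}
    state = None
    if cfg["oauth2.withState"]:
        state = secrets.token_urlsafe(32)
        params["state"] = state
    return cfg["oauth2.authUrl"] + "?" + urlencode(params), state


def parse_callback(cfg, redirected_url, expected_state):
    """Step 2: the provider sends the browser back with ?code=...&state=...
    With withState the callback must echo the value bound to this session;
    without it, a victim's session can be made to finish an attacker's login."""
    qs = parse_qs(urlsplit(redirected_url).query)
    if "error" in qs:
        raise PermissionError("provider error: " + qs["error"][0])
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback without authorization code")
    if cfg["oauth2.withState"]:
        got = qs.get("state", [""])[0]
        if not expected_state or not hmac.compare_digest(got, expected_state):
            raise PermissionError("state mismatch: rejecting callback")
    return code


def build_token_request(cfg, code, callback_url):
    """Step 3: back-channel POST to tokenUrl. clientAuthenticationMethod decides
    whether client credentials go in an Authorization header or the form body."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": callback_url}
    method = cfg["oauth2.clientAuthenticationMethod"]
    if method == "basic":
        cred = f"{cfg['oauth2.id']}:{cfg['oauth2.secret']}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif method == "post":
        body["client_id"] = cfg["oauth2.id"]
        body["client_secret"] = cfg["oauth2.secret"]
    else:
        raise ValueError("unknown clientAuthenticationMethod: " + method)
    return cfg["oauth2.tokenUrl"], headers, body


def extract_user_id(cfg, profile_json):
    """Step 4: from the profileUrl response, descend profilePath (dotted path,
    an assumption) and take the attribute named by profileId as the user id."""
    node = json.loads(profile_json)
    for key in filter(None, cfg["oauth2.profilePath"].split(".")):
        node = node[key]
    user_id = node.get(cfg["oauth2.profileId"])
    if not user_id:
        raise ValueError("profile lacks attribute " + cfg["oauth2.profileId"])
    return str(user_id), node


# Constructed userinfo response standing in for the real profileUrl call.
SAMPLE_PROFILE = json.dumps({"id": "10769150350006150715113082367",
                             "email": "alice@example.test", "name": "Alice Example"})


def run_flow(cfg, attacker_state=None):
    """Drive all four steps; attacker_state simulates a forged callback."""
    _, state = build_authorization_url(cfg, CALLBACK_URL)
    cb = {"code": "4/0AX4XfWh-constructed"}          # constructed code value
    if attacker_state or state:
        cb["state"] = attacker_state or state
    code = parse_callback(cfg, CALLBACK_URL + "?" + urlencode(cb), state)
    token_url, headers, _ = build_token_request(cfg, code, CALLBACK_URL)
    user_id, profile = extract_user_id(cfg, SAMPLE_PROFILE)
    return {"token_url": token_url, "auth_header": headers.get("Authorization"),
            "user_id": user_id, "email": profile["email"]}


def forged_callback_rejected(cfg):
    """True when a callback carrying another session's state is refused."""
    try:
        run_flow(cfg, attacker_state="state-from-attacker-session")
    except PermissionError:
        return True
    return False
```

Running `run_flow(CONFIG)` yields the constructed user id from the `id` attribute; `forged_callback_rejected` is True with `oauth2.withState: true` and False when it is turned off, which is the practical reason to keep that key enabled in the module's default configuration.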
Comment by Matt Rajkovic [ 09/Nov/22 ]

We'll revisit this ticket in grooming in context of SSO 3.0.0 which already uses Pac4j.

Generated at Mon Feb 12 10:50:39 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.