The sso connector is disabled by default for flexibility reasons. But it's quite easy to enable it. Use our helper command, which guides you through the installation process:
$ bin/console members:oauth:setup
If you don't want to use it, you need to check several steps which we're going to explain to you right now:
You need an additional Class for the SSO Identity. Every provider (e.g. Google or Facebook) creates an SsoIdentity
entity, which gets appended to a user object.
If you're using all the default Members Classes, you can simply re-run the command:
$ bin/console members:install:class -o
By adding the -o
argument, this command will install the SsoIdentity
. Already installed classes will be skipped.
If you want to use a different name, just create the class and import it from src/MembersBundle/Resources/install/classes/class_SsoIdentity_export.json
.
Read more about changing the default class name here.
Important! This step is only required if you're updating an existing installation! If you have installed Members from scratch via the class installer, this field is already available!
Add this to your var/classes/definition_YOUR_USER_CLASS_NAME.php
(right after the group
section):
{
"fieldtype": "manyToManyObjectRelation",
"width": "",
"height": "",
"maxItems": "",
"queryColumnType": "text",
"phpdocType": "array",
"relationType": true,
"visibleFields": "key",
"optimizedAdminLoading": false,
"visibleFieldDefinitions": [],
"lazyLoading": true,
"classes": [
{
"classes": "SsoIdentity"
}
],
"pathFormatterClass": "",
"name": "ssoIdentities",
"title": "SSO Identities",
"tooltip": "",
"mandatory": false,
"noteditable": false,
"index": false,
"locked": false,
"style": "",
"permissions": null,
"datatype": "data",
"invisible": false,
"visibleGridView": false,
"visibleSearch": false
}
You need to change the parent class of your existing user class to \MembersBundle\Adapter\User\AbstractSsoAwareUser
.
Install the KnpUOAuth2ClientBundle:
$ composer require knpuniversity/oauth2-client-bundle:^2.0
You also need to add some providers. There is a list of all available provider. In this example, we're going to install the google client:
$ composer require league/oauth2-google:^3.0
Otherwise, the oauth connection won't work.
If you have any hints to allow processing an oauth connection within
strict
mode, please tell us.
framework:
session:
cookie_samesite: 'lax'
Read more about the activation_type
here.
members:
oauth:
enabled: true
activation_type: 'complete_profile' # choose between "complete_profile" and "instant"
Every provider comes with its own configuration. In this example, we're going to setup the google client:
Attention: Always use the members_user_security_oauth_check
route in redirect_route
.
There is also a full list of all configurations
knpu_oauth2_client:
clients:
google:
type: google
client_id: 'YOUR_CLIENT_ID'
client_secret: 'YOUR_CLIENT_SECRET'
redirect_route: members_user_security_oauth_check
redirect_params: {}
If you need a special scope definition, you can add them in the Members configuration.
Just add your client (google
in your example) to the scopes
node. Value needs to be an array
.
If there is no configured scope, the oauth2 client will trigger
getDefaultScopes()
(see documentation. Default scope values vary from client to client.
members:
oauth:
scopes:
google: ['email']
Finally, checkout the registration type for SSO here.