arckinteractive/elgg3_oauth_sso

There is no license information available for the latest version (dev-master) of this package.

Allows other sites/services to implement SSO using the Elgg as the source of truth for user info

dev-master 2021-08-04 04:24 UTC

This package is auto-updated.

Last update: 2024-12-04 11:21:57 UTC


README

Allows other sites to use the elgg server as an oauth identity manager

  1. Register a new application at /admin/applications
  2. Authorize the user by having them log in at [url]/oauth/authorize?client_id=xxxxxxxx&state=xxxxxxxx&response_type=code&scope=user where client_id is the generated id of the application, and the state is a random string to prevent CSRF attacks
  3. The user will log in if necessary and authorize the application
  4. The user will be redirected back to the redirect_uri with the original state in a query param and a code: [redirect_uri]?state=xxxxxx&code=xxxxxxxx
  5. Make a POST request to /oauth/token with body params of
    {
        client_id: xxxxxxxx,
        client_secret: xxxxxxx,
        grant_type: 'authorization_code',
        redirect_uri: 'https://xxxxxxxxxxxxx',
        code: xxxxxxxxxx
    }
  1. The result will be an access token
    {
        "access_token": "369e27dae447d3856fc538a217536b186cea1bc3",
        "expires_in": 3600,
        "token_type": "Bearer",
        "scope": "user",
        "refresh_token": "3c706473a576815c503a119626d674331becc4c8"
    }
  1. The access token in the header: Authorization: Bearer 369e27dae447d3856fc538a217536b186cea1bc3 for future OAuth api calls
  2. Retrieve the user info from the GET endpoint /oauth/api/me
    {
        "name": "Matt Beckett",
        "username": "mbeckett",
        "email": "matt@arckinteractive.com"
    }
  1. Use the refresh token to get a fresh access token if necessary, make a POST request to /oauth/token with body params of
    {
        client_id: xxxxxxxx,
        client_secret: xxxxxxx,
        grant_type: 'refresh_token',
        refresh_token: xxxxxxxxxx
    }