heptacom / shopware-platform-admin-open-auth
Shopware plugin to allow OAuth providers to provide admin logins
Installs: 55 281
Dependents: 0
Suggesters: 0
Security: 0
Stars: 30
Watchers: 5
Forks: 10
Open Issues: 8
Type:shopware-platform-plugin
Requires
- php: >=8.2.0
- ext-json: *
- ext-mbstring: *
- ext-openssl: *
- ext-zlib: *
- composer/composer: ^2.7
- doctrine/dbal: ^3.8
- guzzlehttp/guzzle: ^7.5
- guzzlehttp/psr7: ^2.4
- league/oauth2-client: ^2.0
- league/oauth2-server: ^8.5
- mrjoops/oauth2-jira: ^0.2.4
- mtdowling/jmespath.php: ^2.7
- nyholm/psr7: ^1.5
- onelogin/php-saml: ^4.1.0
- psr/cache: ^3.0
- psr/http-client: ^1.0
- psr/http-message: ^2.0
- psr/log: ^3
- shopware/core: ^6.6.0
- web-token/jwt-core: ^3.2
- web-token/jwt-signature: ^3.2
- web-token/jwt-signature-algorithm-ecdsa: ^3.2
- web-token/jwt-signature-algorithm-rsa: ^3.2
Requires (Dev)
- shopware/administration: ~6.6.0
- dev-master
- dev-main
- 7.0.1-rc.1
- 7.0.0
- 7.0.0-rc1
- 6.0.3
- 6.0.2
- 6.0.2-rc.1
- 6.0.1
- 6.0.1-rc.1
- 6.0.0
- 6.0.0-rc.1
- 6.0.0-beta.3
- 6.0.0-beta.2
- 6.0.0-beta.1
- 5.0.0
- 5.0.0-beta.5
- 5.0.0-beta.4
- 5.0.0-beta.3
- 5.0.0-beta.2
- 5.0.0-beta.1
- 4.3.0
- 4.2.1
- 4.2.0
- 4.1.0
- 4.0.2
- 4.0.1
- 4.0.0
- 3.0.3
- 3.0.2
- 3.0.1
- 3.0.0
- 2.0.0
- 1.0.2
- 1.0.1
- 1.0.0
- dev-dependabot/composer/dev-ops/bin/composer-unused/symfony/validator-7.1.7
This package is auto-updated.
Last update: 2024-11-06 15:30:24 UTC
README
This is part of HEPTACOM solutions for medium and large enterprise
Shopware plugin to allow external login provider in the administration
This Shopware 6 plugin allows to add "Login with" functionality into the Shopware administration login page and password confirmation dialogs.
Features
- login to Shopware 6 administration using an external identity provider (IDP)
- various providers already preconfigured - Microsoft, Google, Okta, Keycloak, ...
- support for third-party IDPs supporting OpenID Connect
- easy setup using the provider's metadata document (
.well-known/openid-configuration
)
- easy setup using the provider's metadata document (
- support for third-party IDPs supporting SAML2
- easy setup using the provider's metadata xml
- promote users automatically to administrators
- set roles and permissions based on rules
Security
The login to the Shopware administration is a critical part. Security vulnerabilities in this part allow attackers access to the whole shop.
Therefore, we check our plugin critically for potential risks before merging pull requests.
In addition, our OpenId Connect implementation also checks the signature of JWT tokens, whenever possible. When using a pre-configured OpenID Connect provider or when providing a OIDC metadata document, the JWKS keys are automatically fetched from the IDP.
Supported providers
We support a variety of identity providers out of the box. If your identity provider is not listed below but offers OpenID Connect support, you can configure it manually using the OpenID Connect provider. In any other case feel free to create a pull request.
⚠️ supported using authorized request rule
SAML2 - Technical requirements
In case you want to use a SAML2 provider, your IdP must meet the following requirements:
- include AuthnRequest in the SAML response
- sign the returned assertions
- support HTTP-POST binding for the Assertion Consumer Service (ACS)
- return the user's email address as attribute (all other attributes are optional)
OpenID Connect - Authenticated request rule
When using an OpenID Connect based provider, you can assign roles that depend on an authenticated GET request, done with the user's access token. This way you can get any further information from the IDP, that is relevant for your specific case. For some providers a preset for retrieving the user's groups is already available.
In case you want to create more complex rules, you can build your own queries within the rule builder. The queries get the JSON, returned by the specified endpoint, as input.
Authenticated request
Your specified endpoint will be called as follows:
GET https://my-company.idp.com/api/groups Authorization: Bearer <access_token> Accept: application/json
The request must be encrypted (HTTPS) and will timeout after 5 seconds. In case of a timeout or a none successful response code, the condition will be evaluated as false
.
In case you have multiple conditions, depending on the same endpoint, the request will only be done once. The response is cached in memory for the duration of the rule evaluation.
Processing the response
You can then use a JMESPath query to validate if the input JSON matches your rule.
It is recommended that your query results in a boolean. In case it results in a different type, the condition will be validated as follows:
Changes
View the CHANGELOG file attached to this project.
Contributing
Thank you for considering contributing to this package! Be sure to sign the CLA after creating the pull request.
License
Copyright 2020 HEPTACOM GmbH
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this project except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 or see the local copy.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Trademarks and Logos
All logos, available in this project are protected under copyright. Most of them also are registered trademarks. Therefore, the usage is only permitted when corresponding trademark/branding guidelines are fulfilled. You can find an archived link to these guidelines below.
Atlassian Jira
cidaas
- https://developers.google.com/identity/branding-guidelines
- https://about.google/brand-resource-center/brand-elements/
- https://about.google/brand-resource-center/rules/
- https://about.google/brand-resource-center/brand-terms/
Keycloak
Microsoft Entra ID
Okta
OneLogin
The One Identity logo is a registered trademark of One Identity, Inc.