The SSO connector is disabled by default for flexibility reasons, but it is quite easy to enable. Use our helper command, which guides you through the installation process:

```bash
$ bin/console members:oauth:setup
```

If you don't want to use it, you need to go through the following steps manually:
You need an additional class for the SSO identity. Every provider (e.g. Google or Facebook) creates an `SsoIdentity` entity, which gets appended to a user object.

If you're using all the default Members classes, you can simply re-run the command:

```bash
$ bin/console members:install:class -o
```

By adding the `-o` argument, this command will also install the `SsoIdentity` class. Already installed classes will be skipped.

If you want to use a different name, just create the class and import it from `src/MembersBundle/config/install/classes/class_SsoIdentity_export.json`.

Read more about changing the default class name here.
Important! This step is only required if you're updating an existing installation! If you have installed Members from scratch via the class installer, this field is already available!

Add this to your `var/classes/definition_YOUR_USER_CLASS_NAME.php` (right after the `group` section):

```json
{
    "fieldtype": "manyToManyObjectRelation",
    "width": "",
    "height": "",
    "maxItems": "",
    "queryColumnType": "text",
    "phpdocType": "array",
    "relationType": true,
    "visibleFields": "key",
    "optimizedAdminLoading": false,
    "visibleFieldDefinitions": [],
    "lazyLoading": true,
    "classes": [
        {
            "classes": "SsoIdentity"
        }
    ],
    "pathFormatterClass": "",
    "name": "ssoIdentities",
    "title": "SSO Identities",
    "tooltip": "",
    "mandatory": false,
    "noteditable": false,
    "index": false,
    "locked": false,
    "style": "",
    "permissions": null,
    "datatype": "data",
    "invisible": false,
    "visibleGridView": false,
    "visibleSearch": false
}
```
You need to change the parent class of your existing user class to `\MembersBundle\Adapter\User\AbstractSsoAwareUser`.

Install the KnpUOAuth2ClientBundle:

```bash
$ composer require knpuniversity/oauth2-client-bundle:^2.0
```

You also need to add some providers. There is a list of all available providers. In this example, we're going to install the Google client:

```bash
$ composer require league/oauth2-google:^3.0
```
Set the session cookie's SameSite attribute to `lax`. Otherwise, the oauth connection won't work: the provider sends the browser back to your callback route in a cross-site top-level request, and a `strict` cookie is not attached to such a request, so the session (and the OAuth state stored in it) is lost. If you have any hints to allow processing an oauth connection within `strict` mode, please tell us.

```yaml
framework:
    session:
        cookie_samesite: 'lax'
```
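To see why `strict` breaks the flow, here is an added example (not part of the Members bundle or KnpUOAuth2ClientBundle) that models the browser's SameSite decision for the session cookie over the redirect chain app -> provider -> callback route; the site names are constructed placeholders. It also goes one step beyond the page and shows that `lax` does not help if a provider returns the callback with a cross-site POST instead of a GET redirect.

```python
"""Added example, not from the Members bundle: a constructed model of the browser's
SameSite rules run over the redirect chain app -> provider -> oauth_check route."""
import secrets

APP_SITE = "members.example"                  # constructed placeholder
PROVIDER_SITE = "accounts.provider.example"   # constructed placeholder


def cookie_sent(samesite: str, request_site: str, initiator_site: str,
                method: str, top_level: bool = True) -> bool:
    """Browser decision for one cookie: strict -> same-site requests only;
    lax -> also cross-site top-level navigations with a safe method (GET/HEAD),
    which is what the provider's redirect back to the app is; none -> always."""
    if request_site == initiator_site:
        return True
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level and method in ("GET", "HEAD")
    return True  # "none" (a real browser additionally requires Secure)


def oauth_round_trip(samesite: str, callback_method: str = "GET") -> bool:
    """Run the redirect chain and return whether the state check passes."""
    # Step 1: the app stores a random state in the session and sends the
    # browser to the provider with the same state in the authorize URL.
    session = {"oauth_state": secrets.token_urlsafe(16)}
    state_in_authorize_url = session["oauth_state"]

    # Step 2: the provider redirects back to members_user_security_oauth_check
    # with ?state=...&code=... ; for the app this is a cross-site request.
    state_from_callback = state_in_authorize_url
    cookie_present = cookie_sent(samesite, APP_SITE, PROVIDER_SITE, callback_method)

    # Step 3: the callback compares the URL state with the session copy. Without
    # the cookie a fresh, empty session is started, so the check cannot pass.
    stored_state = session["oauth_state"] if cookie_present else None
    return stored_state is not None and secrets.compare_digest(stored_state, state_from_callback)


if __name__ == "__main__":
    for mode in ("strict", "lax", "none"):
        print(f"cookie_samesite={mode}: GET callback passes -> {oauth_round_trip(mode)}")
    print(f"lax with POST callback passes -> {oauth_round_trip('lax', 'POST')}")
```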
```yaml
members:
    oauth:
        enabled: true
        activation_type: 'complete_profile' # choose between "complete_profile" and "instant"
```

Read more about the `activation_type` here.
If you're using a different name for your firewall than `members_fe`, you need to configure the container parameter:

```yaml
parameters:
    members.firewall_name: your_fw_name
```
Every provider comes with its own configuration. In this example, we're going to set up the Google client.

Attention: Always use the `members_user_security_oauth_check` route in `redirect_route`.

There is also a full list of all configuration options.

```yaml
knpu_oauth2_client:
    clients:
        google:
            type: google
            client_id: 'YOUR_CLIENT_ID'
            client_secret: 'YOUR_CLIENT_SECRET'
            redirect_route: members_user_security_oauth_check
            redirect_params: {}
```
If you need a special scope definition, you can add it in the Members configuration. Just add your client (`google` in this example) to the `scopes` node. The value needs to be an array.

If there is no configured scope, the oauth2 client will trigger `getDefaultScopes()` (see the provider's documentation). Default scope values vary from client to client.

```yaml
members:
    oauth:
        scopes:
            google: ['email']
```
Finally, check out the registration type for SSO here.