Providing an OAuth2 endpoint from drupal.org

Created on 15 September 2017, over 7 years ago
Updated 23 February 2025, 8 days ago

For projects and continuous integration of the community we need a central Drupal authentication provider.
The project https://www.drupal.org/project/oauth2_server → is capable of facilitating this.
We use it in daily practice for SSO OpenID Connect systems.
This request is just to validate whether a user with a d.o. entity is valid in drupal.org.

Implementation

  • Install stable versions of xautoload, oauth2_server
  • sites/all/libraries/oauth2-server-php should be https://github.com/bshaffer/oauth2-server-php/releases/tag/v1.8.0
  • Grant permission to all - use_oauth2_server
  • Create OAuth2 Server, export Feature once this is set well
  • Create client(s) as-needed
    • client-id will be visible in the URL
    • client-secret should only be known by d.o. and the implementer of the OpenID client consumer (i.e. this is a crypto secret)

Additional Notes

  • The oauth endpoints are on [drupal]/oauth2/{token|authenticate|UserInfo}.
  • Token and authentication endpoints can have short valid times, but should be long enough for slow connections.
  • `Refresh token lifetime` is mainly used for "offline access" scopes.
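An added example (not code from the issue or from the oauth2_server project) of what a relying party built against the endpoints listed above has to do: generate and verify a random `state` on the redirect, keep the client-secret strictly on the back channel, and only trust claims returned by UserInfo. The host `drupal.example`, the `http` transport callable and the `email_verified` check are assumptions.

```python
import base64
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoint paths as listed in the issue; the host is a placeholder, not drupal.org.
BASE = "https://drupal.example/oauth2"


def build_authorize_url(client_id, redirect_uri, scope="openid email"):
    """Build the front-channel authorization request plus a fresh random state.

    The RP stores `state` in the user's session and checks it on the callback,
    which defends the redirect against login CSRF. Only the client_id is
    visible in the URL, as the issue notes; the client_secret never is.
    """
    state = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{BASE}/authenticate?{urlencode(params)}", state


def complete_login(callback_url, expected_state, client_id, client_secret,
                   redirect_uri, http):
    """Validate the callback, redeem the code, and return UserInfo claims.

    `http(method, url, data, headers)` is an injectable transport (assumption)
    returning the decoded JSON body, so the flow can be exercised offline.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):  # constant-time compare
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    # The secret travels only in the back-channel token request (HTTP Basic).
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    token = http("POST", f"{BASE}/token",
                 {"grant_type": "authorization_code", "code": query["code"][0],
                  "redirect_uri": redirect_uri},
                 {"Authorization": f"Basic {basic}"})
    if token.get("token_type", "").lower() != "bearer" or token.get("expires_in", 0) <= 0:
        raise ValueError("unexpected token response")
    # Identity comes from UserInfo, never from anything the browser sent us.
    claims = http("GET", f"{BASE}/UserInfo", None,
                  {"Authorization": "Bearer " + token["access_token"]})
    if "sub" not in claims or not claims.get("email_verified", False):
        raise ValueError("provider did not vouch for a verified account")
    return claims
```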
✨ Feature request
Status

Active

Component

Other

Created by

Netherlands florisg


Comments & Activities


  • United States jdleonard Austin, TX, USA

    Curious whether there have been any recent discussions about this now that Keycloak has been implemented.

    Thought of this again in the context of Member Platform →, which could become a viable platform for any given local association / DUG / affinity group to manage and communicate with its members and offer event registration.

    As I mentioned in #21, there are numerous benefits to the Drupal community of allowing SSO against drupal.org for these groups.

  • @jdleonard Good point and what we have wanted since 2017 in the European community (i.e. for local GitLabs and sites). Having Keycloak solves the original technical issue to provide OAuth2 with Drupal itself.

    But the administration/management issue is still the same: like drupal.org and drupalcode.org, every community project/site/service would need a Keycloak client and probably access to the same realm of users?

    @drumm @hestenet Did you already gain experience with federated Keycloak clients you don't manage? If not what are your concerns on the different use cases like user login or profile sharing with d.o. account?

  • United States anoopjohn Washington D. C.

    It looks like KeyCloak supports OpenID Connect, and SAML for SSO. We really don't need any additional information from Drupal.org other than the email id saying that the email id has been authenticated through the drupal.org authentication system. For external clients - we don't even need authorization services from Drupal.org, just authentication should be enough.

    In terms of setting up a site to start using it - Drupal already has OpenID Connect and SAML support. All we need to do is to configure the Drupal.org KeyCloak server to allow authentication from a set of registered client applications (domains that are allowed to redirect requests to d.o). Keycloak already allows this out of the box.

    If KeyCloak is already set up, then the next question is - is there anything that is preventing us from rolling this out for all our Camp websites to start using?

    JD has started a thread for discussing this in the event organizers channel in Drupal slack - https://drupal.slack.com/archives/C03KZ3BETNH/p1740330500636009
