Contrib.social

Add native support for Auth0

Open on Drupal.org →
Created on 14 December 2022, over 1 year ago
Updated 23 January 2024, 5 months ago

Auth0 is another OpenID Connect SSO service / IDP, just like Okta. (In fact, Okta bought Auth0 recently.) The Generic plugin gets us most of the way there, but not 100% because Auth0 is doing something off-spec. So let's add native support for Auth0 here.

Remaining tasks

  8. Add a general config checkbox (not specifically for the Auth0 config): Hide login method on login form, and just say "Login" if there's only one login method? This provides a better UX if users don't need to know or care about the method.

Original report

https://www.drupal.org/project/openid_connect/issues/3327237 Add native support for Auth0 Needs review

I have a few questions that are all somewhat related. I've been working with Auth0 through this module, and though the 1.2 version of this module and the "generic" client were enough to login, we needed the role mapping that was available in the now unsupported auth0 module. I also needed a way to override the button text for the block.

I created a sandbox project to add that functionality in https://www.drupal.org/sandbox/asherry/3327222

My questions are:

  1. Is it even in line with the vision of this module to have modules that extend it?
  3. When you place the OpenID connect block and it says "Login with [provider]", is it of any value to be able to override this? This module I'm creating does, but, if it's something that might be useful for any provider I could put together a patch for the core module instead.
Feature request
Status

RTBC

Version

3.0

Component

Code

Created by

🇺🇸United States asherry

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Assigned to colan
  • Status changed to Needs review over 1 year ago
  • Status changed to Active over 1 year ago
  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    Everything that I know needs to get done is now done so feel free to review & test. I'm going to start testing it myself now.

  • Status changed to Needs work over 1 year ago
  • Comment over 1 year ago
    🇵🇹Portugal jcnventura

    Please take care of the problem described in 🐛 Auth0 users can log in without e-mail verification even when it's required Closed: duplicate in this issue.

  • Status changed to Needs review over 1 year ago
  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    Fair enough if you think that's an Auth0 thing, but can we handle these separately? Do this one first, and the other as a follow-up? I'd like to get this one in, and probably won't be working on the other one due to time constraints (and the workaround).

  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    The first commit above is necessary because until now, the error description just goes in the log and users don't see it. However, what can get returned is:

    Please verify your email before logging in.

    Also, I hate it when I get a message saying that there's an error without telling me what the error is. This fixes that problem.

    From a security perspective, I don't believe we're leaking anything problematic here; it's just the reason the login is failing, which users have a right to know. And security through obscurity doesn't work anyway.

    The second commit adds docs to the Auth0 form, telling admins how to configure their Auth0 accounts to enforce e-mail verification. (It's actually trivial, and I don't think it's worth figuring out how to handle this on the Drupal side, especially if it's just for this one IDP so I'm just handling it in this issue.)

  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    Anyone know what's going on with that CI error? Testbot isn't running.

  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    This is now good to go as I believe I've tested the basic scenarios, and everything seems to be fine. Please review the code and test yourself!

    I did, however, run into 🐛 Cannot enforce IDP-only account creation Needs work , but I don't believe that's specific to this plugin (so that's why I created a separate issue).

  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    Here's the MR as a patch for Composer.

  • Comment over 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦
  • Comment about 1 year ago
    🇨🇦Canada colan Toronto 🇨🇦

    Lastest MR as a patch for Composer.

    Edit: Don't review the code here as it's the multiple-patch file from Gitlab; it'd be confusing. Look at the MR instead.

  • Status changed to RTBC 5 months ago
  • Comment 5 months ago
    🇮🇹Italy bigbabert Milano, Italy

    Hi,
    I've tested latest patch and work good!
    there is a way to anonymize username and email stored in Drupal from auth0?
    Thanks for the support

  • Comment 5 months ago
    🇵🇹Portugal jcnventura

    Anonymizing the username and email are a bit out of scope of the module.. The objective here is to allow an external ID provider to "vouch" for a user that is then created in Drupal. That Drupal user should have at least a real e-mail so that any functionality depending on that from Drupal's side can still work.

    You are of course free to create a patch to anonymize that data in your own site by hacking into the relevant lines in this plugin, but you'll have to maintain that site-specific modification on your own.

    In any case, thanks for finally marking this as "Reviewed & tested by the community"

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024