Verified Commit 0f47656d authored by Andrej Ramašeuski's avatar Andrej Ramašeuski

Aktualizace loginoidc

parent 64585058
Showing
with 888 additions and 15 deletions
## Changelog
### 0.1.5
* Add option to bypass second factor when sign in with OIDC
### 0.1.4
* Add option to automatically create unknown users.
### 0.1.3
* Add an option to override the redirect URI.
### 0.1.2
* Fix oauth flow for [Keycloak](https://github.com/keycloak/keycloak).
* Improve FAQ.
### 0.1.1
* Lowered the required Matomo version for this plugin.
### 0.1.0
* Initial version.
......@@ -20,6 +20,7 @@ use Piwik\Piwik;
use Piwik\Plugins\UsersManager\API as UsersManagerAPI;
use Piwik\Plugins\UsersManager\Model;
use Piwik\Session\SessionInitializer;
use Piwik\Session\SessionFingerprint;
use Piwik\Url;
use Piwik\View;
......@@ -243,7 +244,7 @@ class Controller extends \Piwik\Plugin\Controller
$userModel = new Model();
$user = $userModel->getUser($matomoUserLogin);
$this->linkAccount($providerUserId, $matomoUserLogin);
$this->signinAndRedirect($user);
$this->signinAndRedirect($user, $settings);
} else {
throw new Exception(Piwik::translate("LoginOIDC_ExceptionUserNotFoundAndSignupDisabled"));
}
......@@ -258,7 +259,7 @@ class Controller extends \Piwik\Plugin\Controller
if ($settings->disableSuperuser->getValue() && Piwik::hasTheUserSuperUserAccess($user["login"])) {
throw new Exception(Piwik::translate("LoginOIDC_ExceptionSuperUserOauthDisabled"));
} else {
$this->signinAndRedirect($user);
$this->signinAndRedirect($user, $settings);
}
} else {
Url::redirectToUrl("index.php");
......@@ -304,11 +305,15 @@ class Controller extends \Piwik\Plugin\Controller
* @param array $user
* @return void
*/
private function signinAndRedirect(array $user)
private function signinAndRedirect(array $user, SystemSettings $settings)
{
$this->auth->setLogin($user["login"]);
$this->auth->setTokenAuth($user["token_auth"]);
$this->sessionInitializer->initSession($this->auth);
if ($settings->bypassTwoFa->getValue()) {
$sessionFingerprint = new SessionFingerprint();
$sessionFingerprint->setTwoFactorAuthenticationVerified();
}
Url::redirectToUrl("index.php");
}
......
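Review bot: `signinAndRedirect` marks the session as two-factor-verified whenever `bypassTwoFa` is set, with no evidence that the OIDC provider performed a second factor — nothing from the token or userinfo response is consulted here, so the switch silently disables 2FA for every OIDC login, including users who deliberately enrolled a second factor in Matomo and super users (the `disableSuperuser` guard at L45 only blocks them when that separate option is on). The trust assumption should at least be written down next to the call: `// Admin-level trust decision: assumes the OIDC provider enforces MFA itself; no amr/acr claim is checked here.` Consider narrowing the bypass so the most privileged accounts keep Matomo's own second factor, e.g. `if ($settings->bypassTwoFa->getValue() && !Piwik::hasTheUserSuperUserAccess($user["login"])) {`. The fingerprint is written after `initSession`, so the session presumably exists by then; worth confirming against `SessionInitializer`.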
......@@ -86,11 +86,11 @@ class LoginOIDC extends \Piwik\Plugin
user VARCHAR( 100 ) NOT NULL,
provider_user VARCHAR( 255 ) NOT NULL,
provider VARCHAR( 255 ) NOT NULL,
date_connected TIMESTAMP NOT NULL,
date_connected TIMESTAMP NOT NULL DEFAULT current_timestamp() ON UPDATE current_timestamp(),
PRIMARY KEY ( provider_user, provider ),
FOREIGN KEY ( user ) REFERENCES " . Common::prefixTable("user") . "( login ) ON DELETE CASCADE,
CONSTRAINT user_provider UNIQUE ( user, provider )
) DEFAULT CHARSET=utf8";
UNIQUE KEY user_provider ( user, provider ),
FOREIGN KEY ( user ) REFERENCES " . Common::prefixTable("user") . " ( login ) ON DELETE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=utf8";
Db::exec($sql);
} catch(Exception $e) {
// ignore error if table already exists (1050 code is for 'table already exists')
......
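Review bot: `ON UPDATE current_timestamp()` on `date_connected` turns the column into a last-modified stamp rather than the time the account was linked, which is what the name and the `linkAccount` call site imply; if "date linked" is the intent, keep only the default: `date_connected TIMESTAMP NOT NULL DEFAULT current_timestamp(),`. Because the CREATE TABLE sits in a catch that ignores "table already exists" (L86), installations that already have the table presumably never receive the new default or the InnoDB engine — confirm whether the plugin has an update step for that. The enclosing method starts outside the hunk.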
# Matomo LoginOIDC Plugin
## Description
Login via third party authentication services.
Easily add a "Login with Github" button your Matomo instance. You can also setup any other service to do the authentication for you.
## Installation
Install it via Matomo Marketplace.
Alternatively put the files from this repo in <MATOMO_INSTALLATION>/plugins/LoginOIDC and activate it in the settings.
## License
GNU General Public License v3.0
......@@ -33,6 +33,11 @@ class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
*/
public $allowSignup;
/**
* Bypass 2nd factor when login with OIDC
*/
public $bypassTwoFa;
/**
* The name of the oauth provider, which is also shown on the login screen.
*
......@@ -105,6 +110,7 @@ class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
{
$this->disableSuperuser = $this->createDisableSuperuserSetting();
$this->allowSignup = $this->createAllowSignupSetting();
$this->bypassTwoFa = $this->createBypassTwoFaSetting();
$this->authenticationName = $this->createAuthenticationNameSetting();
$this->authorizeUrl = $this->createAuthorizeUrlSetting();
$this->tokenUrl = $this->createTokenUrlSetting();
......@@ -144,6 +150,20 @@ class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
});
}
/**
* Add bypassTwoFa setting.
*
* @return SystemSetting
*/
private function createBypassTwoFaSetting() : SystemSetting
{
return $this->makeSetting("bypassTwoFa", $default = false, FieldConfig::TYPE_BOOL, function(FieldConfig $field) {
$field->title = Piwik::translate("LoginOIDC_SettingBypassTwoFa");
$field->description = Piwik::translate("LoginOIDC_SettingBypassTwoFaHelp");
$field->uiControl = FieldConfig::UI_CONTROL_CHECKBOX;
});
}
/**
* Add authentication name setting.
*
......@@ -242,7 +262,7 @@ class SystemSettings extends \Piwik\Settings\Plugin\SystemSettings
return $this->makeSetting("clientSecret", $default = "", FieldConfig::TYPE_STRING, function(FieldConfig $field) {
$field->title = Piwik::translate("LoginOIDC_SettingClientSecret");
$field->description = Piwik::translate("LoginOIDC_SettingClientSecretHelp");
$field->uiControl = FieldConfig::UI_CONTROL_TEXT;
$field->uiControl = FieldConfig::UI_CONTROL_PASSWORD;
});
}
......
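Review bot: `createBypassTwoFaSetting` exposes a switch that disables a security control, but its description resolves to an empty string (`SettingBypassTwoFaHelp` is `""` in the translation files below), so an administrator only sees the title and not the consequence. Give it a description that states the trust assumption, e.g. `"SettingBypassTwoFaHelp": "Users signing in through the OIDC provider will not be asked for their Matomo second factor. Enable this only if the provider itself enforces multi-factor authentication."`. Switching the client secret to `UI_CONTROL_PASSWORD` is a good change, though it only masks the field in the UI; whether the stored value is otherwise exposed depends on Matomo's settings storage, which is not visible here.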
## FAQ
**What is the callback url?**
http(s)://<YOUR_MATOMO_URL>/index.php?module=LoginOIDC&action=callback&provider=oidc
**Which providers can I use?**
I tested the plugin with Auth0, Github and Keycloak, which work fine.
If your provider does not seem to work, leave an issue on Github.
**How can I unlink all users?**
The easiest way is to fully uninstall the plugin and reinstall afterwards.
Otherwise you can delete data from `matomo_loginoidc_provider` in your sql database.
If you change the OAuth provider and there could be user id collisions, you should make sure to unlink all users beforehand.
**Can I setup more than one provider?**
Currently that is **not** possible.
But you can use services like Auth0, which support multiple providers.
**I get a `Can't create table` error when installing the plugin**
Most likely you are using a very old Piwik installation, which still uses MyISAM tables.
Learn here on how to update the database engine:
https://matomo.org/faq/troubleshooting/faq_25610/
**What are the settings for ...?**
- Github:
- Authorize URL: `https://github.com/login/oauth/authorize`
- Token URL: `https://github.com/login/oauth/access_token`
- Userinfo URL: `https://api.github.com/user`
- Userinfo ID: `id`
- OAuth Scopes: `<EMPTY>`
- Auth0:
- Authorize URL: `https://<USERNAME>.eu.auth0.com/authorize`
- Token URL: `https://<USERNAME>.eu.auth0.com/oauth/token`
- Userinfo URL: `https://<USERNAME>.eu.auth0.com/userinfo`
- Userinfo ID: `sub`
- OAuth Scopes: `openid`
- Keycloak:
- Authorize URL: `http(s)://<YOUR_KEYCLOAK_INSTALLATION>/auth/realms/<REALM>/protocol/openid-connect/auth`
- Token URL: `http(s)://<YOUR_KEYCLOAK_INSTALLATION>/auth/realms/<REALM>/protocol/openid-connect/token`
- Userinfo URL: `http(s)://<YOUR_KEYCLOAK_INSTALLATION>/auth/realms/<REALM>/protocol/openid-connect/userinfo`
- Userinfo ID: `sub`
- OAuth Scopes: `openid`
- Gitlab (self-hosted Community Edition 12.6.2)
- Authorize URL: `http(s)://<YOUR_GIT_DOMAIN>/oauth/authorize`
- Token URL: `http(s)://<YOUR_GIT_DOMAIN>/oauth/token`
- Userinfo URL: `http(s)://<YOUR_GIT_DOMAIN>/oauth/userinfo`
- Userinfo ID: `sub`
- OAuth Scopes: `openid email`
- [Unikname Connect](https://unikname.com)
- Name: `Connect with your private @unikname`
- Authorize URL: `https://connect.unikname.com/oidc/authorize`
- Token URL: `https://connect.unikname.com/oidc/accessToken`
- Userinfo URL: `https://connect.unikname.com/oidc/profile`
- Userinfo ID: `sub`
- OAuth Scopes: `openid email`
- Microsoft Azure AD
- Authorize URL: `https://login.microsoftonline.com/{tenant_id}/oauth2/authorize`
- Token URL: `https://login.microsoftonline.com/{tenant_id}/oauth2/token`
- Userinfo URL: `https://login.microsoftonline.com/{tenant_id}/openid/userinfo`
- Userinfo ID: `sub`
- OAuth Scopes: `openid`
- Redirect URI Override\*: `http(s)://<YOUR_MATOMO_INSTALLATION>/oidc/callback`
\*because Microsoft Azure AD does not allow query parameters in the redirect URI we also have to edit our nginx configuration to work around this limitation:
```nginx
server {
# ...
rewrite ^/oidc/callback /index.php?module=LoginOIDC&action=callback&provider=oidc redirect;
# ...
}
```
......@@ -19,9 +19,9 @@
"SettingClientSecret": "Client Secret",
"SettingClientSecretHelp": "",
"SettingScope": "OAuth Scopes",
"SettingScopeHelp": "z.B. openid",
"SettingScopeHelp": "z.B. 'openid' oder 'openid email'",
"SettingRedirectUriOverride": "Benutzerdefinierte Redirect URI",
"SettingRedirectUriOverrideHelp": "In manchen Fällen ist es nützlich, die Redirect URI, die an den Provider übergeben wird, zu überschreiben. Bei Unklarheit sollte dieses Feld freigelassen werden.",
"SettingRedirectUriOverrideHelp": "In manchen Fällen ist es nützlich, die Redirect URI, die an den OpenID Connect Provider übergeben wird, zu überschreiben. Bei Unklarheit sollte dieses Feld freigelassen werden.",
"OpenIDConnect": "OpenID Connect",
"OIDCIntro": "Dies erlaubt es Dir, Dich über einen externen Service bei Matomo einzuloggen.",
"AccountLinked": "Dein Account ist zur Zeit verknüpft (Entfernte Benutzer-ID: %1$s).",
......
......@@ -4,6 +4,8 @@
"SettingDisableSuperuserHelp": "",
"SettingAllowSignup": "Create new users when users try to log in with unknown OIDC accounts.",
"SettingAllowSignupHelp": "",
"SettingBypassTwoFa": "Disable second factor when sign in with OIDC",
"SettingBypassTwoFaHelp": "",
"SettingAuthenticationName": "Name",
"SettingAuthenticationNameHelp": "Name of the authentication source which will be displayed on the login screen.",
"SettingAuthorizeUrl": "Authorize URL",
......@@ -19,9 +21,9 @@
"SettingClientSecret": "Client Secret",
"SettingClientSecretHelp": "",
"SettingScope": "OAuth Scopes",
"SettingScopeHelp": "e.g. openid",
"SettingScopeHelp": "e.g. 'openid' or 'openid email'",
"SettingRedirectUriOverride": "Redirect URI override",
"SettingRedirectUriOverrideHelp": "In some cases it might be useful to manipulate the redirect uri which is given to the provider. If you are unsure, just leave this field empty.",
"SettingRedirectUriOverrideHelp": "In some cases it might be useful to manipulate the redirect uri which is given to the OpenID Connect provider. If you are unsure, just leave this field empty.",
"OpenIDConnect": "OpenID Connect",
"OIDCIntro": "This allows you to sign in using an external authentication service.",
"AccountLinked": "Your account is currently linked (Remote User ID: %1$s).",
......
{
"LoginOIDC": {
"SettingDisableSuperuser": "Désactiver la connexion externe des Super Utilisateurs.",
"SettingDisableSuperuserHelp": "",
"SettingAllowSignup": "Créer une nouveau compte utilisateur quand les utilisateurs tentent de se connecter avec un compte OIDC inconnu.",
"SettingAllowSignupHelp": "",
"SettingBypassTwoFa": "Désactiver le 2è facteur lors d'une connexion avec OIDC",
"SettingBypassTwoFaHelp": "",
"SettingAuthenticationName": "Nom",
"SettingAuthenticationNameHelp": "Nom de la source d'authentification qui va s'afficher sur l'écran de connexion.",
"SettingAuthorizeUrl": "URL Authorize",
"SettingAuthorizeUrlHelp": "ex. https://<USERNAME>.eu.auth0.com/authorize",
"SettingTokenUrl": "URL Token",
"SettingTokenUrlHelp": "ex. https://<USERNAME>.eu.auth0.com/oauth/token",
"SettingUserinfoUrl": "URL Userinfo",
"SettingUserinfoUrlHelp": "ex. https://<USERNAME>.eu.auth0.com/userinfo",
"SettingUserinfoId": "ID Userinfo",
"SettingUserinfoIdHelp": "Nom du champ de l'identifiant unique utilisateur dans la réponse 'userinfo'. Habituellement, pour les services de connexion OpenID Connect comme Auth0, il s'agit de 'sub'. Github fourni l'identifiant utilisateur avec 'id'.",
"SettingClientId": "Client ID",
"SettingClientIdHelp": "",
"SettingClientSecret": "Client Secret",
"SettingClientSecretHelp": "",
"SettingScope": "Scopes OAuth",
"SettingScopeHelp": "ex. 'openid' ou 'openid email'",
"SettingRedirectUriOverride": "Redéfinition de l'URI de redirection",
"SettingRedirectUriOverrideHelp": "Dans certains cas, il peut être pratique de redéfinir l'URI de redirection qui est transmise au fournisseur OpenID Connect. Si vous êtes n'êtes pas sûr, laissez ce champ vide.",
"OpenIDConnect": "OpenID Connect",
"OIDCIntro": "Ceci vous permet de vous connecter à Matomo en utilisant un service d'authentification externe.",
"AccountLinked": "Votre compte est actuellement lié (Identifiant du compte utilisateur distant : %1$s).",
"AccountNotLinked": "Votre compte n'est actuellement pas lié.",
"Link": "Lier ce compte",
"Unlink": "Délier ce compte",
"ExceptionNotConfigured": "LoginOIDC n'a pas encore été configuré.",
"ExceptionStateMismatch": "Erreur d'état OAuth.",
"ExceptionUnknownProvider": "Fournisseur OAuth inconnu.",
"ExceptionInvalidResponse": "Réponse inattendue du service OAuth.",
"ExceptionUserNotFoundAndSignupDisabled": "Utilisateur non trouvé. Les nouvelles inscriptions via OAuth sont désactivées.",
"ExceptionUserNotFoundAndNoEmail": "Utilisateur non trouvé. L'utilisateur n'a pas pu être créé car le service OAuth n'a pas renvoyé d'adresse e-mail.",
"ExceptionSuperUserOauthDisabled": "La connexion OAuth pour les Supers Utilisateurs est désactivée."
}
}
{
"name": "LoginOIDC",
"version": "0.1.4",
"version": "0.1.5",
"description": "Adds support for integrating external authentication services",
"keywords": ["authentication", "login", "oauth", "openid", "connect", "sso"],
"license": "GPL v3+",
......
LoginOIDC/screenshots/LoginOIDC_Admin_Settings.png

48 KiB

LoginOIDC/screenshots/LoginOIDC_Github_Authorize_Consent.png

31.4 KiB

LoginOIDC/screenshots/LoginOIDC_Sign_In.png

7.87 KiB

LoginOIDC/screenshots/LoginOIDC_User_Settings_Link.png

7.84 KiB

LoginOIDC/screenshots/LoginOIDC_User_Settings_Unlink.png

8.92 KiB
