Prerequisites
phpBB 3.x
Linux + PHP 5.6 or 7.1 system,
Warning ! the operation of OIDC requires a client application installed on a secure server (https:// protocol).
Register on the OAuthSD server
The application receiving the extension must be registered on the OAuthSD server [1]. The procedure is described here: Link a client application to the OAuthSD server.
By following this procedure:
you will register as an author on the server,
you will register your application. Registration is done here: Register a client application.
You should :
- Configure the return address (Redirect URI) in the following form: https://mon_application.com/ucp.php?mode=login&login=external&oauth_service=oauthsd
- Enter scopes "openid sli".
Note the values of "Client id" (which will correspond to "Key" in phpBB) and "Secret Client".
Installation and configuration on phpBB
1. The OIDC client for phpBB installs like any phpBB extension:
download the OIDC client extension for phpBB (can also be found on GitHub),
decompress the archive,
install the code in /ext/bdegoy/oauthsd,
in phpBB, install the extension "DnC OIDC client for OAuthSD" (section Customize -> Extension Manager).
2. Install the OAuthSD Service for Lusitanian / PHPoAuthLib:
phpBB uses the Lusitanian/PHPoAuthLib library to implement SSO with OIDC. We must complete this library with the Oauthsd service. The OAuthSD Service is included in .../oauthsd-phpbb/OAuth/OAuth2/Service/Oauthsd.php and should be copied to .../vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/ folder.
3. In phpBB, section Client Communication -> Authentication, select the Oauth authentication method:
Enter the parameters for OAuthSD:
then press the "Submit" button.
If everything went well, an "OAuthSD" button should appear on the Login page:
Notes:
The button "OAuthSD" does not appear wherever the connection is possible or desirable. For example, we would expect to see the button on the login page to Administration Control Panel, but that’s not the case. It depends on phpBB [2], Not on the extension.
phpBB: Attempt to connect with an unknown forum account
If we try to connect with a login (a "Username" in the phpBB vocabulary) that is not registered on the forum, phpBB reports the error:
it is proposed to:
Link the account to an existing account: Enter the Username and Password and then press "Login" [3].
create a new account: Press the "Register" button.
Notes:
Only the login (User Name) must be identical on both sides, the password is specific to each system.
One could think of another solution: register the phpBB account on the authentication server. But that would go against the principle of single sign-on (SSO): if a user has an account on OAuthSD, it is to be able to connect to different systems with the same identifiers.
Roadmap
set the URL of the OIDC server so that you can choose the authentication server. This should lead to a universal OpenID Connect client.
try to act on phpBB to better integrate authentication. For example inserting the authentication button on the ACL login page.
In conclusion ...
This registration of a PhpBB application shows that OAuthSD is an authentication server that is just as accessible as the major platforms. But with OAuthSD we offer you a lot more: the way to protect your data and protect visitors to your sites using a server on your property.
Note that this use of OpenID Connect reduces the point of view to SSO. OpenID Connect is so much more than SSO, which is only a minor aspect.
OpenID Connect offers:
the protection of passwords,
secure exchanges between applications distributed in the cloud,
and, with OAuthSD, the Single Login Identification, SLI
etc.
See
https://area51.phpbb.com/docs/dev/3.2.x/extensions/tutorial_authentication.html
On GitHub
https://github.com/bdegoy/oauthsd-phpbb
Issues (Bug reports or feature request) :
https://github.com/bdegoy/oauthsd-phpbb/issues