Home > OpenID Connect OAuth Server by DnC > Develop > OpenID Connect extension for phpBB

OpenID Connect extension for phpBB

An OIDC client for phpBB. Allows phpBB to use OpenID Connect instead of traditional authentication. (Warning: not to be confused with OpenID extension!)

PhpBB application developers will be able to facilitate the integration of the forums in their other web applications by allowing users access with a single authentication configured on the OIDC server (single sign-on, SSO).

OAuthSD offers you more than just SSO. The Single Login In: once connected to an application, you will be connected seamlessly to others (provided of course that they are registered on the server).

Prerequisites

- phpBB 3.x
- Linux + PHP 5.6 or 7.1 system,
- Warning ! the operation of OIDC requires a client application installed on a secure server (https:// protocol).

Register on the OAuthSD server

The application receiving the extension must be registered on the OAuthSD server [1]. The procedure is described here: Link a client application to the OAuthSD server.

By following this procedure:

- you will register as an author on the server,

- you will register your application. Registration is done here: Register a client application.
You should :

  • Configure the return address (Redirect URI) in the following form: https://mon_application.com/ucp.php?mode=login&login=external&oauth_service=oauthsd
  • Enter scopes "openid sli".

Note the values ​​of "Client id" (which will correspond to "Key" in phpBB) and "Secret Client".

Installation and configuration on phpBB

1. The OIDC client for phpBB installs like any phpBB extension:
- download the OIDC client extension for phpBB (can also be found on GitHub),
- decompress the archive,
- install the code in /ext/bdegoy/oauthsd,
- in phpBB, install the extension "DnC OIDC client for OAuthSD" (section Customize -> Extension Manager).

2. Install the OAuthSD Service for Lusitanian / PHPoAuthLib:
phpBB uses the Lusitanian/PHPoAuthLib library to implement SSO with OIDC. We must complete this library with the Oauthsd service. The OAuthSD Service is included in .../oauthsd-phpbb/OAuth/OAuth2/Service/Oauthsd.php and should be copied to .../vendor/lusitanian/oauth/src/OAuth/OAuth2/Service/ folder.

3. In phpBB, section Client Communication -> Authentication, select the Oauth authentication method:

- Enter the parameters for OAuthSD:

- then press the "Submit" button.

If everything went well, an "OAuthSD" button should appear on the Login page:

Our prototype is visible at the URL: https://phpbb.dnc.global/.

Notes:
- The button "OAuthSD" does not appear wherever the connection is possible or desirable. For example, we would expect to see the button on the login page to Administration Control Panel, but that’s not the case. It depends on phpBB [2], Not on the extension.

phpBB: Attempt to connect with an unknown forum account

If we try to connect with a login (a "Username" in the phpBB vocabulary) that is not registered on the forum, phpBB reports the error:

it is proposed to:
- Link the account to an existing account: Enter the Username and Password and then press "Login" [3].
- create a new account: Press the "Register" button.

Notes:
- Only the login (User Name) must be identical on both sides, the password is specific to each system.
- One could think of another solution: register the phpBB account on the authentication server. But that would go against the principle of single sign-on (SSO): if a user has an account on OAuthSD, it is to be able to connect to different systems with the same identifiers.

Roadmap

- set the URL of the OIDC server so that you can choose the authentication server. This should lead to a universal OpenID Connect client.
- try to act on phpBB to better integrate authentication. For example inserting the authentication button on the ACL login page.

In conclusion ...

This registration of a PhpBB application shows that OAuthSD is an authentication server that is just as accessible as the major platforms. But with OAuthSD we offer you a lot more: the way to protect your data and protect visitors to your sites using a server on your property.

Note that this use of OpenID Connect reduces the point of view to SSO. OpenID Connect is so much more than SSO, which is only a minor aspect.

OpenID Connect offers:
- the protection of passwords,
- secure exchanges between applications distributed in the cloud,
- and, with OAuthSD, the Single Login Identification, SLI
etc.

See

https://area51.phpbb.com/docs/dev/3.2.x/extensions/tutorial_authentication.html

 On GitHub
https://github.com/bdegoy/oauthsd-phpbb
Issues (Bug reports or feature request) :
https://github.com/bdegoy/oauthsd-phpbb/issues

Footnotes

[1In the current state of development, the extension only allows the connection to this OAuthSD server, so this is only possible in a development phase. DnC offers its customers to own their own OIDC server in order to benefit from all the security offered by a private authentication system.

[2The connection using an external system is handled only in the script ucp.php (User Control Panel) but not in acp.php (Admin Control Panel).

[3If, in doing so, you link the Oauth user to a phpBB user who had already been linked, you get a SQL error of the type "Duplicate entry ’2-oauthsd’ for key ’PRIMARY’ [1062]", where "2" is the phpBB user ID. It is a bug in phpBB that should previously erase the user_id = 2 entry in the phpbb_oauth_account table. If you manually delete this entry, you can complete the operation.