OAuth Sign In Support | Plugin for YOURLS
You may want to refer to my tutorial on running YOURLS with Docker.
- Meet the prerequisites
- Get the generated garbled password in the browser
- Register the user in the array `$yourls_user_passwords` in the config file `user/config.php`
This plugin was written because my lab uses GitLab as an SSO provider.
However, there was no plugin for (generic) OAuth sign-in (except one for Google Auth only), which made me start writing one myself.
Of course, such a plugin should support not only GitLab but various SSO providers. That's why I chose thephpleague/oauth2-client as the vendor of this plugin, which is continually updated and easy to use (important).
Actually, this plugin uses `omines/oauth2-gitlab` as the vendor, which is based on the former one.
- YOURLS 1.7.4 (or 1.7.x?)
  - Using official docker images: `yourls:1.7.4-fpm-alpine`, `mysql:8.0.18`, and `nginx:1.17.5-alpine`
- omines/oauth2-gitlab 3.1.2 (or 3.x?)
  - Using composer (in Alpine) to require it
  - It's based on league/oauth2-client:^2.2
- GitLab 11+ (or 8.17+?)
Before you start cloning or using this plugin, make sure omines/oauth2-gitlab is installed using the following command:

```sh
$ composer require omines/oauth2-gitlab:^3.1.2 # run in container
```

In case you're using the official docker image `1.7.4-fpm-alpine`, you'll want to run `$ apk add composer` in the container first.
- Clone the files (at least `plugin.php` and `config_provider.php`) to `YOURLS_ROOT/user/plugins/yourls-oauth_sign_in`

```sh
$ # apk add git # install as needed
$ cd /var/www/html/user/plugins/ # path in docker
$ git clone https://github.com/LouisSung/yourls-oauth_sign_in
```
- You should be able to sign in using the existing user & password (in `user/config.php`)...
- Visit `https://YOURLS_SITE/admin/plugins.php` to activate the plugin named `Sign in with OAuth`
- Sign out and get your new username & password in the browser developer tools (DevTools, Web Inspector, etc.)
- Register the account(s) by editing the array `$yourls_user_passwords` in `/user/config.php`
- ฅ• ω •ฅ, you should be able to sign in with GitLab by clicking the button on `https://YOURLS_SITE/admin/index.php`
- Make sure you're using HTTPS to prevent potential eavesdroppers!
- The principle of this plugin is NOT to bypass the original login mechanism, but to obtain an auto-generated password instead!
- First, the OAuth part is done by thephpleague and omines (thanks again), so this plugin doesn't claim it
- Once the response is received, we're able to get the user info, including `id`, `username`, `email`, etc. (the others may not have a corresponding wrapper in their implementations)
- The user should define their own account mapping and garbled password generating function using `id`, `username`, and `email` (which are rarely changed)
- Once the account is obtained (by mapping one of the user info fields) and the password is calculated (by the predefined function), we're ready to sign in
- Now, it's time for JavaScript to take its place
  - The password generation is done by PHP on the server side (which should be safe)
  - The generated password is passed to the browser via the HTTP response (which should also be safe if using HTTPS...)
  - jQuery is used to help fill in the account & password form and submit the form automatically for you (where the user can modify front-end code and do dangerous things :p)
  - Once the account & password are submitted, it uses the original authentication method, which isn't claimed by us either
- You can treat this plugin as a wrapper that bridges the OAuth response and the original Auth process!
- To make things happen, you should check the garbled password and register it before the user can really sign in!
- Once the registration procedure is done, the user can easily sign in by clicking the button and SSO :D
- When you start running this plugin, your `https://YOURLS_SITE/admin/index.php` should look like the screenshot above
- Toggle `$WARNING_PRINT_PASSWORD_IN_BROWSER` to `true` in `plugin.php` at line #L30
- !! REMEMBER to toggle the value back to `false`, or just remove the whole `if` statement (delete lines #L65-L78 & #L94)
- Refer to #L56-L63: I use `username` as the account and `64 digits garbled` as the password

```php
$account = $user->getUsername();
// the two major seeds: a 16-digit prime and the 16-byte AES-CTR IV
[$PRIME_16DIGITS, $INITIALIZATION_VECTOR] = ['2355457523880889', '7897466719774591'];
// mix the reversed account, the account, and the last 16 chars of the formatted id*prime, repeated 4 times
$tmp_pass = str_repeat(substr(strrev($account), -8).substr($account, -8).
    substr(number_format($user->getID()*floatval($PRIME_16DIGITS), 1, '%', '&'), -16), 4);
// encrypt with the account as key and keep 64 chars of the base64 ciphertext
$password = substr(openssl_encrypt($tmp_pass, 'AES-256-CTR', $account, 0, $INITIALIZATION_VECTOR), 7, 64);
```

- For example, when `username == 'yourls'` and `id == 17`, you get:

```php
$account  = 'yourls'
$tmp_pass = 'slruoyyourls77&905&975&112%0slruoyyourls77&905&975&112%0slruoyyourls77&905&975&112%0slruoyyourls77&905&975&112%0'
$password = 'JS/3dllhgxuZMYDdDwPdUyuhP6s5N6XzqTNjwAZH+qa78IuIMOaWb1bAZNp9l0zf'
```
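The same mapping can be recomputed offline, so the `$yourls_user_passwords` entry can be prepared from a user's GitLab username and numeric id without leaving `$WARNING_PRINT_PASSWORD_IN_BROWSER` enabled on the live site. This is an added example, not code from the plugin; it assumes the seeds and mapping shown above, and the file name `generate_password.php` is hypothetical.

```php
<?php
// Added example (not part of the plugin): recompute the garbled password for a
// GitLab user offline and print the line to register in user/config.php.
// Assumes the same seeds and mapping as the README snippet above.

const PRIME_16DIGITS        = '2355457523880889';
const INITIALIZATION_VECTOR = '7897466719774591';  // 16 bytes, the AES-CTR IV size

/**
 * Mirror of the plugin's account -> password mapping:
 *   account  = GitLab username
 *   password = 64 chars of base64(AES-256-CTR(tmp_pass, key = account, iv))
 */
function oauth_garbled_password(string $account, int $id): string
{
    // number_format() with '%' as decimal point and '&' as thousands separator,
    // exactly as in the plugin; only the last 16 characters are kept
    $mixed = substr(number_format($id * floatval(PRIME_16DIGITS), 1, '%', '&'), -16);
    $tmp_pass = str_repeat(substr(strrev($account), -8) . substr($account, -8) . $mixed, 4);

    $cipher = openssl_encrypt($tmp_pass, 'AES-256-CTR', $account, 0, INITIALIZATION_VECTOR);
    if ($cipher === false) {
        throw new RuntimeException('openssl_encrypt failed: ' . openssl_error_string());
    }
    return substr($cipher, 7, 64);
}

/** Render the entry to add to the $yourls_user_passwords array in user/config.php. */
function config_line(string $account, int $id): string
{
    return sprintf("    '%s' => '%s',", addslashes($account), oauth_garbled_password($account, $id));
}

// Usage: php generate_password.php <gitlab_username> <gitlab_numeric_id>
if (PHP_SAPI === 'cli' && isset($argv) && basename(__FILE__) === basename($argv[0])) {
    if ($argc !== 3 || !ctype_digit($argv[2])) {
        fwrite(STDERR, "usage: php {$argv[0]} <username> <numeric id>\n");
        exit(1);
    }
    echo "Add to \$yourls_user_passwords in user/config.php:\n";
    echo config_line($argv[1], (int) $argv[2]), "\n";
}
```

Run it with the same PHP version as the YOURLS container, since the mapping goes through floating-point multiplication and `number_format()`, and compare the result once against what the plugin itself produces before relying on it.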
- Random seeds:
  - Two of them are the major ones: `$PRIME_16DIGITS` and `$INITIALIZATION_VECTOR` (#L60)
  - Others like the `part of account`, `16 digits int`, `%`, `$`, `substr`, etc. are seeds that can be changed
This project is licensed under the following 3 licenses: YOURLS, MIT, and EPL
- YOURLS: aka `Do whatever the hell you want with it`
- MIT: aka `MadeInTaiwan Licence` :3
- EPL: aka `EPL Public License`, where EPL stands for EmbeddedPlatformLab (like GNU or YAML, quite cool, huh?)

Feel free to modify it to your own version as needed.
Contact me if you have any comments :D