This is an authentication plugin for LimeSurvey enabling Single Sign-On with any identity provider using the OAuth2 protocol.
It uses the league/oauth2-client library and can be configured for any identity provider that supports OAuth2 with the authorization code grant flow and supports automatic creation of new users.
For the current version, git clone this repository into <limesurvey_root>/plugins/AuthOAuth2/ and run composer install in it to download all dependencies.
    cd ./plugins/
    git clone https://github.com/SondagesPro/limesurvey-oauth2.git AuthOAuth2
    cd AuthOAuth2
    composer install
Before activating the plugin, open its configuration from the plugin manager or create your own configuration in the application/config/config.php file.
With your identity provider, create a new app for LimeSurvey and paste the Redirect URI shown in the LimeSurvey configuration there. Enter the Client ID, Client Secret, Authorize URL, Scopes and Access Token URL in the plugin configuration according to the documentation of your identity provider.
The User Details URL should point to an API endpoint that provides a JSON object with details on the current user using the retrieved access token. The details should include a unique username, the e-mail address and a display name. Further below you can specify the keys of the JSON object containing these details.
With the Identifier Attribute you can configure whether users should be matched with existing users in the LimeSurvey database using the username or the e-mail. If Create new users is enabled, new LimeSurvey users will automatically be created if they cannot be found in the database. You can configure permissions and (starting with LimeSurvey 4.x) user roles that will be automatically assigned to all created users.
If Use as default login is enabled, users will be redirected to the configured OAuth2 identity provider instead of being shown the LimeSurvey login form, and will be logged in automatically on success. Otherwise the user has to select OAuth2 as the authentication method manually.
Below the Use as default login checkbox, a URL is shown with which the default login form can always be accessed to log in using the internal database, even when automatic redirection is enabled.
You can find a configuration example for Azure Active Directory here.
You can find a configuration example for Keycloak here.
You can set a default configuration with an array in the config part of the LimeSurvey config file.
The settings go under the AuthOAuth2Settings key as an array of settings by name. For the fixed part of the configuration, put the settings by name in the fixed array. If you want to hide some elements from the GUI, list them in the hidden array.
For example:
    // Update default LimeSurvey config here
    'AuthOAuth2Settings' => [
        'fixed' => [
            'client_id' => 'MyOAuth2-clientID',
            'client_secret' => 'MyOAuth2-secret',
            'authorize_url' => 'https://accounts.example.com/auth',
            'access_token_url' => 'https://oauth2.example.com/token',
            'resource_owner_details_url' => 'https://accounts.example.com/userdetails',
            'is_default' => true,
        ],
        'hidden' => ['client_id','client_secret'],
        'scopes' => 'profile,email',
        'scope_separator' => ',',
        'identifier_attribute' => 'username',
        'username_key' => 'dn',
        'email_key' => 'email',
        'display_name_key' => 'givenName',
    ],
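The key mapping configured above decides which LimeSurvey account a login is matched to, so it is worth checking a User Details response against it before enabling the plugin. The following is an added example, not the plugin's own code and not a description of how the plugin behaves. The function name `mapUserDetails`, the sample responses and the `'email'` value for `identifier_attribute` are assumptions.

```php
<?php
// Added example, not part of the AuthOAuth2 plugin: checks a User Details
// response against the key names configured in AuthOAuth2Settings.

/** Return the mapped user fields, or throw if the response cannot identify a user. */
function mapUserDetails(string $json, array $settings): array
{
    $details = json_decode($json, true);
    if (!is_array($details)) {
        throw new UnexpectedValueException('User Details response did not decode to a JSON object');
    }
    $mapped = [];
    foreach (['username', 'email', 'display_name'] as $field) {
        $value = $details[$settings[$field . '_key']] ?? null;
        // Only non-empty strings are accepted; arrays, numbers and null count as missing.
        $mapped[$field] = (is_string($value) && trim($value) !== '') ? trim($value) : null;
    }
    if ($mapped['email'] !== null && filter_var($mapped['email'], FILTER_VALIDATE_EMAIL) === false) {
        $mapped['email'] = null;
    }
    // The identifier selects the existing account, so a missing identifier
    // must stop the login instead of matching on an empty value.
    $identifier = $settings['identifier_attribute']; // 'username' is from the page; 'email' is assumed
    if (!in_array($identifier, ['username', 'email'], true) || $mapped[$identifier] === null) {
        throw new UnexpectedValueException("Identifier '$identifier' missing from User Details response");
    }
    return $mapped;
}

// Key names taken from the configuration example above.
$settings = [
    'identifier_attribute' => 'username',
    'username_key' => 'dn',
    'email_key' => 'email',
    'display_name_key' => 'givenName',
];

// Constructed sample responses (not captured from a real identity provider).
$samples = [
    'complete' => '{"dn":"jdoe","email":"jdoe@example.com","givenName":"Jane"}',
    'no identifier' => '{"email":"jdoe@example.com","givenName":"Jane"}',
    'wrong type' => '{"dn":["jdoe"],"email":"jdoe@example.com"}',
];
foreach ($samples as $label => $json) {
    try {
        echo $label, ': ', json_encode(mapUserDetails($json, $settings)), PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Run it with `php` on the command line and replace the constructed samples with the JSON your identity provider's User Details URL returns for a test account.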
This plugin was tested with
- A recent version v6.4.3 (PHP 8.1)
- the latest stable release v5.2.5
- the latest LTS release v3.27.28
and should work with all versions 3.x or newer. Configuring user roles for new users is only supported starting with LimeSurvey 4.x.
The minimum required PHP version is 8.1.