Akeneo 1.7 - OAuth
One of the wonders of Symfony is how easy it can be to add new features to existing systems. We are going to add OAuth support to Akeneo PIM, which is a Symfony-based PHP application.
In order to do this we are going to use the awesome HWIOAuthBundle.
Prerequisites
- Have basic Symfony knowledge (and therefore Composer...)
- Have a working Akeneo 1.7 accessible from akeneo.local.com
Let's get going
First of all, let us install the HWIOAuthBundle:

```bash
composer require hwi/oauth-bundle
```
We shall now enable it in the `AppKernel`
```php
new HWI\Bundle\OAuthBundle\HWIOAuthBundle(),
```

We have just done the easiest part. Before we start configuring Symfony, let's get ourselves a Google OAuth `client_id` and `client_secret`.
Creating a google OAuth account
At this point you may choose to create any other OAuth account; I happened to have OAuth credentials for Google. To make this guide as complete as possible, I chose to incorporate the full description.
Open the Google developer console at https://console.developers.google.com and log in with your Google account.
If you don't have any projects create a new project.
Now switch to the Identifiers section of your project, click on the "create identifiers" button and finally on "OAuth Client Id".
Here we need to configure the allowed OAuth redirect URLs. Let's put:

- http://akeneo.local.com/admin/oauth/login/check-google
- http://akeneo.local.com/app_dev.php/admin/oauth/login/check-google

I have added both prod and development URLs so that I can use both without having to think about it. I also used `oauth/login/check-google` as the path. Use this for now; once you have finished reading the guide you may change your routes to change the path.
Note your `client_id` and `client_secret`; we will need them later.
Configure Akeneo
Config.yml
Now we can start the interesting part. Let's modify the config.yml file and add the following configuration:

```yaml
hwi_oauth:
    firewall_names: [main]
    resource_owners:
        google:
            type: google
            client_id: .....apps.googleusercontent.com
            client_secret: ........
            scope: "email profile"
```

We can add more than one resource owner, to have Facebook and GitHub authentication as well. Check the HWIOAuthBundle documentation.
routing.yml
Now let's also add new routes in the routing.yml file:

```yaml
hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix: /oauth/connect

hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix: /oauth/connect

hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix: /oauth/login
```
I have prefixed all routes with `oauth/` just to make it clear when configuring the firewalls later. We need a last route, this is the route google is going to redirect us to.
```yaml
google_auth_login:
    path: /admin/oauth/login/check-google
```

User provider service
We will need a service to provide oauth users. Basically what this service does is use the OAuth response data to find and load a user from somewhere. In our case it's from the Akeneo database.
HWIOAuthBundle comes with an EntityUserProvider that we may use to do this; for that we simply need to create a new service.
Let's create the service in the `services.yml` file of one of our bundles.

```yaml
my_acme_bundle.hwi_oauth.user.provider.entity:
    parent: hwi_oauth.user.provider.entity
    arguments:
        _1: 'PimEnterprise\Bundle\UserBundle\Entity\User'
        _2:
            google: username
```

The third parameter `_2` basically tells the system that when a user logs in with Google OAuth it should try to match the Google id with the Akeneo username.
security.yml
This is the trickier part. For this article I will not remove the native Akeneo login page. I will just add some new pages allowing login through Google OAuth.
Add a new oauth firewall so that the OAuth URLs are accessible to anonymous users.

```yaml
oauth:
    pattern: ^/oauth/*
    provider: chain_provider
    anonymous: true
```
This basically allows the `hwi_oauth_redirect`, `hwi_oauth_connect`, `hwi_oauth_login` pages to be accessible by anyone that has not logged in.
Let's now add an oauth configuration to the Akeneo main firewall.

```yaml
oauth:
    resource_owners:
        google: "/admin/oauth/login/check-google"
    login_path: /oauth/login
    use_forward: false
    failure_path: /oauth/login
    oauth_user_provider:
        service: my_acme_bundle.hwi_oauth.user.provider.entity
```

Basically, you are done.
Let's try to login
When you open akeneo.local.com you will be redirected to akeneo.local.com/oauth/login.
This is a super ugly page that you will need to change later by overriding the templates to match the Akeneo style.
If you try to log in here by clicking on the Google link you will end up with the message `User ... not found`. That's normal: what you see there is your Google uid/login, which of course doesn't match any existing user in Akeneo.
For the purpose of testing, let's now go to akeneo.local.com/user/login, log in using our Akeneo credentials and create a user with that particular username. Once that is done we should be able to log in using our Google account.
There are multiple choices here about how we wish to integrate OAuth in Akeneo. It all depends upon your needs.
Creating users automatically
One of the choices you may wish to make is to create users automatically. You will need to write your own EntityUserProvider in order to do that. In your EntityUserProvider, `loadUserByOAuthUserResponse` will need to handle the creation of the user.
This can be used for enterprise networks where you control the people that have access to Akeneo. If your Akeneo is public you should not create accounts in this fashion.
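As an added example (not code from the original article or from HWIOAuthBundle), here is one way to restrict automatic creation to identities you control: a provider that wraps the EntityUserProvider service and only provisions accounts whose e-mail domain is on an allow-list. The class name, the namespace, the `$createUser` callable (which must build and persist a valid Akeneo user) and the allowed domains are all hypothetical; the class would be registered as the `oauth_user_provider` service of the main firewall.

```php
<?php
// Added example: names, namespace and the $createUser callable are assumptions.
namespace Acme\Bundle\UserBundle\Security;

use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;

class AutoCreateUserProvider implements OAuthAwareUserProviderInterface
{
    private $inner;          // the EntityUserProvider service configured earlier
    private $createUser;     // hypothetical callable: builds and persists an Akeneo user
    private $allowedDomains; // e.g. array('example.com') (constructed sample value)

    public function __construct(OAuthAwareUserProviderInterface $inner, callable $createUser, array $allowedDomains)
    {
        $this->inner = $inner;
        $this->createUser = $createUser;
        $this->allowedDomains = array_map('strtolower', $allowedDomains);
    }

    public function loadUserByOAuthUserResponse(UserResponseInterface $response)
    {
        try {
            // Existing users keep going through the stock lookup.
            return $this->inner->loadUserByOAuthUserResponse($response);
        } catch (UsernameNotFoundException $e) {
            if (!$this->mayProvision($response)) {
                throw $e; // unknown identity outside the allow-list: keep refusing
            }
        }
        // The callable must store getUsername() in the field the provider matches on.
        return call_user_func($this->createUser, $response->getUsername(), $response->getEmail());
    }

    private function mayProvision(UserResponseInterface $response)
    {
        $email = (string) $response->getEmail();
        $at = strrpos($email, '@');
        if (false === $at) {
            return false; // no e-mail released (scope missing): never provision
        }
        $domain = strtolower(substr($email, $at + 1));

        return in_array($domain, $this->allowedDomains, true);
    }
}
```

Google's userinfo response also carries a verified-e-mail flag; check it as well before trusting the domain of an address.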
Allowing multiple OAuth providers
Another choice that you could make is to allow your users to connect through both GitHub OAuth and Google OAuth.
In order to allow this you are going to need to extend the Akeneo user in order to store on the User entity:
- Google UID
- GitHub ID

Then again you will simply need to reconfigure the EntityUserProvider:

```yaml
my_acme_bundle.hwi_oauth.user.provider.entity:
    parent: hwi_oauth.user.provider.entity
    arguments:
        _1: 'Acme\Bundle\UserBundle\Entity\User'
        _2:
            google: google_uid
            github: github_uid
```

You can of course combine this with automatic user creation by writing your own EntityUserProvider on top.
Conclusion
With the HWIOAuthBundle you can put OAuth in place in Akeneo very quickly; you then only need to work out the login process you need.
It might be interesting in the future to have a bundle wrapping up the different use cases to simplify it even more. But as it is, it's already quite fast to set up OAuth.