Oliverde8's blue Website

Akeneo 1.7 - OAuth

One of the wonders of Symfony is how easy it can be to add new features to existing systems. We are going to add OAuth support to Akeneo PIM, which is a Symfony-based PHP application.

In order to do this we are going to use the awesome HWIOAuthBundle.

Prerequisites

  • Have basic SF knowledge (and therefore Composer...)
  • Have a working Akeneo 1.7 accessible from akeneo.local.com 

Let's get going 

First of all, let's install the HWIOAuthBundle:

composer require hwi/oauth-bundle

We shall now enable it in the `AppKernel`

new HWI\Bundle\OAuthBundle\HWIOAuthBundle(),

We have just done the easiest part. Before we start configuring Symfony, let's get ourselves a Google OAuth `client_id` and `client_secret`.

Creating a Google OAuth account

At this point you may choose to create any other OAuth account; I happened to have OAuth credentials for Google. In order to make this guide as complete as possible, I chose to incorporate the full description.

Open the Google developer console: https://console.developers.google.com and log in with your Google account.

If you don't have any projects create a new project.

Now switch to the Identifiers section of your project and click on the "create identifiers" button and finally "OAuth Client Id".

Here we need to configure the allowed OAuth redirect URLs. Let's put

http://akeneo.local.com/admin/oauth/login/check-google
http://akeneo.local.com/app_dev.php/admin/oauth/login/check-google

I have added both prod & development URLs so that I can use both without having to think about it. I also used `oauth/login/check-google` as the path. Use this for now; once you have finished reading the guide you may change your routes to change the path.

Note your `client_id` and `client_secret`; we will need them later.

Configure Akeneo

Config.yml

Now we can start the interesting part. Let's modify the config.yml file and add the following configuration:

hwi_oauth:
    firewall_names: [main]
    resource_owners:
        google:
            type:                google
            client_id:           .....apps.googleusercontent.com
            client_secret:       ........
            scope:               "email profile"

We can add more than one resource owner, to have Facebook and GitHub authentication as well. Check the HWIOAuthBundle documentation.

routing.yml

Now let's also add new routes in the routing.yml file

hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix:   /oauth/connect

hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix:   /oauth/connect

hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix:   /oauth/login

I have prefixed all routes with `oauth/` just to make it clear when configuring the firewalls later. We need one last route: this is the route Google is going to redirect us to.

google_auth_login:
    path: /admin/oauth/login/check-google

User provider service. 

We will need a service to provide oauth users. Basically what this service does is use the OAuth response data to find and load a user from somewhere. In our case it's from the Akeneo database. 

HWIOAuthBundle comes with an EntityUserProvider that we may use to do this; for that we simply need to create a new service.

Let's create the service in the `services.yml` file of one of our bundles.

my_acme_bundle.hwi_oauth.user.provider.entity:
    parent: hwi_oauth.user.provider.entity
    arguments: 
        _1 : 'PimEnterprise\Bundle\UserBundle\Entity\User'
        _2 : 
            google: username

The third parameter `_2` basically tells the system that, when logging in with Google OAuth, it should try to match the Google ID with the Akeneo username.

security.yml

This is the trickier part. For this article I will not remove the native Akeneo login page. I will just add some new pages allowing login through Google OAuth.

Add a new oauth firewall so that the oauth urls can be accessible by anonymous users. 

oauth:
    pattern:                        ^/oauth/*
    provider:                       chain_provider
    anonymous:                      true

This basically allows the `hwi_oauth_redirect`, `hwi_oauth_connect`, `hwi_oauth_login` pages to be accessible by anyone that has not logged in.

Let's now add an oauth configuration to the Akeneo main firewall.

    oauth:
        resource_owners:
            google:             "/admin/oauth/login/check-google"
        login_path:        /oauth/login
        use_forward:       false
        failure_path:      /oauth/login
        oauth_user_provider:
            service: my_acme_bundle.hwi_oauth.user.provider.entity

Basically you are done.

Let's try to login

When you open akeneo.local.com you will be redirected to akeneo.local.com/oauth/login

This is a super ugly page that you will need to fix later by overriding the templates to match the Akeneo style.

If you try to log in here by clicking on Google, you will end up with the message `User ... not found`. Well, that's normal: what you see there is your Google uid/login, which of course doesn't match any existing user in Akeneo.

For the purpose of testing, let's now go to akeneo.local.com/user/login, log in using our Akeneo login and create a user with that particular username. Once that is done we should be able to log in using our Google account.

There are multiple choices here about how we wish to integrate OAuth in Akeneo. It all depends upon your needs.

Creating users automatically

One of the choices you may wish to make is to automatically create users. You will need to write your own EntityUserProvider in order to do that. In your EntityUserProvider, `loadUserByOAuthUserResponse` will need to handle the creation of the user.

This can be used for enterprise networks where you control the people who have access to Akeneo. If your Akeneo is public you should not create accounts in this fashion.
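One way to keep automatic creation limited to people you control, as an added example (not code from the original post, HWIOAuthBundle or Akeneo): a provider that wraps the stock one and only creates an account when the resource owner and the e-mail domain are both on allow-lists. The class name, the `$createUser` callable and the allow-list values are hypothetical.

```php
<?php
// Added example: not code from the original post, HWIOAuthBundle or Akeneo.
namespace Acme\Bundle\UserBundle\Security;

use HWI\Bundle\OAuthBundle\OAuth\Response\UserResponseInterface;
use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;

class ProvisioningUserProvider implements OAuthAwareUserProviderInterface
{
    private $inner;          // the stock entity provider service from services.yml
    private $createUser;     // hypothetical callable that builds and saves an Akeneo user
    private $allowedOwners;  // resource owners trusted to provision, e.g. ['google']
    private $allowedDomains; // e-mail domains you control, e.g. ['example.com']

    public function __construct(OAuthAwareUserProviderInterface $inner, callable $createUser,
                                array $allowedOwners, array $allowedDomains)
    {
        $this->inner = $inner;
        $this->createUser = $createUser;
        $this->allowedOwners = $allowedOwners;
        $this->allowedDomains = array_map('strtolower', $allowedDomains);
    }

    public function loadUserByOAuthUserResponse(UserResponseInterface $response)
    {
        try {
            return $this->inner->loadUserByOAuthUserResponse($response); // existing account
        } catch (UsernameNotFoundException $notFound) {
            $owner = $response->getResourceOwner()->getName();
            if (!$this->mayProvision($owner, $response->getEmail())) {
                throw $notFound; // unknown identity outside the allow-lists stays rejected
            }
            return call_user_func($this->createUser, $response);
        }
    }

    /** Exact, case-insensitive match on the part after the last "@". */
    public function mayProvision($owner, $email)
    {
        $at = strrpos((string) $email, '@');
        if (!in_array($owner, $this->allowedOwners, true) || $at === false || $at === 0) {
            return false;
        }
        return in_array(strtolower(substr($email, $at + 1)), $this->allowedDomains, true);
    }
}
```

Register the class as a service and point `oauth_user_provider: service:` in security.yml at it. The domain check is only as strong as the resource owner's guarantee that the e-mail address it returns has been verified.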

Allowing multiple OAuth providers

Another choice you could make is to allow your users to connect through both GitHub OAuth and Google OAuth.

In order to allow this you are going to need to extend the Akeneo user in order to store on the User entity:

  • Google UID
  • GitHub ID

Then again you will simply need to reconfigure the EntityUserProvider:

my_acme_bundle.hwi_oauth.user.provider.entity:
    parent: hwi_oauth.user.provider.entity
    arguments: 
        _1 : 'Acme\Bundle\UserBundle\Entity\User'
        _2 : 
            google: google_uid
            github: github_uid

You can of course combine this with automatic user creation by writing your own EntityUserProvider on top.

Conclusion 

With the HWIOAuthBundle you can put OAuth in place in Akeneo very quickly; you then only need to work out the login process you need.

It might be interesting in the future to have a bundle wrapping up the different use cases to simplify it even more. But as it is, it's already quite fast to have OAuth.