Using customized OAuth provider (within non-Docker environment)

[kumasa05]

@LouisSung
Can we use this plugin for standalone instance?
And we have our own Oauth server for validation, Are we able to modify the config as per our need?

In our case the authentication will be taken part on 3rd party and once we got successful authentication we will receive access token, user ID, token expiration etc..

[sathish1981]

I too have the same question as @kumasa05 .
Could it be customized for internal authentication as standalone installation?

I mean we have a different service running for authentication and I can get the web service details for request and upon validation it will return a valid token with user info.

Need help on the integration mostly. Please let me know ur thoughts.

[LouisSung]

HI, I'd like to explain how this plugin works and you can check if it meats your usage or have a further discussion.

Can we use this plugin for standalone instance?

• What do you mean standalone instance? This plugin is designed for self-hosted YUORLS instance (e.g., using Docker in my tutorial)
  • And I think that's exactly what you want :D

---

• The timing diagram of the communication between user, YOURLS, and GitLab and auth flow are shown below

  • Note that you can use another OAuth server by changing the OAuth part as your own one

    • What I did was just copy and paste the provided example by omines/oauth2-gitlab

  • Timing Diagram
    
  • Auth Flow
    

• This is the video to show how the process works

  • Note that this plugin is NOT designed to bypass the built-in login process; instead, it bridges the OAuth process and YOURLS built-in auth process

  • Better resolution video (4.5MB...) is available @Here

    

[sathish1981]

@LouisSung
Thank you for the awesome explanation. Sorry I am not a pro in OAuth or PHP.

I mean to say standalone as non docker instance(Installed in EC2 Linux). Also in your instruction, I am not clear with where you want to place the https://github.com/thephpleague/oauth2-client module? Can you provide exact path?

Also as per your flow, instead of GitHub we have internal authentication system which supports OAuth authentication. So as you said, simply providing our internal server details to the config will connect to that server, Once the authentication was successful they will redirect to https://short.me/admin#?token="Random alpha numeric string"

Is the return string format is enough to set the login successful by using your plugin?

(Sorry if the question looks silly.. As I said I am not really proficient :)

[LouisSung]

Hi, it was my first time using PHP when writing this plugin, so I'm not familiar with it either LOL

---

I mean to say standalone as non docker instance(Installed in EC2 Linux)

• Yeah, I think so.
  • Because to use plugins in YOURLS is to simply put the plugin.php file into a folder (no matter how to deploy your YOURLS instance)
    • E.g., /var/www/html/user/plugins/A_PLUGIN_FOLDER/plugin.php if using Docker

---

Also in your instruction, I am not clear with where you want to place the https://github.com/thephpleague/oauth2-client module?

• It was not handle by me but by Composer, the dependency manager for PHP (like apt, apk, pip, npm, etc.)
• I did it by running $ composer require omines/oauth2-gitlab:^3.1.2 as the prerequisite
  • You can change omines/oauth2-gitlab to the OAuth provider you want according to the thirdparty Providers docs.
  • However, GitHub seems to use this one @thephpleague/oauth2-github

    • I.e., 1. use $ composer require league/oauth2-github:^2.0.0 instead and 2. REPLACE my OAuth flow with GitHub one's

      • Be careful for my domain verifying (it's needed by us, but you can simply delete it if you don't need one :D )

---

Once the authentication was successful they will redirect to https://short.me/admin#?token="Random alpha numeric string"
Is the return string format is enough to set the login successful by using your plugin?

• That STRING is called Code and State (metadata during OAuth process) but not user info
  • However, the library (i.e., omines/oauth2-gitlab or league/oauth2-github) have already done the whole OAuth process for us!!
  • You can simply use $user->getUsername() and $user->getID() to get username and user ID

[LouisSung]

Are you using GitHub as the OAuth provider?
Maybe I can just try to write one for you LOL

[sathish1981]

Seriously your comments looks motivating :) Long live Bro 👍

My Requirement:

1. When people access https://short.me/admin for login, it will redirect to internal authentication service (It is not git hub or any external service.. its a custom one created as internal project)
2. Once they got validated from that portal.. it will again redirect from there to our portal with access token like it will carry a custom token.
3. We need to extract that token and check with one more web service to get the username and expiry details.
4. Once the username got extracted need to set the username in the admin interface and let the application flow with that details.
5. We are using authentication manager plus plugin as well, so we need to check the groups to provide proper permission.

This is my current need. So to implement this I am looking for your plugin.
Is it make sense? Am I explaining good?

[LouisSung]

Hi, I've pushed a new version for GitHub OAuth. And it still works for YOURLS:1.7.6

Although you're not using GitHub as OAuth provider, it still helps on knowing how to change my code to use different providers.

1. Change prerequisite
2. Change provider
3. Add header (just copy & paste the provided example and remove the exit())
4. Use getNickname() (GitHub) instead of getUsername() (GitLab)
5. I remove email validation @Here and @Here because user can set email as invisible on GitHub

Note that

1. changing $PRIME_16DIGITS and $INITIALIZATION_VECTOR as your own ones is recommended but not necessary
2. Put the clientId and clientSecret in the separated file
3. You can change SCOPE as needed (refer README by thephpleague/oauth2-github)

---

FYI

1. Register a new application
   
2. Put ID and Secret into config
   

[LouisSung]

3. We need to extract that token and check with one more web service to get the username and expiry details.

• Yes, and I think the getId() can help you on getting the user ID.
  • However, seems like you have to implement your own getName() or use the toArray() with some preprocessing if you'd like to use thephpleague/oauth2-client
• You can choose another fields you'd like
  • However, the ID, Username, or Email are recommended to be used as the account or to generate password since they are rarely change (i.e., username and email) or unchangeable (i.e., ID)

---

4. Once the username got extracted need to set the username in the admin interface and let the application flow with that details.

• Not sure about what your admin interface means
  • There's nothing to configure via YOURLS UI (except Activate and Deactivate)
  • Note that you have to add the user and its password to config.php manually as mentioned in YOURLS wiki
    • I think you have already knew it since that is the built-in auth process :D
• I highly recommend to try the GitHub OAuth process and make sure the the configs are set well, plugins work fine, and the built-in auth process is correct, then start changing it as your own OAuth server.

---

5. We are using authentication manager plus plugin as well, so we need to check the groups to provide proper permission.

• We are using joshp23/YOURLS-AuthMgrPlus too (one of my recommended plugins), and it works fine together with my plugin :D

Hope this helps

[LouisSung]

Ohh...
In case you don't know (and it's not documented either :p)

• If the user was NOT registered correctly, exception (say using GitLab as provider) well raise as shown below 🙁
  • I think you can implement some pre-checks to avoid so
  • We didn't do so because this plugin was written for internal use and just did't care about it :p
    

[sathish1981]

4. Once the username got extracted need to set the username in the admin interface and let the application flow with that details.

• Not sure about what your admin interface means

Its just our normal Yourls Admin interface.

• There's nothing to configure via YOURLS UI (except Activate and Deactivate)
• Note that you have to add the user and its password to config.php manually as mentioned in YOURLS wiki

This step is hard for me, because we are authenticating against enterprise AD directory. We cannot store any password in the configs. This is a big challenge to me and blocker :(

[LouisSung]

This step is hard for me, because we are authenticating against enterprise AD directory. We cannot store any password in the configs.

Wow

So how do you handle log in process as of now?
Or you haven’t started using YOURLS yet?

But you said the AuthMrgPlus is used.. doesn’t it require editing in config file?

I'm using the built-in auth process and for security and maintainability awareness. To introduce a new mechanism for auth is not recommended.

What my plugin do is simply get Username and ID using OAuth and generate garbled password for user.
These passwords should be registered (by modifying config file) manually

Does your policy not allow storing any password in the config file (even the auto-generated one not the real user password)?

[sathish1981]

Also we are going to this OAuth authentication to address several security issues identified in the default authentication. These are the security issues identified by me YOURLS/YOURLS#2634

But in this scenario, I have 2 risk

1. I cannot store password of a user (Against company policy)
2. Still the cookie created by default method is gonna have same value on each login.

To overcome this, either we can set the incoming token as Cookie key to set a md5 hash string. This way, each time when the user try to login, a random token will be created and we can have unique cookie values for same user.

This is just a thought.. not sure on implementation :)

[sathish1981]

This step is hard for me, because we are authenticating against enterprise AD directory. We cannot store any password in the configs.

Wow

So how do you handle log in process as of now?
Or you haven’t started using YOURLS yet?

Yes we didn't gone live yet. We got blocked in security testing as I mentioned in the other link. To overcome that, I choose this Oauth way to connect enterprise AD for more security.

But you said the AuthMrgPlus is used.. doesn’t it require editing in config file?

Yes it is, but it just require the username not the password.

I'm using the built-in auth process and for security and maintainability awareness. To introduce a new mechanism for auth is not recommended.

What my plugin do is simply get Username and ID using OAuth and generate garbled password for user.
These passwords should be registered (by modifying config file) manually

Does your policy not allow storing any password in the config file (even the auto-generated one not the real user password)?
Nope, No company will allow that. Then there is no point in having each user a separate ID and password.

[sathish1981]

Did you get a new #token or #code when you authenticated through Githup?
If you get a random string, then can you assign that string to Cookie Key, which is a constant that we will provide some random value in config.php?

If you can do the above, there is no need to store any password in config. Because authentication works based on the cookie value.

[LouisSung]

Also we are going to this OAuth authentication to address several security issues identified in the default authentication. These are the security issues identified by me YOURLS/YOURLS#2634

:o
Seems like ozh has mentioned some solutions in that issue#2634

I haven't traced the code for how YOURLS handle user validation, sessions, and cookies.
But I think YOURLS provides the mechanism (in includes/functions-auth.php) to bypass or short-circuit the original auth process using plugin.

Hmm, that's might not be this plugin designed for since I'm not familiar with these security issues and just use the traditional config.php way.
I think YOURLS may help on enhancing those part or you can introduce a new one by writing plugin to handle it

Sorry for not being able to help _(;3

[sathish1981]

@LouisSung

Yup as Ozh said, i need to have some development knowledge to accomplish that. But I am new to PHP and I am not really a developer kind. :)
You are really friendly and tried to solve my situation. Thanks a lot. 👍

[LouisSung]

You're welcome~

I learn PHP for writing this plugin. Actually, YOURLS provides lots of events hooks for plugin to handle their requirements.

The reason why I didn't touch the db part is not only I'm not familiar with those security issues, but also because during the YOULRS' evolution, some plugins get errors without keep maintaining (especially those touch the db...).
I've tried some plugins but they just mess up the whole database. That's why I decided to keep using original auth process easily.

However, in my point of view (as I mentioned before), by using the shunt_is_valid_user filter, you can implement your own auth process easily
I mean, seems like YOURLS check if user is valid by that yourls_is_valid_user() function, you can use your random cookies value mechanism to decide either true or false to return

---

• Not sure if following comment is correct...
  • Actually, if I were you, I may simply check if the username is exist in the config.php file.
  • Because if you can get username using the OAuth library, meaning that users have already passed the OAuth process and proved they were users themselves.
  • In another word, all the Auth processed are totally depend on your Auth server and you don't have to worry about YOURLS.