This extension enables users to login with an OpenID Connect (OIDC) provider. This method can be set to the only allowed method to login (SSO mode) or used as a complementary login method (like OAuth providers)
This is a Premium extension, not a free one. You can buy a license to use it in your Flarum through Extiverse
¶ Why premium
Mostly for three reasons:
- You can connect to any auth system, written in any language, as long as they are compliant with the OpenID Connect specs. My other SSO extension, which is free, allows you to connect to any auth system written in PHP.
- It requires only configuration in the admin panel and zero code. The SSO extension requires integration with your auth system through plugins in addition to extension configuration.
- If you want to use your auth system for other services/apps, OIDC is more reliable than my other SSO extension, since it adopts to an SSO standard other apps use.
¶ Screenshots
Button in login modal:
Buttons in user settings (non-SSO mode):
¶ Requirements
¶ Implemented OpenID Connect features
The extension relies on maicol07/oidc-client-php, a heavenly modified fork of JuliusPC/OpenID-Connect-PHP. You can see a list of OIDC drafts and documents that have been implemented. However, the following features aren’t already implemented in the extension at the time of writing (v1.0) and they can’t be set/used:
- OpenID Connect Dynamic Client Registration 1.0
- RFC 7009: OAuth 2.0 Token Revocation
- RFC 7662: OAuth 2.0 Token Introspection
- Draft: OAuth 2.0 Authorization Server Issuer Identifier in Authorization Response
¶ How does it work?
The extension uses the authorization code flow variant of OpenID Connect. I suggest checking these resources to learn more about OIDC flow here:
- OpenID Connect website
- Explanation on the different OIDC flows
- Illustrated flow example
- Video about OIDC flow
¶ Will it work on WordPress and other CMS?
Yes, as long as you’re using a plugin that provides OpenID Connect features. For WordPress, you can try this one (not tested): https://wordpress.org/plugins/miniorange-oauth-20-server/
¶ Do you want to disable standard signup and login?
Use this extension: Third Party Login Only
This way, you can only login/signup through OIDC.
Don’t enable the “Replace Sign In and Sign Up button with FoF Passport login (oAuth)” option in the Third Party Login Only since it doesn’t work with this extension. Instead, you can achieve the same result with the “SSO Mode” (see Configuration below)
¶ Installation
- Be sure to check Extiverse instructions in your subscriptions page on how to install a premium extension via composer.json
- Install by executing the command below and activate the extension in Flarum Administration area.
composer require maicol07/flarum-oidc-client:*
¶ ⚠️ PHP versions support/drop notice
PHP versions will be supported until its EOL.
If Flarum core changes PHP version before the official EOL, I’ll update too the version accordingly to what they have chosen.
¶ Upgrading
Upgrade by executing the command below, like with every other extension.
composer update maicol07/flarum-oidc-client:*
¶ Configuration
Here is the explanation of all the extension settings:
- OpenID Connect provider name: The name of your OpenID Connect provider. This will be shown on buttons in the login/signup modal and user settings.
¶ Client settings
- Client ID: The client ID your provider assigned you.
- Client secret: A secret key your provider assigned you when you have registered the client (Flarum).
¶ Provider settings
- Provider URL: The provider URL. This is only used to autodiscover the provider endpoints.
¶ Provider endpoints
You don’t have to fill these endpoints if your provider supports endpoints autodiscovery and you have filled the provider URL setting above
- Authorization endpoint: URL where the extension will get the authorization code, needed to get the access token from the token endpoint
- Token URL: URL where the extension will get the access token, needed to get the access token from the userinfo endpoint
- Userinfo URL: URL where the extension will get the user infos, needed to get the access token from the token endpoint
- End session (logout) URL: URL where the extension will send the logout action to end user session in the provider
¶ Other settings
- Issuer URL: URL of the response payload issuer. This often matches the provider URL.
- Deactivate the nonce verify: Allow to skip the nonce verification. Can be useful if provider doesn’t support it.
- Linker claim: Claim that helps matching Flarum users with provider users. If you don’t know what to digit, fill it with
sub. - Account management URL: URL where the user will be redirected whenthe Manage Account button is clicked. This button shows up in the user settings only if this setting has a valid URL.
- Open account management in a new tab: Open the link of the Manage Account button in a new tab
- SSO mode: Bypass Flarum login/signup modal and redirect the user directly to the provider auth page. This also make OIDC the only option to login to Flarum.
- Logout from provider (when SSO mode is enabled): Logout from OIDC provider when logging out from Flarum. This option will work only when SSO mode is enabled.
- Remove signup button: Removes the signup button from Flarum frontend
- Sync user avatar: Sync user avatars with the ones saved in the OIDC provider
¶ Troubleshoot
- Error on signup/login:
Error: Call to undefined function GuzzleHttp\Psr7\stream_for()
Solution: The extension should install the correct version of the dependency, so this error should be handled. To know more check https://discuss.flarum.org/d/28172-cant-upload-avatar/3
¶ Contact/Help
Since this is a premium extension, you also have premium support. So I’ll help you in every error you’re facing. You can contact me using the following services:
- Discuss post, check link below
- Live chat from my personal webpage
- Telegram
- Discord (
maicol07#6156)
¶ Links
¶ Changelog
Major changes are marked with 
¶ 2.0.2 (2022-12-13)
- fix: Fix settings not working
¶ 2.0.1 (2022-12-12)
- fix: 🐛 Fix avatars sync when picture isn’t provided
- perf: Optimized code
¶ 2.0 (2021-10-18)
- The internal OpenID Connect Client, which you can find here, has got a major refactor. Due to this big change, the minimum PHP version has been bumped to PHP 8.0
- This will improve the overall performance of the extensions, powered by new PHP 8 features!
¶ 1.0.2 (2021-09-27)
- fix: 🐛 Fixed exception when not inserting provider URL
The issue was caused by a check via autodiscovery about PKCE methods
¶ 1.0.1 (2021-07-21)
- Added more metadata to composer.json
- Updated README (also on Extiverse)
¶ 1.0 (2021-07-20)
- First version