This extension equips Flarum with Single Sign On (SSO). It acts as a bridge between Flarum and your SSO/Auth system. The extension is useful if you run Flarum on a subdomain but want to use the login mechanism of your main website.
Workflow based on this post.
The user wants to log in to your Auth system. Once the login attempt is successful, one of the extension plugins sends a POST request to the Flarum API to retrieve the user's access token (verifying the user's credentials). If the user isn't signed up on Flarum yet, the account is created in the Flarum database through an API request.
Then, the access token is saved in a cookie to be used when the user visits Flarum (this cookie keeps the login active).
This section covers the difference between plugins and addons.
This is the standard Flarum extension, installable on Flarum by following the Installation instructions. It is required, since it activates the user when he is added to the database, manages his logout, changes the destination of the Login and Signup links, …
A plugin is a library/package that you install on your Auth system to communicate with Flarum. It allows you to log in, sign up, update or log out the user (these are only examples; there may be other features besides these). Some plugins, like the WordPress plugin, are already developed for you and only need the proper settings.
Examples of plugins are the PHP and WordPress ones.
Addons are additional features that can be added to the plugin(s). The installation method depends on the plugin you are using. For example, with the PHP plugin you add an addon by calling an object method, while on WordPress you install it through the plugins screen.
Examples of addons are the Groups and the JWT ones.
Install by executing the command below, then activate the extension in the Flarum Administration area.
composer require maicol07/flarum-ext-sso
Upgrade by executing the command below, like with every other extension.
composer update maicol07/flarum-ext-sso
Here is the explanation of all the extension settings:
- Signup URL: URL where the user will be redirected when the Signup button is clicked
- Login URL: URL where the user will be redirected when the Login button is clicked
- Logout URL: URL where the user will be redirected when the Logout button is clicked
- Manage account URL (available in 1.8+): URL where the user will be redirected when the Manage Account button is clicked. This button shows up in the user settings only if this setting has a valid URL.
- Open account management in a new tab (available in 1.8+): Open the link of the Manage Account button in a new tab
- Remove login button: Removes the login button from Flarum frontend
- Remove signup button: Removes the signup button from Flarum frontend
Default values for WordPress are:
- Signup URL: https://example.com/wp-login.php?action=register
- Login URL: https://example.com/wp-login.php?redirect_to=forum (the redirect_to=forum part is important, as it will redirect your users back to the forum)
- Logout URL: https://example.com/wp-login.php?action=logout
- Issuer domain: The iss claim of your JWT. This is the domain that issues the JWT. Typically, this corresponds with the root domain.
- Signing algorithm: Algorithm used in the JWT addon to sign the token.
- Signer key: The base64 encoded signer key of your JWT. You can generate one with this tool: Cryptokey
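How the Issuer domain, Signing algorithm and Signer key settings come together when a token is checked, as an added example that is not the extension's or the JWT addon's own code. It assumes HS256 and a plain-text key; the helper names sign_token and verify_token are hypothetical and all values are constructed.

```php
<?php
// Constructed values standing in for the three JWT addon settings.
const ISSUER = 'example.com';              // Issuer domain
const ALGORITHM = 'HS256';                 // Signing algorithm (assumed choice)
const SIGNER_KEY = 'constructed-demo-key'; // Signer key (sample, plain text)

function b64url_encode(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}
function b64url_decode(string $text): string {
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    return $raw === false ? '' : $raw;
}

// Hypothetical helper: issue a token the way the Auth-system side would.
function sign_token(array $claims, string $key): string {
    $head = b64url_encode(json_encode(['typ' => 'JWT', 'alg' => ALGORITHM]));
    $body = b64url_encode(json_encode($claims));
    return "$head.$body." . b64url_encode(hash_hmac('sha256', "$head.$body", $key, true));
}

// Hypothetical helper: the checks made before the claims are trusted.
function verify_token(string $jwt, string $key): array {
    [$head, $body, $sig] = array_pad(explode('.', $jwt, 3), 3, '');
    $header = json_decode(b64url_decode($head), true);
    // Pin the algorithm to the configured one instead of trusting the header.
    if (!is_array($header) || ($header['alg'] ?? null) !== ALGORITHM) {
        throw new InvalidArgumentException('unexpected signing algorithm');
    }
    // Recompute the HMAC and compare it with the received one in constant time.
    $mac = hash_hmac('sha256', "$head.$body", $key, true);
    if (!hash_equals($mac, b64url_decode($sig))) {
        throw new InvalidArgumentException('bad signature');
    }
    $claims = json_decode(b64url_decode($body), true);
    if (!is_array($claims) || ($claims['iss'] ?? null) !== ISSUER) {
        throw new InvalidArgumentException('issuer mismatch');
    }
    return $claims;
}

// One token from the configured issuer, one from a different (constructed) issuer.
foreach ([ISSUER, 'other.example'] as $iss) {
    $jwt = sign_token(['iss' => $iss, 'sub' => 'alice'], SIGNER_KEY);
    try {
        echo "$iss: accepted for " . verify_token($jwt, SIGNER_KEY)['sub'] . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$iss: rejected (" . $e->getMessage() . ")\n";
    }
}
```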
Major changes are marked with 
Released on April 08, 2021
- 6c802df: Allow updating user avatar via avatarUrl attribute
- bc56ed3: New Login middleware
- 3e033f8: Initial compatibility with beta16
- 830def6: Exception when updating user and avatarUrl is null
- 978e1de: Fixed issue with the Laravel Cookie helper
- 3cf884f: Improved subscribers and listeners handling
- 27b284e: Updated JWT SSO to beta16
Major changes:
- 💥 Signer key must be plain text now. It will be encoded to base64 automatically
- 💥 Login is no longer done with the login method (which is now named getToken) but will rely on the new middleware
- e0df539: Updated composer.json metadata
- 9ea9834: release: 🔖 1.9 final changelog
- Added JWT Signing Algorithm option
- Migrated to lcobucci/jwt v4 (compatible with v3.4.2 if already installed)

Added support for Beta 15 (now the extension requires beta 15 to run)

New settings page
- Added Manage Account button in user settings
- Improved code and removed outdated one
Fixed login modal showing up when user is not logged in and clicks the Start discussion button (PR #7)
- Login modal not showing when extension is enabled but no login url is set
Added support for Beta 14 (now the extension requires beta 14 to run)
Compatibility with Json Web Tokens
Revamped docs
Beta 13 support
- Moved plugins into their own repos
- Allow installation on beta 12
Fixed settings modal not showing up
- Fix for version constraint
Critical fix to solve crash at Flarum startup
- Extension settings modal construction moved to @fof/components (thanks to @datitisev for the lib)
- Code enhancements
Added “Remove signup and login button” option in settings
- SSO won’t work if a URL isn’t set
- Fixed and changed icon
Fixed a critical issue that caused the extension not to work
- Updated sample website example
- Minor tweak to composer.json
Added new delete method (not fully tested, but should work almost all the time)
- Added new getFlarumLink method that returns the Flarum link set in the config.php file
Added detailed comments in every method
- Added Italian translation
Replaced Curl requests with HTTP requests (Curl failed every time in my tests)
- Minor tweaks and enhancements
- Compatibility with beta 8.1
- Added Polish language
- Removed account section from settings
- Added token lifetime to config
- Extended token lifetime