This extension equips Flarum with Single Sign On (shortly SSO). Basically, this extension will act as a bridge between Flarum and your SSO/Auth system. The extension is useful if you run Flarum on a subdomain but you want to use the login mechanism of your main website.
If you have an OpenID Connect provider/auth system you can use my OpenID Connect Client Extension, that requires zero coding from your side. You only have to configure it and you’re ready to go!
Workflow based on this post.
The user wants to login to your Auth system. Once his login attempt is successful, a POST request is sent to Flarum API from one of the extension plugins to retrieve the user access token (verifying his credentials). He will be created in the Flarum database (through an API request) if he isn’t signed up on Flarum.
Then, the access token is saved in a cookie to be used when the user visits Flarum (this cookie keeps the login active).
This section covers the difference between plugins and addons.
This is the standard Flarum extension, installable on Flarum following the Installation instructions. This is required since it activates the user when he is added to the database, manage his logout, changes the Login and Signup links destination, …
A plugin is a library/package that you install on your Auth system to communicate with Flarum. This allows you to login, signup, update or logout the user (these are only examples, there may be other features along these ones). Some plugins are already developed for you and needs only to add the proper settings, like the WordPress plugin.
Examples of plugins are the PHP and WordPress ones. You can find them in the “Plugins” section in the left sidebar.
Addons are additional features that can be added to the plugin(s). The installation method changes with the plugin you are using. For example, with the PHP plugin you have to add an addon calling an object method, while on WordPress you need to install it through the plugins screen.
Examples of addons are the Groups and the JWT ones.
Install by executing the command below and activate the extension in Flarum Administration area.
composer require maicol07/flarum-ext-sso
You’ll also need a plugin to get it work with your auth system. You can choose one from the “Plugins” section in the left sidebar.
PHP versions will be supported until its EOL.
If Flarum core changes PHP version before the official EOL, I’ll update too the version accordingly to what they have chosen.
Upgrade by executing the command below, like with every other extension.
composer update maicol07/flarum-ext-sso
Here is the explanation of all the extension settings:
Signup URL: URL where the user will be redirected when the Signup button is clicked
Login URL: URL where the user will be redirected when the Login button is clicked
Logout URL: URL where the user will be redirected when the Logout button is clicked
Manage account URL (available in 1.8+): URL where the user will be redirected whenthe Manage Account button is clicked. This button shows up in the user settings only if this setting has a valid URL.
Open account management in a new tab (available in 1.8+): Open the link of the Manage Account button in a new tab
Remove login button: Removes the login button from Flarum frontend
Remove signup button: Removes the signup button from Flarum frontend
Cookies name prefix: Prefix of the token cookie. Set by default to “flarum”
Provider mode: Enable this option to use the provider mode (SSO between Flarum instances).
Allows other Flarum instances to login an user of this Flarum instance.
This will disable the standard SSO feature with other websites.
Default values for WordPress are:
redirect_to=forumpart is important as it will redirect your users back to the forum)
issclaim of your JWT. This is the domain that issues the JWT. Typically, this corresponds with the root domain.
This addon requires the
lcobucci/jwt:>=4.1 package added (and installed) to Flarum
composer.json to work.
Sponsored by @kuaza from https://sorucevap.com
You can enable provider mode to register Flarum instances as clients and login users with your provider Flarum account.
To do so, you must obtain an API key and a password token for each Flarum client you want to add (check in the PHP plugin options how to obtain them).
Then you have to enable the “Provider mode” in the main flarum instance you want to be the provider and register clients with their parameters:
In the client Flarum you have to set it up normally, but you have to set the Cookie prefix setting this way: if the client name is filled in provider, then the cookie prefix is the client name, otherwise it will be equal to the value of the URL field of the client.
Beware that using a client name that contains spaces or special characters might cause problems when an user tries to login!
Major changes are marked with
Released on November 16, 2022
de71fb1Re-added missing Logout URL setting
Released on October 26, 2022
8ea8f8f ✨ Fix login redirects in embeded mode
Released on October 21, 2022
aa58e2b🐛 logout middleware redirect
Released on October 02, 2022
2d7f772 ✨ Added provider mode
Sponsored by @kuaza from https://sorucevap.com
a15b3e9 ✨ Added settings page
d10faf5Fix method deprecation
4674f1b Removed build action
Already included in frontend
bdf9671 💚 Fix JS build action
699ec7f Disable TS checks
d771657 Added backend action
ff8df07 Improved changelog generation
990e838Updated JS to TS, CI and config to latest update
dc62612deps: ⬆️ Upgraded dependencies
ea3861bdeps: ⬆️ Updated dependencies
9a233fbdeps: ⬆️ Updated dependencies
bec87c5deps: Added bundlewatch
Released on October 21, 2021
5b7afa3 Unblock other extensions routes
It was impossible for other extensions, loaded after SSO to register new routes
ecc0676 Signup button points to logout URL
Released on August 09, 2021
fd9bc60✨ Added Typescript config to get Flarum typing definitions
8b70076code_tools: ✨ Added Prettier instead of ESLint
6fbd7f9⚡ Better frontend settings helper
3e24b49New Discussion button opening the Login modal
f9cb9f4🐛 Wrong app namespace
3dce5dcReformatted build action
edbd507♻️ Removed old Webpack config
f17a9a5♻️ Removed ESLint comments
3233f94Trigger changelog workflow when JS build has finished
f244d0fUpdated build action
b8e32e2👷 Added Flarum Bot to automatically compile JS
646203c👷 Added conditional commit messages to changelog action
086bdea👷 Updated changelog generation
4145636deps: ⬆️ Upgraded Flarum Webpack config
3e99300meta: Updated extension icon colors for better contrast
Released on June 12, 2021
b74c90c⚡ Use dot notation to set array value
5e84bf4📝 Fixed PHPDocs
8f3d699Allow to run changelog action manually to set the next version
5cb1154Add git credentials
a10765eAdd missing commit
c009c2eAdd missing token to push back changes
8ab1c6fPush CHANGELOG.md back to repo
b705c4fEnsure changelog is saved to file
ec11208Fix changelog action branch
801fc90Missing checkout action
69b9e7eAdded more author metadata to
fcd76e6Added flarum version support badge
5de2a76deps: Moved JWT package to suggestions
7a4ce8clocale: Delete pl.yml (#11)
Released on May 22, 2021
Released on April 08, 2021
6c802dfAllow updating user avatar via
bc56ed3New Login middleware
3e033f8Initial compatibility with beta16
830def6Exception when updating user and
978e1deFixed issue with the Laravel Cookie helper
3cf884fImproved subscribers and listeners handling
27b284eUpdated JWT SSO to beta16
deletemethod (not fully tested, but should working almost all the times)
getFlarumLinkmethod that returns flarum link set in