OAuth
What is OAuth?
The idea behind OAuth is to get rid of the need to register separately with all the websites out there that require registration before you can use them. Instead of having to keep track of all the different accounts, you can use one login on every website that supports OAuth.
To quote the OAuth homepage:
- "An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications."
OAuth is a free and open protocol. It is not owned by any corporation.
OAuth in Geeklog
OAuth support in Geeklog differs slightly from the Remote Authentication support, but only in that it requires a separate login prompt.
To activate OAuth support there are several steps.
First you must go to the Configuration Admin panel:
- Configuration > Geeklog > Users and Submissions > Users > User Login Method[OAuth]
Set this option to "true". Just below this configuration option you will find the other OAuth settings. Currently Geeklog supports logging in via Facebook, LinkedIn, Twitter, Yahoo, and Google via OAuth. For each of these login methods you will find an option to enable it and two text boxes for you to enter an Application Id and Application Secret Key (see below to find out how to get an Id and Secret Key). Each of these items needs to be filled out before the login button for it will be enabled. Once you have filled out the required information remember to then save the configuration changes.
Geeklog's OAuth login process also requires the PHP OpenSSL extension to be loaded on your web server.
The Geeklog User Submission Queue must also be set to false in the Geeklog Configuration. Currently a new remote user cannot be added to the submission queue for approval later on.
When you log out, you will see one or more new login buttons in your site's User Functions block, below the normal login options.
The first time a user clicks on one of the OAuth login buttons, they will be redirected to the website offering the OAuth login (Facebook, LinkedIn or Twitter). There, if they are not currently logged into that website, they will be asked to log in. Once logged in, they will be asked whether they wish to give your Geeklog website permission to access some of their personal information. If the user approves the request, they will be redirected back to the Geeklog website, which will then use the information to create a Geeklog user account and log them into the Geeklog website. If the user does not approve the request for information, they will still be redirected back to the website, but no Geeklog user account will be created.
The next time the user logs into your Geeklog website using the same OAuth login method, Geeklog will check with the website providing the OAuth login to see whether the user is logged into that site. If not, the user will be redirected to the site to log in. Once they have logged in, the site will then redirect them back to your Geeklog website.
When Geeklog uses OAuth to log in its users, it will never see the user's OAuth password - it will only get an "okay" back from the OAuth provider if the user authenticated successfully.
Once a user has logged in via OAuth, they are just like any other Geeklog user. They can be added to groups, change their profile, do whatever else you allow your users to do on your site. And yes, OAuth users can also be banned.
Users that log in through OAuth are automatically added to the "Remote Users" group.
Limitations
- Currently, OAuth 1.0, 1.0a and 2.0 are supported (depends on what the OAuth provider supports).
OAuth Login Methods
General review...
Please note:
- To use Facebook Login your website must use SSL.
- The "Use Strict Mode for Redirect URIs" setting on the Facebook Web App defaults to Strict and cannot be changed for new login apps created in the Facebook developer portal. This means you must specify the exact Valid OAuth Redirect URIs used by Geeklog. For example: https://www.yoursitehere.com/users.php?oauth_login=facebook
- You may also need to submit the Login for Facebook review before location / user photo can be retrieved. You have to include a screencast showing how you log in and use the Facebook data.
Open the Facebook 'Create an Application' page and fill in the form.
Please go to Facebook Apps page https://developers.facebook.com/apps
Access LinkedIn 'List of Applications' page, and click 'Add New Application'.
https://www.linkedin.com/secure/developer
Access 'Applications Using Twitter' page and click 'Register a new application'.
https://dev.twitter.com/apps/new
Application Type: Select 'Browser'
Callback URL: Input URL same as Website
Default Access type: Select 'Read & Write'
Use Twitter for login: Check
Redirection URL: http://www.yoursitehere.com/users.php?oauth_login=twitter
Microsoft Live
Allows users to log in with their Hotmail, Live or Outlook email accounts. Please go to the Microsoft Live Connect Developer Center page https://manage.dev.live.com/AddApplication.aspx
Note: Google will shut down Google+ on April 2, 2019. As of Geeklog v2.2.1 we will move from the Google+ OAuth scope to the Google OAuth scope. Because of this change you may need to update your Google API key.
Google APIs console page http://code.google.com/apis/console in the API access tab
Redirection URL: http://www.yoursitehere.com/users.php?oauth_login=google
Yahoo
Yahoo Apps page https://developer.apps.yahoo.com/wsregapp/
GitHub
GitHub Developer page https://developer.github.com/v3/oauth/
Create a new GitHub Application: https://github.com/settings/applications/new
Redirection URL (Authorization callback URL): http://www.yoursitehere.com/users.php?oauth_login=github
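A pre-flight check for the setup described above, as an added example that is not part of Geeklog: it verifies the OpenSSL requirement and compares each redirect URI registered with a provider against the exact users.php?oauth_login=... form shown on this page. The function names, $siteUrl and the $registered values are assumptions constructed for illustration.

```php
<?php
// Added example, not Geeklog code. Sample values below are constructed.

/** Build the redirect URI for a provider, following the pattern on this page. */
function oauthRedirectUri(string $siteUrl, string $provider): string
{
    return rtrim($siteUrl, '/') . '/users.php?oauth_login=' . rawurlencode($provider);
}

/** Return a list of problems found in one provider's registered redirect URI. */
function checkRedirectUri(string $siteUrl, string $provider, string $registered): array
{
    $problems = [];
    $expected = oauthRedirectUri($siteUrl, $provider);

    // With strict matching the exact URI must be registered:
    // scheme, host, path and query string all have to agree.
    if ($registered !== $expected) {
        $problems[] = "registered URI differs from expected $expected";
    }
    // Facebook Login requires the site to use SSL (see the notes above).
    if ($provider === 'facebook' && parse_url($registered, PHP_URL_SCHEME) !== 'https') {
        $problems[] = 'Facebook requires an https:// redirect URI';
    }
    return $problems;
}

$siteUrl = 'https://www.yoursitehere.com'; // assumed site URL
$registered = [ // constructed sample: what was entered in each provider's portal
    'facebook' => 'https://www.yoursitehere.com/users.php?oauth_login=facebook',
    'google'   => 'http://www.yoursitehere.com/users.php?oauth_login=google', // scheme mismatch
    'github'   => 'https://yoursitehere.com/users.php?oauth_login=github',    // host mismatch
];

// Geeklog's OAuth login needs the PHP OpenSSL extension on the web server.
if (!extension_loaded('openssl')) {
    echo "FAIL  PHP OpenSSL extension is not loaded\n";
}
foreach ($registered as $provider => $uri) {
    $problems = checkRedirectUri($siteUrl, $provider, $uri);
    echo ($problems ? 'FAIL' : 'OK  ') . "  $provider";
    echo $problems ? ': ' . implode('; ', $problems) : '';
    echo "\n";
}
```

Run it with the same PHP installation that serves the site, since the command-line PHP may load a different set of extensions than the web server.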