dev/core#2141 - Add "oauth-client" extension (hidden) #18914
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…e OAuth client secrets'
Depends on OAuthProvider and permissions ('manage OAuth client' and 'manage OAuth client secrets')
If you are developing on a local HTTP system with virtual hosts, then many OAuth2 services won't recognize it as a local/dev URL. The "local-redir.sh" script runs a stub service that will be accepted as a local/dev "Redirect URL".
Suppose you have a downstream app/module -- such as the Civi-IMAP app/module. It needs to store a notation which says "this thing in our data" (e.g. `civicrm_mail_settings`) "corresponds to that token in the OAuth data". It can put a tag on the token (`tag=civicrm_mail_settings:123`) and use that for lookup ``` $tag = `OAuthSysToken.refresh +w tag=civicrm_mail_settings:123` ``` The advantage of this is that it's simple, flexible, and doesn't require new schema. Of course, it's not end-all/be-all. It's OK for 1:1 relationship. But if you want 1:M or M:M, then you'll have to model that as something else. But for basic usage, tags are simple and moderately flexible.
Overview -------- For certain types of mail accounts -- such as Google Mail and Microsoft Exchange Online -- the setup process may require interaction with a remote web-service. If you have OAuth2 enabled for one of these services, then this will create an option for "Add Mail Account". Before ------ There is no setup procedure. After ----- * Navigate to "Administer => CiviMail => Mail Accounts". * Below the table, there is a select2 box for "Add Mail Account". * If "Microsoft Exchange Online" is configured, then it will appear in the dropdown. Choose it. * It redirects to MS to get authorization from the user (OAuth2 Authorization Code). * The user comes back. * We initialize a new mail account (`MailSettings` / `civicrm_mail_settings`) * We accept the code and save the token (`OAuthSysToken`) with the account. * We redirect to the account configuration form. Technical Details ----------------- The new mail account will have some details, such as `server`, `protocol`, and `username` pre-filled. This uses a template -- see e.g. `providers/ms-exchange.dist.json` (`mailSettingsTemplate`).
If you're an admin setting up an email return-channel, then you may not intend to use your normal email account. It makes sense to always prompt for the preferred account.
|
(Standard links)
|
|
This code is entirely within the oauth extension. As discussed on chat the final review point for this is where we unhide this. We have discussed the appropriateness for core & general approach previously and that is generally agreed. So the bar for this checkpoint is - nothing alarming or unexpected in there & suitable test cover. I'm comfortable with those so merging. For the next save-point the bar is that the documentation is sorted & we get some r-run confirmation - preferably on live sites - that would be the point we unhide it |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This adds the
oauth-clientextension for connecting to OAuth2-based web-services. It includes data-storage, APIs, and UIs for working with client-credentials and persistent tokens. It implements key elements from the design in https://lab.civicrm.org/dev/core/-/issues/2141.(NOTE: This PR only adds the extension. The hard pre-requisites for
oauth-clienthave already been merged intocivicrm-core. However, there are some open PRs with soft-requirements that improve debugging. For a full branch with all recommended patches, see #18863.)Use-case: Add an IMAP-OAuth client
oauth-client.cv en oauth_clientcivicrm/admin/oath).gmailorms-exchange).civicrm/admin/mailSettings)civicrm/admin/oath).gmailorms-exchange).Technical Details
manage OAuth client: Provides access to register clients and request tokens.manage OAuth client secrets: Provides raw access to sensitive tokens which are otherwise invisible.gmail,ms-exchange, etc) are defined inext/oauth-client/providers/*.json. The list can be manipulated viahook_civicrm_oauthProviders. It is consumed via APIv4'sOAuthProvider.get.civicrm_oauth_client(OAuthClient).civicrm_mail_settings(MailSettings) and a linked record incivicrm_oauth_systoken(OAuthSysToken).Comments
cv, it may not accept the dash inoauth-client, but it will accept an underscoreoauth_client.r-docs.