-
-
Notifications
You must be signed in to change notification settings - Fork 812
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dev/core#2141 - Add "oauth-client" extension (hidden) #18914
Conversation
…e OAuth client secrets'
Depends on OAuthProvider and permissions ('manage OAuth client' and 'manage OAuth client secrets')
If you are developing on a local HTTP system with virtual hosts, then many OAuth2 services won't recognize it as a local/dev URL. The "local-redir.sh" script runs a stub service that will be accepted as a local/dev "Redirect URL".
Suppose you have a downstream app/module -- such as the Civi-IMAP app/module. It needs to store a notation which says "this thing in our data" (e.g. `civicrm_mail_settings`) "corresponds to that token in the OAuth data". It can put a tag on the token (`tag=civicrm_mail_settings:123`) and use that for lookup ``` $tag = `OAuthSysToken.refresh +w tag=civicrm_mail_settings:123` ``` The advantage of this is that it's simple, flexible, and doesn't require new schema. Of course, it's not end-all/be-all. It's OK for 1:1 relationship. But if you want 1:M or M:M, then you'll have to model that as something else. But for basic usage, tags are simple and moderately flexible.
Overview -------- For certain types of mail accounts -- such as Google Mail and Microsoft Exchange Online -- the setup process may require interaction with a remote web-service. If you have OAuth2 enabled for one of these services, then this will create an option for "Add Mail Account". Before ------ There is no setup procedure. After ----- * Navigate to "Administer => CiviMail => Mail Accounts". * Below the table, there is a select2 box for "Add Mail Account". * If "Microsoft Exchange Online" is configured, then it will appear in the dropdown. Choose it. * It redirects to MS to get authorization from the user (OAuth2 Authorization Code). * The user comes back. * We initialize a new mail account (`MailSettings` / `civicrm_mail_settings`) * We accept the code and save the token (`OAuthSysToken`) with the account. * We redirect to the account configuration form. Technical Details ----------------- The new mail account will have some details, such as `server`, `protocol`, and `username` pre-filled. This uses a template -- see e.g. `providers/ms-exchange.dist.json` (`mailSettingsTemplate`).
If you're an admin setting up an email return-channel, then you may not intend to use your normal email account. It makes sense to always prompt for the preferred account.
(Standard links)
|
This code is entirely within the oauth extension. As discussed on chat the final review point for this is where we unhide this. We have discussed the appropriateness for core & general approach previously and that is generally agreed. So the bar for this checkpoint is - nothing alarming or unexpected in there & suitable test cover. I'm comfortable with those so merging. For the next save-point the bar is that the documentation is sorted & we get some r-run confirmation - preferably on live sites - that would be the point we unhide it |
Overview
This adds the
oauth-client
extension for connecting to OAuth2-based web-services. It includes data-storage, APIs, and UIs for working with client-credentials and persistent tokens. It implements key elements from the design in https://lab.civicrm.org/dev/core/-/issues/2141.(NOTE: This PR only adds the extension. The hard pre-requisites for
oauth-client
have already been merged intocivicrm-core
. However, there are some open PRs with soft-requirements that improve debugging. For a full branch with all recommended patches, see #18863.)Use-case: Add an IMAP-OAuth client
oauth-client
.cv en oauth_client
civicrm/admin/oath
).gmail
orms-exchange
).civicrm/admin/mailSettings
)civicrm/admin/oath
).gmail
orms-exchange
).Technical Details
manage OAuth client
: Provides access to register clients and request tokens.manage OAuth client secrets
: Provides raw access to sensitive tokens which are otherwise invisible.gmail
,ms-exchange
, etc) are defined inext/oauth-client/providers/*.json
. The list can be manipulated viahook_civicrm_oauthProviders
. It is consumed via APIv4'sOAuthProvider.get
.civicrm_oauth_client
(OAuthClient
).civicrm_mail_settings
(MailSettings
) and a linked record incivicrm_oauth_systoken
(OAuthSysToken
).Comments
cv
, it may not accept the dash inoauth-client
, but it will accept an underscoreoauth_client
.r-doc
s.