{"id":27161006,"url":"https://github.com/flownative/openidconnect-neos","last_synced_at":"2025-04-09T00:08:36.537Z","repository":{"id":40991778,"uuid":"488257646","full_name":"flownative/openidconnect-neos","owner":"flownative","description":"This package provides an OpenID Connect (OIDC) \"bridge\" for Neos","archived":false,"fork":false,"pushed_at":"2024-05-03T15:37:00.000Z","size":23,"stargazers_count":1,"open_issues_count":3,"forks_count":3,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-08-09T13:43:25.292Z","etag":null,"topics":["hacktoberfest","neoscms","oidc"],"latest_commit_sha":null,"homepage":"","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flownative.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-05-03T15:10:19.000Z","updated_at":"2024-05-03T15:36:37.000Z","dependencies_parsed_at":"2022-09-09T07:00:58.087Z","dependency_job_id":"5d5e35c4-ec38-47c7-8f97-e3d78874e426","html_url":"https://github.com/flownative/openidconnect-neos","commit_stats":{"total_commits":4,"total_committers":2,"mean_commits":2.0,"dds":0.25,"last_synced_commit":"fe8ad695c6b5e6592afd8a628480a99c72d4fdeb"},"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flownative%2Fopenidconnect-neos","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flownative%2Fopenidconnect-neos/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flownative%2Fopenidconnect-neos/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flownative%2Fopenidconnect-neos/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flownative","download_url":"https://codeload.github.com/flownative/openidconnect-neos/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247947857,"owners_count":21023066,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","neoscms","oidc"],"created_at":"2025-04-09T00:08:36.075Z","updated_at":"2025-04-09T00:08:36.532Z","avatar_url":"https://github.com/flownative.png","language":"PHP","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![MIT license](http://img.shields.io/badge/license-MIT-brightgreen.svg)](http://opensource.org/licenses/MIT)\n[![Packagist](https://img.shields.io/packagist/v/flownative/openidconnect-neos.svg)](https://packagist.org/packages/flownative/openidconnect-neos)\n[![Maintenance level: Love](https://img.shields.io/badge/maintenance-%E2%99%A1%E2%99%A1%E2%99%A1-ff69b4.svg)](https://www.flownative.com/en/products/open-source.html)\n\n# OpenID Connect for the Neos CMS\n\nThis package provides an [OpenID Connect](https://openid.net/connect/) (OIDC)\n\"bridge\" for [Neos](https://www.neos.io/).\n\nIt provides sane defaults for the OIDC client package, and provides a way to\nmatch Neos backend users to OIDC users. 
Optionally users can be created on the\nfly if they don't exist yet.\n\n## Terms and Background\n\nBefore deploying OpenID Connect for your application, you should get familiar\nwith the concepts. For a quick reminder, you should scan the documentation of\n[Flownative.OpenIdConnect.Client](https://packagist.org/packages/flownative/openidconnect-client)\n\n## Requirements\n\nIn order to use this plugin you need:\n\n- Neos CMS\n- an OIDC Identity Provider which provides auto discovery\n\n## Installation\n\nThe plugin is installed via Composer:\n\n```bash\ncomposer require flownative/openidconnect-neos\n```\n\n## Configuration\n\nThis package provides sane defaults for most of the configuration, suitable for\nNeos CMS.\n\nThe OIDC provider connection must be set up. The default configuration uses\nthese environment variables:\n\n- `OIDC_DISCOVERY_URI`\n- `OIDC_CLIENT_ID`\n- `OIDC_CLIENT_SECRET`\n\nYou may of course set the values directly:\n\n```yaml\nFlownative:\n  OpenIdConnect:\n    Client:\n      services:\n        neos:\n          options:\n            discoveryUri: '…'\n            clientId: '…'\n            clientSecret: '…'\n```\n\nAnd you must set up how roles are determined, see the next section.\n\n### Roles\n\n#### Hard-coded roles\n\nYou may configure the provider as follows:\n\n```yaml\nNeos:\n  Flow:\n    security:\n      authentication:\n        providers:\n          'Neos.Neos:Backend':\n            providerOptions:\n              roles:\n                - 'Neos.Neos:Editor'\n```\n\nThat is the simplest way of configuring roles, but also very \"static\", no variation is\npossible.\n\n#### Roles from Identity Token\n\nThe provider can extract the roles from the identity token values. 
The roles\nprovided by the token must have the same identifier as in Neos.\n\nGiven that the identity token provides a claim called \"https://flownative.com/roles\",\nyou may configure the provider as follows:\n\n```yaml\nNeos:\n  Flow:\n    security:\n      authentication:\n        providers:\n          'Neos.Neos:Backend':\n            providerOptions:\n              rolesFromClaims:\n                - 'https://flownative.com/roles'\n```\n\nWhen a user logs in and her identity token has a value \"https://flownative.com/roles\"\ncontaining an array of Flow role identifiers, the OpenID Connect provider will\nautomatically assign these roles.\n\nRoles can be mapped in case their values don't match the required Flow role\npattern (`\u003cPackage-Key\u003e:\u003cRole\u003e`) or if multiple roles should be translated to a\nsingle role:\n\n```yaml\nNeos:\n  Flow:\n    security:\n      authentication:\n        providers:\n          'Neos.Neos:Backend':\n            providerOptions:\n              rolesFromClaims:\n                -\n                  name: 'https://flownative.com/roles'\n                  mapping:\n                    'role1': 'Some.Package:SomeRole1'\n                    'role2': 'Some.Package:SomeOtherRole'\n                    'role3': 'Some.Package:SomeRole'\n```\n\nYou may specify multiple claim names which are all considered for\ncompiling a list of roles.\n\nCheck logs for hints if things are not working as expected.\n\n#### Roles from an Existing Account\n\nIf you use locally created Neos users (accounts with the same username which is\nprovided by the identity token), the roles of that (persisted) account can be\nused:\n\n```yaml\nNeos:\n  Flow:\n    security:\n      authentication:\n        providers:\n          'Neos.Neos:Backend':\n            providerOptions:\n              addRolesFromExistingAccount: true\n```\n\nYou may mix \"rolesFromClaims\" with \"addRolesFromExistingAccount\". 
In that case\nroles from claims and existing accounts will be merged.\n\nAgain, check the logs for hints if things are not working as expected.\n\n#### Roles for Auto-Created Neos Users\n\nIn case auto-creation of users is enabled, the roles on the new user can be set\nby configuration:\n\n```yaml\nFlownative:\n  OpenIdConnect:\n    Neos:\n      autoCreateUser: true\n      rolesForAutoCreatedUser:\n        - 'Neos.Neos:Editor'\n```\n\nNote that you still must use (at least) one of the options to assign roles,\nnamely \"rolesFromClaims\" and \"addRolesFromExistingAccount\".\n\n### Optional settings\n\nYou can set the JWT cookie name if you need to use a different name.\n\n```yaml\nNeos:\n    Flow:\n        security:\n            authentication:\n                providers:\n                    'Neos.Neos:Backend':\n                        providerOptions:\n                            jwtCookieName: 'flownative_oidc_jwt'\n```\n\nIf your OpenID Connect provider does not return a `username`, you can map\nit like this:\n\n```yaml\nFlownative:\n  OpenIdConnect:\n    Neos:\n      identityValueMapping:\n        'username': 'email'\n```\n\nSo far this assumes you locally create Neos users with the same username as the\nOIDC provider returns. You can enable auto-creation of Neos users like this:\n\n```yaml\nFlownative:\n  OpenIdConnect:\n    Neos:\n      autoCreateUser: true\n      identityValueMapping:\n        'firstname': 'https://flownative.com/given_name'\n        'lastname': 'https://flownative.com/family_name'\n```\n\nThe mapping of `firstname` and `lastname` is needed in case those are not\nreturned with those names by your OIDC provider. They are used for the created\nusers. 
If the identity token contains first name and last name in a single\nproperty, you can use the \"name\" mapping:\n\n```yaml\nFlownative:\n  OpenIdConnect:\n    Neos:\n      autoCreateUser: true\n      identityValueMapping:\n        'name': 'https://flownative.com/given_name_and_family_name'\n```\n\n## Debugging\n\n- Check the security and system log for messages, there is probably something\n  helpful there.\n- Use `./flow configuration:show --path Flownative.OpenIdConnect` to check the\n  settings and look for things you might need to adjust.\n- Repeat that step with the `Neos.Flow.security` settings.\n\n## Credits and Support\n\nThis library was developed by Karsten Dambekalns / Flownative. Feel free\nto suggest new features, report bugs or provide bug fixes in our GitHub\nproject.\n\nThanks to Daniel Lienert / punkt.de for the initial implementation of the\n`AccountManager` class.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflownative%2Fopenidconnect-neos","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflownative%2Fopenidconnect-neos","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflownative%2Fopenidconnect-neos/lists"}