定制 heptacom/shopware-platform-admin-open-auth 二次开发

按需修改功能、优化性能、对接业务系统,提供一站式技术支持

邮箱:yvsm@zunyunkeji.com | QQ:316430983 | 微信:yvsm316

heptacom/shopware-platform-admin-open-auth

Composer 安装命令:

composer require heptacom/shopware-platform-admin-open-auth

包简介

Shopware plugin to allow OAuth providers to provide admin logins

README 文档

README

This is part of HEPTACOM solutions for medium and large enterprise

Shopware plugin to allow external login provider in the administration

Packagist Version PHP from Packagist Software License GitHub code size in bytes GitHub issues GitHub forks GitHub stars GitHub watchers Packagist

GitHub contributors GitHub commit activity

This Shopware 6 plugin allows to add "Login with" functionality into the Shopware administration login page and password confirmation dialogs.

Features

  • login to Shopware 6 administration using an external identity provider (IDP)
  • various providers already preconfigured - Microsoft, Google, Okta, Keycloak, ...
  • support for third-party IDPs supporting OpenID Connect
    • easy setup using the provider's metadata document (.well-known/openid-configuration)
  • support for third-party IDPs supporting SAML2
    • easy setup using the provider's metadata xml
  • promote users automatically to administrators
  • set roles and permissions based on rules
  • disable the password login and automatically redirect users to the identity provider

Security

The login to the Shopware administration is a critical part. Security vulnerabilities in this part allow attackers access to the whole shop.

Therefore, we check our plugin critically for potential risks before merging pull requests.

In addition, our OpenId Connect implementation also checks the signature of JWT tokens, whenever possible. When using a pre-configured OpenID Connect provider or when providing a OIDC metadata document, the JWKS keys are automatically fetched from the IDP.

Supported providers

We support a variety of identity providers out of the box. If your identity provider is not listed below but offers OpenID Connect support, you can configure it manually using the OpenID Connect provider. In any other case feel free to create a pull request.

Provider supports language sync supports timezone sync supports role assignment by roles/groups more info
Atlassian Jira
Atlassian Jira
Read more here.
cidaas
cidaas
⚠️ Read more here.
Google Cloud
Google Cloud
⚠️ Read more here.
JumpCloud depends on configuration depends on configuration Read more here.
Keycloack
Keycloak
depends on configuration ⚠️ Read more here.
Microsoft Entra ID
Microsoft Logo
Read more here.
Okta
Okta
⚠️ Read more here.
OneLogin
OneLogin
⚠️ Read more here.
OpenID Connect
OpenID Connect
depends on configuration depends on configuration ⚠️ Try any OpenID Connect provider, that we did not explicitly prepare an optimized configuration for.
SAML2
SAML2
depends on configuration depends on configuration Try any SAML2 provider, that we did not explicitly prepare an optimized configuration for.

⚠️ supported using authorized request rule

SAML2 - Technical requirements

In case you want to use a SAML2 provider, your IdP must meet the following requirements:

  • include AuthnRequest in the SAML response
  • sign the returned assertions
  • support HTTP-POST binding for the Assertion Consumer Service (ACS)
  • return the user's email address as attribute (all other attributes are optional)

OpenID Connect - Authenticated request rule

When using an OpenID Connect based provider, you can assign roles that depend on an authenticated GET request, done with the user's access token. This way you can get any further information from the IDP, that is relevant for your specific case. For some providers a preset for retrieving the user's groups is already available.

In case you want to create more complex rules, you can build your own queries within the rule builder. The queries get the JSON, returned by the specified endpoint, as input.

Authenticated request

Your specified endpoint will be called as follows:

GET https://my-company.idp.com/api/groups
Authorization: Bearer <access_token>
Accept: application/json

The request must be encrypted (HTTPS) and will timeout after 5 seconds. In case of a timeout or a none successful response code, the condition will be evaluated as false.

In case you have multiple conditions, depending on the same endpoint, the request will only be done once. The response is cached in memory for the duration of the rule evaluation.

Processing the response

You can then use a JMESPath query to validate if the input JSON matches your rule.

It is recommended that your query results in a boolean. In case it results in a different type, the condition will be validated as follows:

Output type Output value Validation result
boolean true true
boolean false false
string empty false
string non-empty true
number 0 false
number 1 (or grater) true
array empty false
array non-empty true
object empty false
object non-empty true
null null false

Pagination

In case of larger responses, you might need to paginate through the results. When using an OData compatible endpoint, you can use the "Authenticated OData request" instead. If the validation result on the current result page is false, the next page will be automatically requested.

OpenID Connect - ID Token rule

Most OpenID Connect based providers issue an identity token while authentication. Depending on your use-case, this token might contain data that is relevant for the permission assignment.

You can use the ID Token for rules by running a JMESPath query on the payload. For details on the JMESPath query evaluation, see the authenticated request rule documentation.

Adding your own rule actions

In most scenarios you only need to assign roles based on rules. However, for some use cases you might want to add your own actions. As a plugin developer you can simply add your own rule actions. The rules will evaluate while the login process synchronously and the appropriate action will be executed.

Adding a new rule action

To add a new rule action, you need to create a service that implements RuleActionInterface. The service must be tagged with heptacom_open_auth.rule_action.

Thereafter, your action should already be visible in the client configuration.

Service

<?php

namespace Heptacom\MyCustomPlugin\HeptacomOpenAuth;

use Heptacom\AdminOpenAuth\Contract\OAuthRuleScope;
use Heptacom\AdminOpenAuth\Contract\RuleActionInterface;
use Heptacom\AdminOpenAuth\Database\ClientRuleEntity;

class CustomRuleAction implements RuleActionInterface
{
    public static function getName(): string
    {
        return 'heptacom_my_custom_action';
    }
    
    public function getActionConfigurationComponent(): string
    {
        return 'heptacom-my-custom-action-config';
    }
    
    public function preResolveUser(ClientRuleEntity $rule, OAuthRuleScope $ruleScope): void {
        // your business logic here
    }
    
    public function postResolveUser(ClientRuleEntity $rule, OAuthRuleScope $ruleScope): void {
        // your business logic here
    }
}

Administration Snippet

{
    "heptacom-admin-open-auth-client": {
        "actions": {
            "heptacom_my_custom_action": {
                "label": "My custom action"
            }
        }
    }
}

Adding a configurable action to the administration

Now we can already see our action in the client configuration. Although we can already add rules, we are not able to configure what action should be executed if a rule matches. To do so, we need to add a new component to the administration.

The component receives the client and the current configuration as props.

In the following example we will simply set a configurable text.

import template from './heptacom-my-custom-action-config.html.twig';

export default {
    template,

    props: {
        client: {
            type: Object,
            required: true,
        },
        actionConfig: {
            type: Object,
            required: true,
        },
    }
}
<sw-text-field
    v-model:value="actionConfig.myText"
    label="Enter a text"
    required
></sw-text-field>

Adding the business logic for an action

Now, that your action is configurable, you need to define what should happen if the rule matches. To do so, you need to implement the execute method of your action.

For this example we will only log the configured text.

<?php

namespace Heptacom\MyCustomPlugin\HeptacomOpenAuth;

use Heptacom\AdminOpenAuth\Contract\RuleActionInterface;
use Heptacom\AdminOpenAuth\Contract\OAuthRuleScope;
use Heptacom\AdminOpenAuth\Database\ClientRuleEntity;
use Psr\Log\LoggerInterface;

class CustomRuleAction implements RuleActionInterface
{
    public function __construct(
        private readonly LoggerInterface $logger
    ) {
    }
    
    // ...
    
    public function preResolveUser(ClientRuleEntity $rule, OAuthRuleScope $ruleScope): void {
        $this->logger->info(sprintf(
            'My custom action (preResolveUser) was executed with text: %s',
            $rule->getActionConfig()['myText']
        ));
    }
    
    public function postResolveUser(ClientRuleEntity $rule, OAuthRuleScope $ruleScope): void {
        $this->logger->info(sprintf(
            'My custom action (postResolveUser) was executed with text: %s',
            $rule->getActionConfig()['myText']
        ));
    }
}

Changes

View the CHANGELOG file attached to this project.

Contributing

Thank you for considering contributing to this package! Be sure to sign the CLA after creating the pull request. CLA assistant

License

Copyright 2020 HEPTACOM GmbH

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this project except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 or see the local copy.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Trademarks and Logos

All logos, available in this project are protected under copyright. Most of them also are registered trademarks. Therefore, the usage is only permitted when corresponding trademark/branding guidelines are fulfilled. You can find an archived link to these guidelines below.

Atlassian Jira

cidaas

Google

Keycloak

Microsoft Entra ID

Okta

OneLogin

The One Identity logo is a registered trademark of One Identity, Inc.

OpenID Connect

heptacom/shopware-platform-admin-open-auth 适用场景与选型建议

heptacom/shopware-platform-admin-open-auth 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 149.06k 次下载、GitHub Stars 达 35, 最近一次更新时间为 2020 年 03 月 10 日, 在 PHP 生态内属于活跃度较高的组件。

它主要适用于以下技术方向: 「ecommerce」 「oauth」 「administration」 「saml」 「shopware」 「openid-connect」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。

我们在过去多个企业项目中使用过 heptacom/shopware-platform-admin-open-auth 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。

围绕 heptacom/shopware-platform-admin-open-auth 我们能提供哪些服务?
定制开发 / 二次开发

基于 heptacom/shopware-platform-admin-open-auth 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。

BUG 修复 & 性能优化

线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。

项目外包 & 长期维护

承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。

yvsm@zunyunkeji.com QQ:316430983 微信:yvsm316 西安尊云信息科技 · 专注 PHP / Go / 分布式系统研发

统计信息

  • 总下载量: 149.06k
  • 月度下载量: 0
  • 日度下载量: 0
  • 收藏数: 35
  • 点击次数: 42
  • 依赖项目数: 0
  • 推荐数: 0

GitHub 信息

  • Stars: 35
  • Watchers: 3
  • Forks: 14
  • 开发语言: PHP

其他信息

  • 授权协议: Apache-2.0
  • 更新时间: 2020-03-10