Opauth - Introduction

Opauth is a multi-provider authentication framework that supports authentication against OAuth or OpenID providers. By using Opauth in your application, you let your users sign in with the account they already hold at one of the major web applications that support OAuth, instead of having to create a new set of credentials and remember yet another password. Web applications that support OAuth include Facebook, Twitter, Google, Instagram, PayPal, LinkedIn, Vimeo, Foursquare and Flickr.

Besides delegating authentication to one of these OAuth providers, Opauth also gives you single sign-on. When a user is already logged in at the provider's website (for example, Facebook), comes to your website and indicates they want to log in with their Facebook account, the provider recognises the existing session and does not prompt the user for credentials again (it may still ask them to approve access to their data the first time). Instead, the user is logged into your application transparently.

Integration

The Auth package provides a wrapper class for the Opauth library that makes it very easy to use in your application, and that integrates seamlessly with the Simpleauth and Ormauth driver sets.

Complete integration means that when a user visits your application for the first time and chooses an OAuth provider as the means to log in, the Opauth integration class can transparently create a local user account (when auto_registration is enabled, see below) and log the user in using that local account. This means that all functionality of the Auth driver set you have selected (such as group assignments or ACLs) also works for users who log in through Opauth.

You can also enable multiple provider support. This allows a user to link additional OAuth providers to an existing account, whether that account was created transparently or manually. So whether they log in with their Facebook, Twitter or Google credentials, your application sees the same user account, and ACLs can be applied without having to worry about the same person existing in your system several times, which would be harder to manage.

Installation and configuration

If this is your first time using the Auth package, first read the sections on Simpleauth and Ormauth, decide which of the two you want to use, and install it according to the instructions there. Once you have done that, come back here and continue reading.

To be able to use Opauth, you first need to install the Opauth library through composer. Add it to the composer.json file in the root of your FuelPHP installation:

"require": {
	"php": ">=5.3.3",
	"monolog/monolog": "1.5.*",
	"opauth/opauth": "0.4.*",
	"fuelphp/upload": "2.0"
},

Besides the Opauth library itself, you also need to install a strategy package for every OAuth provider you want to support in your application. Check the Packagist website to see which composer packages are readily available. For example, say you want to use Facebook, Google and Github. Your composer.json should then look like this:

"require": {
	"php": ">=5.3.3",
	"monolog/monolog": "1.5.*",
	"opauth/opauth": "0.4.*",
	"opauth/facebook": "dev-master",
	"opauth/google": "dev-master",
	"opauth/github": "dev-master",
	"fuelphp/upload": "2.0"
},

After this, run composer to install everything:

$ cd /data/www/myfuelwebsite
$ php composer.phar update

Opauth requires a database table in which the relation between the OAuth credentials and the local user account is stored. This table is automatically created for you when you have installed either Simpleauth or Ormauth.

Configuration

The Opauth wrapper class is configured through a configuration file, not surprisingly called opauth.php. A default file is provided in the Auth package. Copy this file to your app/config folder before making any changes, so the package copy stays untouched.

The following configuration settings can be defined (parameter, type, default, description):

link_multiple_providers (boolean, default: true)
    Whether or not to support linking multiple OAuth providers to a single local account. If set to false and the account already has a provider linked, a login through a second provider is rejected and the user gets an error message.

auto_registration (boolean, default: false)
    If true, a login via a provider automatically creates a placeholder local user account with a random password, provided the provider returned a nickname and an email address.

default_group (integer, default: 1)
    Group ID assigned to the local accounts that are created transparently when a user logs in through an OAuth provider for the first time. By default this is the ID of the Simpleauth 'users' group.

debug (boolean, default: false)
    If true, enables the display of debugging messages from the Opauth library and the strategy classes. Do not enable this on production sites!

security_salt (string, default: null)
    A random string of characters used to salt the signing key of the authentication response. You are required to define one: make it sufficiently long (32 random characters is a sensible minimum), generate it from a cryptographically secure random source, and keep it out of version control.

security_iteration (integer, default: 300)
    Number of hash iterations used when generating the signing hash. More iterations make the signature more expensive to compute, for you and for anyone trying to forge it, but also slow down every login. The default is an acceptable trade-off.

security_timeout (string, default: '2 minutes')
    How long an auth response remains valid, counted from the moment it is generated (when the callback is first requested) to the moment it is received and validated. Older responses are rejected, which limits replay of a captured response. Use any value that strtotime() accepts.

Strategy (array, default: array())
    The list of strategies your application supports. Each entry holds, per strategy, the application ID and application secret the OAuth provider assigned to you, plus any optional configuration items that strategy accepts. It is possible to define multiple strategies for the same provider. See the Opauth documentation on strategies for more information.

When it comes to callbacks, note the differences between the Opauth strategies. For example, Facebook does not require you to define a callback (redirect) URL, Twitter requires one of the form http://example.com/<controller>/callback/, and Google one like http://example.com/<controller>/<method>/google/oauth2callback ("method" being the name of the method in your controller that instantiates the Auth_Opauth driver). Whichever form a strategy uses, register exactly that URL with the provider, so that the provider refuses to redirect the authorization response anywhere else.

You should only set auto_registration to true if you don't care about the local account and you don't want to link accounts. It exists for the simple "login using ..." kind of scenario.

Pay very close attention to the value of default_group. With Ormauth, group IDs are not fixed: they are autoincrement values in your database table, so the 'users' group is not guaranteed to be ID 1. Look the ID up in your groups table rather than assuming it; defining the wrong one ends up giving every OAuth user administrator access.
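The configuration settings above, including the auto_registration and default_group caveats, as an added example that is not part of the Auth package: a config array shaped like the package's default opauth.php, with the secrets read from the environment and the default group resolved by name, plus a lint function to run before the config reaches production. The strategy option names (app_id/app_secret for Facebook, client_id/client_secret for Google), the environment variable names and the sample groups table are assumptions made for this example; check your strategy's own README for the keys it expects.

```php
<?php
// Added example, not from the Auth package. In a real install the array is
// what app/config/opauth.php returns; here it sits in a function so the lint
// below can run stand-alone. Group ids and environment variable names are
// assumptions for illustration.

function hardened_opauth_config(array $groups)
{
    return array(
        'link_multiple_providers' => true,
        'auto_registration'       => false,
        // Resolve the group by name: with Ormauth the id is whatever autoincrement handed out.
        'default_group'           => (int) array_search('users', $groups, true),
        'debug'                   => false,                 // never true in production
        'security_salt'           => getenv('OPAUTH_SALT'), // long random value, never committed
        'security_iteration'      => 300,
        'security_timeout'        => '2 minutes',
        'Strategy' => array(
            'Facebook' => array(
                'app_id'     => getenv('FB_APP_ID'),
                'app_secret' => getenv('FB_APP_SECRET'),
            ),
            'Google' => array(
                'client_id'     => getenv('GOOGLE_CLIENT_ID'),
                'client_secret' => getenv('GOOGLE_CLIENT_SECRET'),
            ),
        ),
    );
}

// Returns the list of problems found in $cfg; an empty list means it passed.
// $groups maps group id => name as read from your auth groups table;
// $admin_groups lists the names that must never become the default group.
function lint_opauth_config(array $cfg, array $groups, array $admin_groups = array('admin'))
{
    $problems = array();

    $salt = isset($cfg['security_salt']) ? $cfg['security_salt'] : null;
    if (!is_string($salt) || strlen($salt) < 32) {
        $problems[] = 'security_salt must be a random string of at least 32 characters';
    }
    if (!empty($cfg['debug'])) {
        $problems[] = 'debug is enabled; it must be false on production sites';
    }
    if (empty($cfg['security_iteration']) || (int) $cfg['security_iteration'] < 1) {
        $problems[] = 'security_iteration must be a positive integer';
    }
    // The library hands the timeout to strtotime(), so validate it the same way.
    $base     = 1700000000; // fixed reference time keeps the check deterministic
    $deadline = isset($cfg['security_timeout']) ? strtotime($cfg['security_timeout'], $base) : false;
    if ($deadline === false || $deadline <= $base) {
        $problems[] = 'security_timeout is not a positive strtotime() offset';
    }
    $gid = isset($cfg['default_group']) ? (int) $cfg['default_group'] : 0;
    if (!isset($groups[$gid])) {
        $problems[] = "default_group $gid does not exist in the groups table";
    } elseif (in_array($groups[$gid], $admin_groups, true)) {
        $problems[] = "default_group $gid is the '{$groups[$gid]}' group: every OAuth user would become an administrator";
    }
    if (!empty($cfg['auto_registration']) && !empty($cfg['link_multiple_providers'])) {
        $problems[] = 'auto_registration is meant for setups without real local accounts; with link_multiple_providers also on, decide which you want';
    }
    $strategies = isset($cfg['Strategy']) ? (array) $cfg['Strategy'] : array();
    foreach ($strategies as $name => $opts) {
        foreach ((array) $opts as $key => $value) {
            if ($value === false || $value === null || $value === '') {
                $problems[] = "Strategy $name: $key is empty";
            }
        }
    }
    return $problems;
}

// Constructed stand-in for "SELECT id, name FROM groups" on an Ormauth install
// where the admin group happened to be created first.
$groups = array(1 => 'admin', 2 => 'users');

// A config the way a fresh copy of the default file is often left: no salt,
// debug switched on while testing, default_group never revisited.
$weak = array_merge(hardened_opauth_config($groups), array(
    'debug'         => true,
    'security_salt' => null,
    'default_group' => 1,
));

foreach (array('weak' => $weak, 'hardened' => hardened_opauth_config($groups)) as $label => $cfg) {
    $problems = lint_opauth_config($cfg, $groups);
    echo "$label: ", count($problems), " problem(s)\n";
    foreach ($problems as $p) {
        echo "  - $p\n";
    }
}
```

Run with `php lint.php`. The weak config is reported for the missing salt, the debug flag and for handing every OAuth user the admin group; the hardened config passes once OPAUTH_SALT (32+ random characters) and the provider credentials are exported in the environment, and otherwise reports exactly which values are still empty, which is the check worth wiring into your deployment pipeline.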