Mirror of https://github.com/cypht-org/cypht.git, synced 2026-04-25 04:56:03 +03:00
[GH-ISSUE #786] Authenticate users via OpenID Connect (oidc) #480
Originally created by @CyberFoxar on GitHub (Oct 8, 2023).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/786
🚀 Feature
OpenID Connect is a well-known protocol to authenticate users across multiple applications. It is the basis for a lot of self-hosted / self-deployed solutions. The typical deployment has the administrator deploy an authentication server (typically using Keycloak) that is responsible for keeping track of users.
Keycloak handles the authentication part of the process, presenting users with a login form when they try to access an app, authenticating them, then redirecting them to the app they wanted to access. If you've been in any moderately big company, you've certainly met some variant of this.
Design, Layout, Architecture
I suggest creating a "module" that would propose a new "auth_type",
oidc_auth. Ideally, it would not disable the normal auth flow, but it might be technically impractical to do so. Here's a proposed "flow":

When the module is active, a user is presented with the choice to authenticate with oidc. They might also be directly redirected, especially if it is the only way to authenticate.
When clicking the button, they are redirected to the oidc provider's portal (in this case, a very garish, custom keycloak landing page, we are very proud of it, it also makes noise when you type :3)
The users continue with the authentication flow on their side, and finally...
They get added to a db, or at least the webmail!
Depending on the implementation, of course. But ideally we should have the ability to set some users as admin, maybe through roles in Keycloak, and the ability to save per-user preferences within Cypht.
Additional notes
Upon asking on the Gitter, @marclaporte told me it has been done before-ish. It seems the Tiki CMS rolled out its own way of doing it with Cypht, and it might be used as a starting point.
There is also the option of using the lesser-implemented SAML authentication, but this issue focuses on OIDC.
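An added example, not Cypht's code and not written by the issue author, of the checks the proposed oidc_auth module's redirect and callback steps would need to perform for an OpenID Connect authorization-code login. It is plain PHP with no framework or library dependency. The config keys, the session layout, the placeholder endpoints and the `cypht-admin` role name are all assumptions; the ID token's signature is assumed to have been verified by a JWT library before `validate_id_token_claims()` runs, and the HTTP call to the token endpoint is not shown.

```php
<?php
// Added example (not Cypht's own code). Config keys, session layout and the
// 'cypht-admin' role name are assumptions made for illustration.

function base64url_encode(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

/**
 * Step 1: build the redirect to the provider's authorization endpoint.
 * state binds the callback to this browser session (CSRF protection),
 * nonce binds the ID token to this login attempt (replay protection),
 * and the PKCE verifier binds the code exchange to this client.
 */
function build_authorization_url(array $cfg, array &$session): string {
    $state = base64url_encode(random_bytes(32));
    $nonce = base64url_encode(random_bytes(32));
    $verifier = base64url_encode(random_bytes(32));
    $challenge = base64url_encode(hash('sha256', $verifier, true));

    $session['oidc'] = [
        'state' => $state,
        'nonce' => $nonce,
        'code_verifier' => $verifier,
        'started' => time(),
    ];

    $params = [
        'response_type' => 'code',
        'client_id' => $cfg['client_id'],
        'redirect_uri' => $cfg['redirect_uri'],
        'scope' => 'openid profile email',
        'state' => $state,
        'nonce' => $nonce,
        'code_challenge' => $challenge,
        'code_challenge_method' => 'S256',
    ];
    return $cfg['authorization_endpoint'] . '?' . http_build_query($params);
}

/**
 * Step 2: the provider redirects back with ?code=...&state=...
 * Accept the callback only if state matches the stored value (constant-time
 * compare) and consume it so the same callback cannot be replayed.
 * Returns the authorization code to exchange, or null to reject the login.
 */
function check_callback_state(array $query, array &$session): ?string {
    if (empty($session['oidc']['state']) || empty($query['state']) || empty($query['code'])) {
        return null;
    }
    $expected = $session['oidc']['state'];
    unset($session['oidc']['state']);
    if (!hash_equals($expected, (string) $query['state'])) {
        return null;
    }
    // The caller now posts $query['code'] together with
    // $session['oidc']['code_verifier'] to the token endpoint (not shown).
    return (string) $query['code'];
}

/**
 * Step 3: after the JWT library has verified the ID token signature, check
 * the claims OpenID Connect Core requires a client to check before trusting
 * the login: issuer, audience (plus azp for multi-audience tokens), expiry
 * and the nonce stored in step 1. The nonce is consumed on first use.
 */
function validate_id_token_claims(array $claims, array $cfg, array &$session, int $now): bool {
    $aud = (array) ($claims['aud'] ?? []);
    $nonce = $session['oidc']['nonce'] ?? '';
    unset($session['oidc']['nonce']);
    return ($claims['iss'] ?? '') === $cfg['issuer']
        && in_array($cfg['client_id'], $aud, true)
        && (count($aud) === 1 || ($claims['azp'] ?? '') === $cfg['client_id'])
        && isset($claims['exp']) && $now < (int) $claims['exp']
        && $nonce !== '' && hash_equals($nonce, (string) ($claims['nonce'] ?? ''));
}

/**
 * Step 4: map validated claims to a local account. The stable identity key is
 * 'sub'; preferred_username and email are display data only. Keycloak exposes
 * realm roles under realm_access.roles; the admin role name is an assumption.
 */
function map_user(array $claims): array {
    $roles = $claims['realm_access']['roles'] ?? [];
    return [
        'id' => $claims['sub'],
        'username' => $claims['preferred_username'] ?? $claims['sub'],
        'email' => $claims['email'] ?? '',
        'is_admin' => in_array('cypht-admin', $roles, true),
    ];
}
```

Two design points worth keeping if this is turned into a module: the local account is keyed on the `sub` claim rather than `preferred_username` or `email`, since only `sub` is guaranteed stable and unique per issuer, and both `state` and `nonce` are removed from the session the first time they are checked so that a replayed callback or ID token fails the comparison.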
@CyberFoxar commented on GitHub (Oct 8, 2023):
Of note, I will probably look into implementing it myself, but I'm strapped for time, and unfamiliar with PHP. So feel free to give it your own shot too!
If you need any details and such, I'll be around too! Mostly on GitHub, but I'll try to monitor the Gitter too.
Especially if anyone needs help configuring and setting up Keycloak. Since I've rolled my own, I might be able to give pointers or provide helping scripts.
@marclaporte commented on GitHub (Oct 8, 2023):
For Tiki, we use https://packagist.org/packages/steverhoades/oauth2-openid-connect-client so I recommend this as a starting point.
@marclaporte commented on GitHub (Nov 4, 2023):
Another idea to explore:
Tiki also added support for https://doc.tiki.org/Hybridauth-social-login
And it supports many providers: https://hybridauth.github.io/providers.html
Including "Keycloak OpenId Connect provider adapter."
Source: https://github.com/hybridauth/hybridauth/blob/master/src/Provider/Keycloak.php
@marclaporte commented on GitHub (Nov 5, 2023):
See also: https://github.com/hybridauth/hybridauth/issues/1005