XF 2.3 Single sign on and more with OAuth2 in XenForo 2.3

hys_8_cover.png
We're approaching the conclusion of the 'Have you seen...?' series for XenForo 2.3. While it may seem like a bittersweet moment, we've intentionally saved one of the most exciting revelations until last. In the upcoming weeks, we might delve into a few more miscellaneous changes and improvements and provide a more developer-centric round up. However, our primary goal is to have XenForo 2.3 up and running on XenForo.com by the end of November. Beyond that milestone, we're excited to share a couple more surprises with you, which will include an overview of the latest enhancements in XenForo Resource Manager, Enhanced Search, and Media Gallery 2.3.

But, back to today, and not only is this an exciting revelation, but it also signals the implementation of our most popular suggestion of all time. Your XenForo installation will be able to act as an OAuth2 server and this opens up a whole array of advanced use cases:
  • Single sign on between your forum and another XenForo installation
  • Single sign on between your forum and another software
  • Building a different front end for your forum, such as a single page app
  • Building a native smartphone app for your forum
  • Integration between your forum and another application
  • Accessing the XenForo REST API as a specific user with a OAuth token
As ever, let's take a look at how to set this up in XenForo 2.3. In the following example we're going to configure an OAuth2 client on a primary XenForo instance and use a secondary XenForo instance to use that primary instance as a connected account provider.

You can add as many OAuth2 clients as you need and this can be done from your admin control panel under Setup > OAuth2 clients (which lists all clients you have created) and clicking "Add OAuth2 client".

And this is what it looks like all filled in:

hys_8_1.png


Most of this is self explanatory. Title, Description, Homepage URL and Image URL are used for branding any OAuth authorization page. Let's take a closer look at a couple of other inputs on ths page.

Client type​

The difference between "Public" and "Confidential" client types may not be immediately obvious but it is crucial. For the sheer majority of OAuth integrations you might have experience with in the past, you are most likely more familiar with the default option which is the "Confidential" type.

For most applications the "Confidential" type is fine. This means you're able to keep the client secret confidential - in other words, the client secret isn't stored or revealed anywhere by the client. This would be appropriate for a XenForo to XenForo connected account.

For situations where it's not safe to store a secret in the client application (like in JavaScript, single-page apps, or native apps), you should choose the 'Public' client type. When using the 'Public' type, you employ the Proof Key for Code Exchange (PKCE) authorization flow. Instead of sharing a secret, you create a random string. This random string serves as a secure way to confirm your identity during the authorization and token exchange process.

It should be noted that PKCE is required for public clients and recommended for confidential clients. A deeper dive into PKCE is beyond the scope of this post, but rest assured everything will be documented via the manual and/or developer documentation before XenForo 2.3 is released.

Authorization / Token / Revocation endpoints​

These are simply the endpoints you need to communicate with in order to authorize, retrieve a token and revoke tokens as per the OAuth 2.0 specs.

Redirect URIs​

Here you can add one or more redirect URIs. These are the approved redirect URIs that the secondary instance may use. Occasionally you might need more than one redirect URI to support different domains or different endpoints that may get called as part of the process. In this example, as we're going to be communicating from a second XenForo forum, its connected_account.php is sufficient as a redirect URI.


Once the client is created you will be able to view your credentials:

hys_8_2.png


Armed with these, we can now set up a connected account provider on the secondary XenForo instance.

hys_8_3.png


The connected account side of things is all very familiar if you've ever set up any of the existing ones before. The crucial thing is to make sure you get the target board URL correct.

But what you really want to see is the authorization process, don't you?

Via the login, registration or Account > Connected accounts page, as soon as you click the button that corresponds to your new XenForo connected account provider, you will be redirected to the authorization page:

hys_8_4.png


Clicking Authorize will complete the usual steps to authenticate you using OAuth and redirect you back:

hys_8_5.png


If you have approved any applications to access your XenForo account then you can see a list of them under Account > Applications:

hys_8_6.png


While exciting in itself, this is merely a single use case amongst many that our OAuth implementation will open up. And this is where we will leave it for this week. Next week we'll be focusing an entire 'Have you seen...?' entry on what's new for developers in XenForo 2.3. This will enable us to provide a more detailed dive into some smaller, developer-centric changes, including a closer look at some more advanced parts of OAuth such PKCE, authenticating against the REST API and refresh tokens.

If developers want us to talk about anything specific in more detail that we might have mentioned in the last few weeks, please do let us know.
 
Question regarding privacy:

Let's aassume a XenForo 2.3 is running at example.com and semi-trusted-3rdparty.com (running OAuth2 client capable software, might also be XenForo 2.3 or smth. else) would like to authenticate users via example.com.

Would example.com be able to create a client so that semi-trusted-3rdparty.com can authenticate users via example.com without gaining access to
  • userid
  • username
of the authenticated user at example.com?

What about non-public data returned in API calls, especially when thinking about public clients?
 
Manage Clients

Is there an admin interface to see how many users (and which) currently use (or have used) a specific client?
Can this list be exported (as CSV)?
Is it possible for the admin to manually revoke specific tokens?
 
Last edited:
So i don't really understand what OAuth is or how it works and I've got a couple of n00b questions. If I understood correctly, this feature would allow for the possibility of members from another XF forum to sign in to my forum using the other XF forum's log in. I'm guessing the owner/admin of the other forum and I would both need to do some configuration magic to make this happen? Also, if we set it up and a user of the other forum signs in to my forum, does it create a user account on my forum for that user? Will I be able to set user groups/permissions/etc. for users visiting from the other forum?
 
If I understood correctly, this feature would allow for the possibility of members from another XF forum to sign in to my forum using the other XF forum's log in.
I think it is geared more to enabling you to have one XF site act as the login repository for other sites, XF and other OAuth clients, that you control. Though obviously with the cooperation of another site owner, you might be able to do what you describe (people logging in to your forum with a login from someone else's forum).
I'm guessing the owner/admin of the other forum and I would both need to do some configuration magic to make this happen?
Yes, but as I said, I imagine a lot of the use cases would be people who control multiple sites wanting to use one of them as the login repository so that the admin doing the setup would control both sides.

I will leave the other questions to Xenforo to answer.
 
In fact, my question would also be, if I had to and wanted to make a connection between users with Joomla or WordPress, will I also have to be able to program an extension for these platforms? Or do you use a different approach, bridging with some type of file or configuration?
 
So i don't really understand what OAuth is or how it works and I've got a couple of n00b questions.
If you've ever logged into a website using your Google / Facebook / Twitter / Microsoft / Github account - that's OAuth.

I'm guessing the owner/admin of the other forum and I would both need to do some configuration magic to make this happen?
Yes. The "provider" (the XenForo through which users will actually log in) will have to create an OAuth client, the "consumer" (the XenForo which likes to offer login though another website) must configure a connected account provider as shown in the screenshots.

Also, if we set it up and a user of the other forum signs in to my forum, does it create a user account on my forum for that user?
Yes.

Will I be able to set user groups/permissions/etc. for users visiting from the other forum?
Yes (assuming that "users visiting from the other forum" means "users that are registered at the other forum and register / login on your forum through OAuth via the other forum).
 
...
Yes. The "provider" (the XenForo through which users will actually log in) will have to create an OAuth client, the "consumer" (the XenForo which likes to offer login though another website) must configure a connected account provider as shown in the screenshots.
...

If an XF forum creates an OAuth client, can any website "configure a connected account" or do they need a magic key? For example, if I create an OAuth client for my XF forum, can any other XF forum accept logins from my forum users or would they need to ask me for a magic key to make it work?
 
If an XF forum creates an OAuth client, can any website "configure a connected account" or do they need a magic key? For example, if I create an OAuth client for my XF forum, can any other XF forum accept logins from my forum users or would they need to ask me for a magic key to make it work?
As pictured in the first post, you they would need your client ID and client secret to make it work.
 
In fact, my question would also be, if I had to and wanted to make a connection between users with Joomla or WordPress, will I also have to be able to program an extension for these platforms?
Do you want WordPress users to be able to log into XenForo?
In this case WordPress needs an OAuth provider Plug-in like

Furthermore, XenForo needs an OAuth2 Connected Account provider class that can communicate with this endpoint.
This most likely would require custom development, at least with XenForo 2.0-2.2 - if this is still the case with XenForo 2.3 depends a bit on the used OAuth2 Client library.

Why does this need custom development, can't there be a "generic" OAuth2 client?

OAuth2 only specifies how to authorize a user, it does not specify how to actually get information about the user (ID, username, email, etc.), so this is specific to each provider.
The provider implementations XenForo offers are built for specific providers (Microsoft, Googe, Facebook, etc.) -there is (currently) no class that is fully configurable.

Or do you want XenForo users to be able to log into WordPress?
In this case WordPress needs an OAuth2 Client plugin that is either a) fully configurable regarding API URLs and returned data or b) built specifically for XenForo.
I am not that familiar with WordPress but from reading it seems like https://wordpress.org/plugins/miniorange-login-with-eve-online-google-facebook/ might be able to do that.
 
Last edited:
Kinda. There’s only one pre-installed but you can add multiple entries of type XF:Provider\XenForo to the provider table in the database if that’s needed.
 
Yeah, that's kinda what I expected.
I know that I can do this, the majority of admins most likely can't - suggestion filed.
 
Last edited:
As pictured in the first post, you they would need your client ID and client secret to make it work.
Let's say I have two separate domains and two separate XenForo licenses.
I want to use only "Resources" in one and "Forum" in the other.
But only 1 site will have membership.
When the user is a member of one site, he will be able to log in to my other site.
Will this be possible?
 
But only 1 site will have membership.
When the user is a member of one site, he will be able to log in to my other site.
Will this be possible?
Strictly speaking: No.
It is not possible (without custom development) to log into a XenForo without being a member on its database.

What you can do:
  1. Setup XenForo on Site 1 and setup na OAuth Client there for Site 2.
  2. Setup XenForo + XFRM on Site 2 and configure it to not have any Forums, make XFRM the index route.
    Also setup a connected account provider of type XenForo on Site 2 with the credentials of the client created on Site 1
With this configuration users of Site 1 can register at Site 2 without having to go through a standalone registration process (they would register with their account from Site 1).
 
Back
Top Bottom