use correct table name
# Auth Server
This authentication server solution aims to provide an OAuth2-based login service that you run on your own servers and use from your websites.
It's written in PHP and should work with recent PHP5 as well as PHP7; the web UI should work in modern browsers and down to IE8.
For installing, do the following:

* git clone
* cd authserver
* composer install
* git clone
After that, integrate a config similar to [vhost.authserver.conf](etc/apache/vhost.authserver.conf) into your Apache configuration,
create a user and an empty MySQL database for the authentication service,
and copy [auth_settings.json](etc/kairo/auth_settings.json) to /etc/kairo and adapt it to your needs.
You'll have to at least put in the database name/user/password and insert one nonce into the array, generated with `openssl rand -base64 48`.
Note: if you have had a security issue that could have let someone else read the settings file, add a new nonce at the end of the array. NEVER remove a nonce, or all existing passwords will become invalid!
People's password hashes are migrated to the new nonce the next time they log in.
Keeping a nonce on disk in addition to the per-user salt that is stored with the password hash in the database means an attacker needs both a dump of the database and the on-disk configuration before they can even start offline brute-force cracking; a database leak alone is not enough.
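To make the nonce-plus-salt scheme concrete, here is an added illustration that is not the project's code: the actual hash construction, KDF parameters and database record layout used by the service are not shown on this page, so the ones below (PBKDF2-HMAC-SHA256, a `nonce_idx` field remembering which array entry a record was hashed with) are assumptions. It shows a per-user salt in the record, the on-disk nonce array acting as the pepper, migration to the newest nonce on a successful login, and why removing an old nonce breaks every record still hashed with it.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the nonce array in /etc/kairo/auth_settings.json.
# The value is made up; real entries come from `openssl rand -base64 48`.
NONCES = [
    "2sUnA7Q9a3bP1m0Zq8XcYV4fHk6LeWjT0dR5gNuB9xIoCpM1sE7vK2tF8hJ3yLwG",
]

# Assumption: the service's real KDF and iteration count are not given on the page.
ITERATIONS = 50_000


def hash_with_nonce(password: str, salt: bytes, nonce: str) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, salted with the per-user salt
    from the database and peppered with the nonce that lives only on disk."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + nonce.encode("utf-8"), ITERATIONS)


def new_record(password: str, nonces: list) -> dict:
    """Database record for a freshly set password, always using the newest nonce.
    The record stores the salt and the index of the nonce, never the nonce itself."""
    idx = len(nonces) - 1
    salt = secrets.token_bytes(16)
    return {"nonce_idx": idx, "salt": salt.hex(),
            "hash": hash_with_nonce(password, salt, nonces[idx]).hex()}


def verify_and_migrate(password: str, record: dict, nonces: list) -> tuple:
    """Check a login attempt. Returns (ok, record); on success the record is
    re-hashed with the newest nonce if it was still on an older one, which is
    the 'migrated on next login' behaviour. A record whose nonce index no
    longer exists can never be verified again: that is why a nonce must only
    ever be appended, never removed."""
    if record["nonce_idx"] >= len(nonces):
        return False, record
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    actual = hash_with_nonce(password, salt, nonces[record["nonce_idx"]])
    if not hmac.compare_digest(actual, expected):   # constant-time comparison
        return False, record
    if record["nonce_idx"] != len(nonces) - 1:
        record = new_record(password, nonces)       # migrate to the newest nonce
    return True, record


def rotate_nonce(nonces: list, new_nonce: str) -> list:
    """Rotation after a suspected read of the settings file: append only."""
    return nonces + [new_nonce]
```

Note that an attacker holding only the database sees salts and hashes but not the nonce, so every guess would have to be run for every possible nonce as well; an attacker holding only the settings file has nothing to compare against.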
If you want to use Piwik with this service, either install it via composer or use a distribution-provided package, and point the Apache config and the settings at it.
The default skin of the service is intentionally very generic. To create your own skin, copy the app/skin/default folder to a new folder next to it (matching the skin name you put into the settings) and adapt the files contained in there. Right now the SVG file is unused and you don't need it, but it may get used in the future.
When using it as an OAuth2 provider for login to another site, these are the important endpoints:
* /authorize --- authentication; call it with `?response_type=code&client_id=...&state=...&scope=...&redirect_uri=...`. Only response_type=code is supported right now (it displays an HTML form to the user and sends JSON to redirect_uri).
* /token --- token endpoint, used for obtaining both access tokens and refresh tokens (as usual).
* /api --- API; must be called with a valid access token. Mostly used to get the email address (`?email`, requires the email scope), but can also be used for adding a new OAuth2 client (`?newclient`, requires the clientreg scope).
* / (or index.php) --- you shouldn't call this from the other site, but people can access it directly and may be redirected/pointed to it during the auth flow.
You need the "email" scope for normal login operation, so you can fetch the (verified) login email address after authentication. Generate a fresh, unguessable state value for every login attempt and check that it comes back unchanged with the code, otherwise another site's authorization code can be injected into your users' sessions.
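As an added illustration of the endpoints above (not code from the project), here is a relying party walking the code flow against a constructed in-memory stand-in for the service so that it runs offline. The host name, the JSON shape of the /token response (the standard OAuth2 fields), the code/state query parameters on the callback, the client_secret check, and the `{"email": ...}` body from /api?email are all assumptions; the page only names the paths, parameters and scopes.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTH_BASE = "https://auth.example.com"  # assumed host; the page only gives the endpoint paths

# ---- relying-party (your website) side ----

def build_authorize_url(client_id, redirect_uri, state, scope="email"):
    """Step 1: where to send the user's browser. Only response_type=code is supported."""
    query = {"response_type": "code", "client_id": client_id, "state": state,
             "scope": scope, "redirect_uri": redirect_uri}
    return AUTH_BASE + "/authorize?" + urlencode(query)

def parse_callback(callback_url, expected_state):
    """Step 2: the user comes back to redirect_uri (assumed: code and state as query parameters).
    The state must equal the value saved in the user's session, otherwise an attacker can
    complete the login with a code from their own account (login CSRF)."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "code" not in params or not hmac.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("missing code or state mismatch")
    return params["code"]

def exchange_code(server, client_id, client_secret, redirect_uri, code):
    """Step 3: POST /token, grant_type=authorization_code (server-to-server; the secret never hits the browser)."""
    return server.token({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
                         "client_id": client_id, "client_secret": client_secret})

def refresh_tokens(server, client_id, client_secret, refresh_token):
    """Later: POST /token, grant_type=refresh_token, to get a fresh access token."""
    return server.token({"grant_type": "refresh_token", "refresh_token": refresh_token,
                         "client_id": client_id, "client_secret": client_secret})

def fetch_email(server, access_token):
    """Step 4: GET /api?email with the bearer token; needs the 'email' scope."""
    status, body = server.api("email", {"Authorization": "Bearer " + access_token})
    if status != 200:
        raise PermissionError(body["error"])
    return body["email"]

def login_flow(server, client_id, client_secret, redirect_uri, user_email, scope="email"):
    """The whole exchange; the browser hop through the HTML form is simulated by server.authorize()."""
    state = secrets.token_urlsafe(16)                    # keep this in the user's session
    url = build_authorize_url(client_id, redirect_uri, state, scope)
    callback = server.authorize(url, user_email)         # user logs in, approves, is redirected back
    code = parse_callback(callback, state)
    tok = exchange_code(server, client_id, client_secret, redirect_uri, code)
    if "error" in tok:
        raise PermissionError(tok["error"])
    return fetch_email(server, tok["access_token"]), tok

# ---- constructed stand-in for the service's endpoints (not the project's code) ----

class FakeAuthServer:
    def __init__(self, clients):
        self.clients = clients          # client_id -> {"secret", "redirect_uri"} of registered clients
        self.codes, self.access, self.refresh = {}, {}, {}

    def authorize(self, url, user_email):
        """/authorize: validate the request, pretend the user approved, redirect back with a one-time code."""
        p = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        client = self.clients.get(p.get("client_id"))
        if (p.get("response_type") != "code" or client is None or "state" not in p
                or p.get("redirect_uri") != client["redirect_uri"]):   # exact match: no open redirect
            raise ValueError("invalid authorize request")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (p["client_id"], p.get("scope", ""), user_email)
        return p["redirect_uri"] + "?" + urlencode({"code": code, "state": p["state"]})

    def token(self, form):
        """/token: authenticate the client, then redeem a code or a refresh token (each usable once)."""
        client = self.clients.get(form.get("client_id"))
        if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
            return {"error": "invalid_client"}
        if form.get("grant_type") == "authorization_code":
            entry = self.codes.pop(form.get("code"), None)
            if entry is None or entry[0] != form["client_id"] or form.get("redirect_uri") != client["redirect_uri"]:
                return {"error": "invalid_grant"}
        elif form.get("grant_type") == "refresh_token":
            entry = self.refresh.pop(form.get("refresh_token"), None)
            if entry is None or entry[0] != form["client_id"]:
                return {"error": "invalid_grant"}
        else:
            return {"error": "unsupported_grant_type"}
        _, scope, email = entry
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.access[access] = (scope, email)
        self.refresh[refresh] = (form["client_id"], scope, email)
        return {"access_token": access, "token_type": "bearer", "expires_in": 3600,
                "refresh_token": refresh, "scope": scope}

    def api(self, query, headers):
        """/api?email: needs a valid bearer token whose scope includes 'email'."""
        auth = headers.get("Authorization", "")
        entry = self.access.get(auth[7:]) if auth.startswith("Bearer ") else None
        if entry is None:
            return 401, {"error": "invalid_token"}
        scope, email = entry
        if query != "email":
            return 400, {"error": "unknown_request"}
        if "email" not in scope.split():
            return 403, {"error": "insufficient_scope"}
        return 200, {"email": email}
```

The checks that matter on the relying-party side are the ones in parse_callback: a per-attempt state compared in constant time, and the token exchange done from the server with the client secret. On the provider side the stand-in shows the properties a client should expect from /token: exact redirect_uri matching, single-use codes and refresh tokens, and scope enforcement at /api.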
There is a (rudimentary) UI for adding new OAuth2 clients; it can be restricted to certain users by adding their email addresses to client_reg_email_whitelist in the settings file.
Please don't use GitHub for issue tracking but - Product: KaiRo Software, Component: Authentication Service