also document the basic items of what users need to use this authserver as an OAuth2...
# Auth Server
This authentication server solution aims to provide an OAuth2-based login service that runs on your own servers and can be used by your websites.
It is written in PHP and should work with recent PHP5 as well as PHP7; the web UI should work in modern browsers and down to IE8.
For installing, do the following:

* `git clone`
* `cd authserver`
* `composer install`
* `git clone`
After that, integrate a config similar to [vhost.authserver.conf](etc/apache/vhost.authserver.conf) into your Apache configuration,
create a user and an empty MySQL database for the authentication service,
and copy [auth_settings.json](etc/kairo/auth_settings.json) to /etc/kairo and adapt it to your needs.
You'll have to at least put in the database name/user/password and insert one nonce into the array, generated with `openssl rand -base64 48`.
Note: if you have a security issue that could have let someone else read the settings file, add a new nonce at the end of the array. NEVER remove a nonce, or all existing passwords will become invalid!
People's password hashes will be migrated to the new nonce the next time they log in.
Keeping a nonce on disk in addition to the salt that is stored with the password in the database raises the bar for an attacker: they need both the database and the on-disk configuration before they can even attempt offline brute-force cracking.
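The scheme above, as an added PHP illustration that is not authserver's own code: it assumes the password is keyed with the on-disk nonce via HMAC-SHA256, then hashed with `password_hash()` (which creates the per-user salt), and that the index of the nonce used is prefixed to the stored value so that hashes made with an older nonce still verify and are migrated to the newest nonce on a successful login.

```php
<?php
// Added illustration of the nonce + salt scheme, not authserver's own code.
// Assumed construction: the password is keyed with the on-disk nonce via
// HMAC-SHA256, then hashed with password_hash(), which creates and embeds the
// per-user salt stored in the database. The stored value is prefixed with the
// index of the nonce used, so older hashes still verify after a new nonce is
// appended to the array, and are migrated to the newest nonce on login.

function pepper_password($password, $nonce) {
    // Without the nonce, a copy of the database alone gives nothing to guess against.
    return hash_hmac('sha256', $password, $nonce);
}

function hash_password($password, $nonces) {
    $index = count($nonces) - 1; // always hash with the newest nonce
    $hash = password_hash(pepper_password($password, $nonces[$index]), PASSWORD_DEFAULT);
    return $index . '$' . $hash; // stored as "<nonce index>$<bcrypt hash>"
}

// Returns false on failure, otherwise the value to store (unchanged or migrated).
function verify_password($password, $stored, $nonces) {
    list($index, $hash) = explode('$', $stored, 2);
    $index = (int) $index;
    if (!isset($nonces[$index])) {
        return false; // the nonce was removed: this hash can never verify again
    }
    if (!password_verify(pepper_password($password, $nonces[$index]), $hash)) {
        return false;
    }
    // Correct password with an old nonce (or outdated cost): re-hash with the newest one.
    if ($index !== count($nonces) - 1 || password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        return hash_password($password, $nonces);
    }
    return $stored;
}

// Constructed demo values; real nonces come from `openssl rand -base64 48`.
$nonces = array('demo-nonce-1');
$stored = hash_password('correct horse battery staple', $nonces);
$nonces[] = 'demo-nonce-2-added-after-settings-file-exposure'; // appended, never removed
$migrated = verify_password('correct horse battery staple', $stored, $nonces);
echo ($migrated !== false && strpos($migrated, '1$') === 0) ? "migrated to nonce 1\n" : "FAIL\n";
echo (verify_password('wrong password', $stored, $nonces) === false) ? "wrong password rejected\n" : "FAIL\n";
```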
If you want to use Piwik with this service, either install it via composer or use a distribution-provided package and point the Apache config and settings to it.
When using it as an OAuth2 provider for login to another site, these are the important endpoints:

* /authorize --- authentication; call with ?response_type=code&client_id=...&state=...&scope=...&redirect_uri=... Only response_type=code is supported right now (an HTML form is displayed to the user, and JSON is sent to redirect_uri).
* /token --- fetch a token; this is used both for getting access tokens and for refresh tokens (as usual).
* /api --- API; must be called with a valid access token. Mostly used for getting the email address (?email, requires the email scope), but can also be used for adding a new OAuth2 client (?newclient, requires the clientreg scope).
* / (or index.php) --- You shouldn't call this from the other site, but people can access it directly and may be redirected/pointed to it during the auth flow.
You need the "email" scope for normal login operation, so you can fetch a (verified) login email after authentication.

There is a (rudimentary) UI for adding new OAuth2 clients, which can be whitelisted for certain users only by adding their email addresses to the settings file (client_reg_email_whitelist).
Please don't use GitHub for issue tracking but - Product: KaiRo Software, Component: Authentication Service