When logging users directly using "Option 2" it seems that the cookies are not checked and authentication is performed for every request to the OIDC provider.

Don't know if this is the expected behaviour, but it does create problems with for example XHR requests.
I think this is due to https://github.com/YOURLS/YOURLS/blob/a2d0d2f626c7ee8fcd280eb91d08c61354578d04/includes/functions-auth.php#L324-L333 not checking cookies is the user is not in the local database.

Thank you so much for developing this plugin. I currently have it set up and running with my OIDC at auth0.com. Have you put any thought into creating an option to bypass the YOURLS login rather than mapping everyone individually?

It'd be nice if anyone who isn't mapped already, I could specify that they can bypass with a specific role.

Hi there,

I have several problems using yourls with the oidc plugin.
Instantly after activation of the plugin I cannot activate or deactivate any plugin anymore nor can I add a new short link, which is a bit annoying as it is the core feature of yourls ;-)

The redirect seems to be the problem as it strips off all the url args:
If I call "https://mygreatdomain/admin/plugins.php?action=deactivate&plugin=oidc&nonce=whatever" I get redirected to https://mygreatdomain/admin/plugins.php?code=XXXX&state=YYYY&session_state=ZZZZ#
And if I set a static redirection url it really seems to be completely static:
$oidc->setRedirectUrl(https://mygreatdomain/admin/); seems to point any page I'd like to load to the main admin page. This seems somehow correct but there are users out there setting the redirectUrl to the /admin/ and not having the problems I have it seems.

I also implemented the pull request #11 which is nice for not having to map users but it doesn't help me with the problems mentioned above.

Thanks,
Ben

Currently the logout redirect URI is hardcoded to the root site that YOURLS is configured for and null is passed for the ID token which is needed to logout of the YOURLS user session with the IDP. The ID token is neither stored nor passed to the logout call which results in a error on logout saying that the client_id is missing. Please note that while I am using OKTA the OIDC spec has this as a standard for IDP logout.

References

• https://d28m3l9ryqsunl.cloudfront.net/docs/reference/api/oidc/#logout
• https://sitecore.stackexchange.com/a/28607
• https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f#:~:text=of%20this%20post.-,RP%20Initiated%20Logout,-In%20this%20case

hello guys and thanks for the great effort !

I would suggest to have docker-compose.yaml which shows how to use this plugin, build it, mount it to the main app (yourls).
why not running keycloak as container

Starter docker-compose.yaml

version: '3.9'

services:
  plugin:
    image: composer:1.7
  yourls:
    # tag from: https://github.com/YOURLS/charts/blob/master/charts/yourls/Chart.yaml#L5
    image: yourls:1.8.1
  keycloak:
      image: quay.io/keycloak/keycloak:14.0.0
  db:
    image:  mysql:5.7

if i got more time, i can finish it and open PR. However, this should be good starter.
Please let me know if you need any support

I am trying to use your plugin with Azure. In Azure I must specify redirect URI so after login with M365 it will know where to redirect the user.
What the correct redirect URI should be?

As I was trying to configure this plugin I noticed that only the openid scope is sent which is required in OIDC flows. For OIDC providers like okta preffered_username only comes with the profile scope. This has prevented us from using our orgs IDP with this plugin

$oidc->addScope('my_scope'); looks like it needs to be added to the plugin
Reference

• https://developer.okta.com/docs/api/openapi/okta-oauth/guides/overview/#scope-values
• https://github.com/jumbojett/OpenID-Connect-PHP#example-4-request-client-credentials-token

the admin dashboard does not allow to Deactivate the plugin :

instead, it throws this error:
Could not auto-encrypt passwords. Error was: "preg_replace problem".

is there a way to desactive this plugin ?

Hi,
After I have logged in via openid I get redirected to the yourls login page instead of getting logged in. Attempting to click login creates a 500 error.

I configured the oidc part in the config.php with our Okta Preview (Development) server environment.

// oidc server
define( 'OIDC_BASE_URL', 'okta-preview-url' );
define( 'OIDC_CLIENT_NAME', 'client-name' );
define( 'OIDC_CLIENT_SECRET', 'client-pass' );
// Option 1: link OIDC users to local YOURLS users
//$oidc_profiles = array(
// 'YOURLS_UNAME' => 'sub attribute from OIDC provider',
//);
// Option 2, all users on OIDC platform have YOURLS accounts. uses 'preferred_username' attribute
define( 'OIDC_BYPASS_YOURLS_AUTH', true );

However, when I test it against said Okta site, it bombs out with a 400 Bad Request error:

Identity Provider: Unknown
Error Code: invalid_request
Description: The 'redirect_uri' parameter must be a Login redirect URI in the client app settings: https://wabtec-admin.oktapreview.com/admin/app/oidc_client/instance/0oaznkfjp4JQAdz3v0h7#tab-general

Is there something extra that needs to be configured on either the Okta side or the client side?

Overview

I setup the plugin with keycloak & everything is going well (login, logout,...) ,
However... except when clicking on the button which generates new shorten link :

I am getting this error on the browser console:

https://yourls.company.com/admin/?state=d27b8870a0a2301dc6ad72c373d89239&session_state=blah-blah-blah&code=BLAHBLAH

Access to XMLHttpRequest at
 'https://keycloak.company.com/auth/realms/myrealm/protocol/openid-connect/auth?response_type=code&redirect_uri=http%3A%2F%2Fyourls.company.com%2Fadmin%2Fadmin-ajax.php&client_id=yourls&nonce=ec2c2.........&state=9ab......&scope=openid' 
 (redirected from 'https://yourls.company.com/admin/admin-ajax.php?action=add&url=https%3A%2F%2FLONG-URL-THAT-IWANT-TO-SHORTEN&keyword=&nonce=8489da0f63') from origin 'https://yourls.company.com' has been blocked by CORS policy: 
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

steps to reproduce :

1. Run yourls v1.8.1

2. Installing the following plugins :

   • yourls-oidc ( this one) - active
   • authMgrPlus ( for RBAC) - active
   • YOURLS-Import-Export - not activated yet
   • yourls-keyword_charset_length - active

3. Deploy everything thru the official helm chart

4. Configure keycloak as following:
   

Expected Behavior

I would expect that all actions should be authenticated with keycloak without bugs and errors.

Actual Behavior

Actually, the API responsible for generating the shorten link (Which is the main functionality) is not working and it's thrown CORS issue

Attempts to fix :

• I tried to fix this issue based on this Q/A stackoverflow which is about setting the keycloak client settings : Web Origins:
  

Unfortunately, it does not work, and i am still getting the same issue.

Tips :

• with redhat keycloak, it's not only realm url, client id, and client secret, but also you can pass other atteributes. Is it about supporting other attributes like "enable-cors": true . REF: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.3/html/securing_applications_and_services_guide/openid_connect_3

• is this helpful also ? https://stackoverflow.com/a/60258569/747579