

flownative/openidconnect-neos
=============================

An Open ID Connect (OIDC) setup for the Neos CMS

Version: v0.4.0 · License: MIT · Language: PHP


OpenID Connect for the Neos CMS
===============================


This package provides an [OpenID Connect](https://openid.net/connect/) (OIDC) "bridge" for [Neos](https://www.neos.io/).

It provides sane defaults for the OIDC client package, and provides a way to match Neos backend users to OIDC users. Optionally users can be created on the fly if they don't exist yet.

Terms and Background
--------------------


Before deploying OpenID Connect for your application, you should get familiar with the concepts. For a quick reminder, you can consult the documentation of [Flownative.OpenIdConnect.Client](https://packagist.org/packages/flownative/openidconnect-client).

Requirements
------------


In order to use this plugin you need:

- Neos CMS
- an OIDC Identity Provider which provides auto discovery

Installation
------------


The plugin is installed via Composer:

```
composer require flownative/openidconnect-neos
```

Configuration
-------------


This package provides sane defaults for most of the configuration, suitable for Neos CMS.

The OIDC provider connection must be set up. The default configuration uses these environment variables:

- `OIDC_DISCOVERY_URI`
- `OIDC_CLIENT_ID`
- `OIDC_CLIENT_SECRET`

You may of course set the values directly:

```
Flownative:
  OpenIdConnect:
    Client:
      services:
        neos:
          options:
            discoveryUri: '…'
            clientId: '…'
            clientSecret: '…'
```

You must also set up how roles are determined; see the next section.

### Roles


#### Hard-coded roles


You may configure the provider as follows:

```
Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            providerOptions:
              roles:
                - 'Neos.Neos:Editor'
```

That is the simplest way of configuring roles, but it is also very "static": every user gets the same roles and no variation is possible.

#### Roles from Identity Token


The provider can extract the roles from the identity token values. The roles provided by the token must have the same identifier as in Neos.

Given that the identity token provides a claim called "`https://flownative.com/roles`", you may configure the provider as follows:

```
Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            providerOptions:
              rolesFromClaims:
                - 'https://flownative.com/roles'
```

When a user logs in and her identity token has a value "`https://flownative.com/roles`" containing an array of Flow role identifiers, the OpenID Connect provider will automatically assign these roles.

Roles can be mapped in case their values don't match the required Flow role pattern (`<PackageKey>:<RoleName>`) or if multiple roles should be translated to a single role:

```
Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            providerOptions:
              rolesFromClaims:
                -
                  name: 'https://flownative.com/roles'
                  mapping:
                    'role1': 'Some.Package:SomeRole1'
                    'role2': 'Some.Package:SomeOtherRole'
                    'role3': 'Some.Package:SomeRole'
```

You may specify multiple claim names which are all considered for compiling a list of roles.

Check logs for hints if things are not working as expected.

#### Roles from an Existing Account


If you use locally created Neos users (accounts with the same username as the one provided by the identity token), the roles of that (persisted) account can be used:

```
Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            providerOptions:
              addRolesFromExistingAccount: true
```

You may mix "rolesFromClaims" with "addRolesFromExistingAccount". In that case roles from claims and existing accounts will be merged.

Again, check the logs for hints if things are not working as expected.
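
A small model of the role resolution described in the two sections above, for checking which roles a decoded identity token would yield before changing `rolesFromClaims` or `addRolesFromExistingAccount`. This is an added example in Python, not the package's own code: the function name, the regular expression for role identifiers, the sample token and the choice to report non-matching values instead of assigning them are assumptions.

```python
import re

# Assumed shape of a Flow role identifier: <PackageKey>:<RoleName>
ROLE_PATTERN = re.compile(r"^\w+(?:\.\w+)*:\w+$")

def resolve_roles(token_values, roles_from_claims, existing_account_roles=()):
    """Return (roles, rejected) for the decoded values of an identity token.

    roles_from_claims mirrors the YAML option: each entry is a claim name or
    a dict with 'name' and an optional 'mapping'. existing_account_roles
    models addRolesFromExistingAccount (roles of the persisted account).
    """
    roles, rejected = [], []
    for entry in roles_from_claims:
        if isinstance(entry, str):
            entry = {"name": entry}
        claim, mapping = entry["name"], entry.get("mapping", {})
        if claim not in token_values:
            continue  # claim absent from this token: contributes nothing
        values = token_values[claim]
        if not isinstance(values, list):
            rejected.append((claim, values, "claim is not an array"))
            continue
        for value in values:
            # Apply the mapping first, then require a valid role identifier.
            role = mapping.get(value, value) if isinstance(value, str) else None
            if role is None or not ROLE_PATTERN.match(role):
                rejected.append((claim, value, "not a Flow role identifier"))
            elif role not in roles:
                roles.append(role)
    for role in existing_account_roles:  # merge, keeping each role once
        if role not in roles:
            roles.append(role)
    return roles, rejected

# Constructed sample data, using the claim name and mapping from this page.
SAMPLE_TOKEN = {
    "https://flownative.com/roles": ["role1", "role3", "role3", "unknown role"],
    "groups": "admins",
}
SAMPLE_CONFIG = [
    {"name": "https://flownative.com/roles",
     "mapping": {"role1": "Some.Package:SomeRole1",
                 "role2": "Some.Package:SomeOtherRole",
                 "role3": "Some.Package:SomeRole"}},
    "groups",
]

if __name__ == "__main__":
    print(resolve_roles(SAMPLE_TOKEN, SAMPLE_CONFIG, ["Neos.Neos:Editor"]))
```

The `rejected` list corresponds to the kind of entries worth looking for in the logs when a user ends up with fewer roles than expected.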

#### Roles for Auto-Created Neos Users


In case auto-creation of users is enabled, the roles on the new user can be set by configuration:

```
Flownative:
  OpenIdConnect:
    Neos:
      autoCreateUser: true
      rolesForAutoCreatedUser:
        - 'Neos.Neos:Editor'
```

Note that you still must use (at least) one of the options to assign roles, namely "rolesFromClaims" and "addRolesFromExistingAccount".

### Optional settings


You can set the JWT cookie name if you need to use a different name.

```
Neos:
    Flow:
        security:
            authentication:
                providers:
                    'Neos.Neos:Backend':
                        providerOptions:
                            jwtCookieName: 'flownative_oidc_jwt'
```

If your OpenID Connect provider does not return a `username`, you can map it like this:

```
Flownative:
  OpenIdConnect:
    Neos:
      identityValueMapping:
        'username': 'email'
```

So far this assumes you locally create Neos users with the same username as the OIDC provider returns. You can enable auto-creation of Neos users like this:

```
Flownative:
  OpenIdConnect:
    Neos:
      autoCreateUser: true
      identityValueMapping:
        'firstname': 'https://flownative.com/given_name'
        'lastname': 'https://flownative.com/family_name'
```

The mapping of `firstname` and `lastname` is needed in case those are not returned with those names by your OIDC provider. They are used for the created users. If the identity token contains first name and last name in a single property, you can use the "name" mapping:

```
Flownative:
  OpenIdConnect:
    Neos:
      autoCreateUser: true
      identityValueMapping:
        'name': 'https://flownative.com/given_name_and_family_name'
```

Debugging
---------


- Check the security and system log for messages; there is probably something helpful there.
- Use `./flow configuration:show --path Flownative.OpenIdConnect` to check the settings and look for things you might need to adjust.
- Repeat that step with the `Neos.Flow.security` settings.

Credits and Support
-------------------


This library was developed by Karsten Dambekalns / Flownative. Feel free to suggest new features, report bugs or provide bug fixes in our GitHub project.

Thanks to Daniel Lienert / punkt.de for the initial implementation of the `AccountManager` class.

