
heptacom/shopware-platform-admin-open-auth
==========================================

Shopware plugin to allow OAuth providers to provide admin logins

Version 9.0.0 (5mo ago) · License: Apache-2.0 · PHP >=8.2.0 · CI failing · [3 open PRs](https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth/pulls)


[Source](https://github.com/HEPTACOM/HeptacomShopwarePlatformAdminOpenAuth) · [Packagist](https://packagist.org/packages/heptacom/shopware-platform-admin-open-auth)

SSO login for shopware platform administration
==============================================


This is part of HEPTACOM solutions for medium and large enterprise
------------------------------------------------------------------


### Shopware plugin to allow external login providers in the administration


This Shopware 6 plugin allows you to add "Login with" functionality to the Shopware administration login page and to its password confirmation dialogs.

Features
--------


- login to Shopware 6 administration using an external identity provider (IDP)
- various providers already preconfigured - Microsoft, Google, Okta, Keycloak, ...
- support for third-party IDPs supporting OpenID Connect
    - easy setup using the provider's metadata document (`.well-known/openid-configuration`)
- support for third-party IDPs supporting SAML2
    - easy setup using the provider's metadata xml
- promote users automatically to administrators
- set roles and permissions based on rules
- disable the password login and automatically redirect users to the identity provider

Security
--------


The login to the Shopware administration is a critical component: a security vulnerability in it gives an attacker access to the whole shop.

Therefore, we critically review our plugin for potential risks before merging pull requests.

In addition, our OpenID Connect implementation checks the signature of JWT tokens whenever possible. When using a pre-configured OpenID Connect provider or when providing an OIDC metadata document, the JWKS keys are automatically fetched from the IDP.

Supported providers
-------------------


We support a variety of identity providers out of the box. If your identity provider is not listed below but offers OpenID Connect support, you can configure it manually using the OpenID Connect provider. In any other case feel free to create a pull request.

| Provider | Supports language sync | Supports timezone sync | Supports role assignment by roles/groups | More info |
|---|---|---|---|---|
| Atlassian Jira | ❌ | ✅ | ❌ | Read more [here](https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/#enabling-oauth-2-0--3lo-). |
| cidaas | ❌ | ❌ | ⚠️ | Read more [here](https://docs.cidaas.com/create-application/createapplication.html). |
| Google Cloud | ✅ | ❌ | ⚠️ | Read more [here](https://developers.google.com/identity/protocols/oauth2/openid-connect). |
| JumpCloud | depends on configuration | depends on configuration | ✅ | Read more [here](https://support.jumpcloud.com/support/s/article/single-sign-on-sso-with-saml-20-connector1). |
| [Keycloak](https://www.keycloak.org/) | ✅ | depends on configuration | ⚠️ | Read more [here](https://blogs.sap.com/2021/08/23/keyclock-as-an-openid-connect-oidc-provider./). |
| Microsoft Entra ID | ❌ | ❌ | ✅ | Read more [here](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app). |
| Okta | ✅ | ✅ | ⚠️ | Read more [here](https://help.okta.com/en-us/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm). |
| OneLogin | ✅ | ❌ | ⚠️ | Read more [here](https://developers.onelogin.com/blog/how-to-use-openid-connect-authentication-with-dotnet-core#heading-menu). |
| OpenID Connect | depends on configuration | depends on configuration | ⚠️ | Try any OpenID Connect provider that we did not explicitly prepare an optimized configuration for. |
| SAML2 | depends on configuration | depends on configuration | ✅ | Try any SAML2 provider that we did not explicitly prepare an optimized configuration for. |

⚠️ supported using the [authenticated request rule](#openid-connect---authenticated-request-rule)

### SAML2 - Technical requirements


In case you want to use a SAML2 provider, your IdP must meet the following requirements:

- include AuthnRequest in the SAML response
- sign the returned assertions
- support HTTP-POST binding for the Assertion Consumer Service (ACS)
- return the user's email address as attribute (all other attributes are optional)

### OpenID Connect - Authenticated request rule


When using an OpenID Connect based provider, you can assign roles depending on the result of an authenticated GET request made with the user's access token. This way you can retrieve any further information from the IDP that is relevant to your specific case. For some providers a preset for retrieving the user's groups is already available.

In case you want to create more complex rules, you can build your own queries within the rule builder. The queries receive the JSON returned by the specified endpoint as input.

#### Authenticated request


Your specified endpoint will be called as follows:

```
GET https://my-company.idp.com/api/groups
Authorization: Bearer
Accept: application/json
```

The request must be encrypted (HTTPS) and will time out after 5 seconds. In case of a timeout or a non-successful response code, the condition will be evaluated as `false`.

In case you have multiple conditions, depending on the same endpoint, the request will only be done once. The response is cached in memory for the duration of the rule evaluation.

#### Processing the response


You can then use a [JMESPath](https://jmespath.org/) query to validate if the input JSON matches your rule.

It is recommended that your query results in a boolean. In case it results in a different type, the condition will be validated as follows:

| Output type | Output value | Validation result |
|---|---|---|
| `boolean` | `true` | `true` |
| `boolean` | `false` | `false` |
| `string` | empty | `false` |
| `string` | non-empty | `true` |
| `number` | `0` | `false` |
| `number` | `1` (or greater) | `true` |
| `array` | empty | `false` |
| `array` | non-empty | `true` |
| `object` | empty | `false` |
| `object` | non-empty | `true` |
| `null` | `null` | `false` |

#### Pagination


In case of larger responses, you might need to paginate through the results. When using an OData compatible endpoint, you can use the "Authenticated OData request" instead. If the validation result on the current result page is `false`, the next page will be automatically requested.
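The request handling and the result coercion described above, modelled as an added example that is not the plugin's own code: the HTTPS call and the JMESPath engine are injected as callables so it runs offline, and `idp.example`, the groups JSON and the token are constructed values.

```python
import json
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit
REQUEST_TIMEOUT_SECONDS = 5  # the README's documented limit for the endpoint call

def to_validation_result(value: Any) -> bool:
    """Coerce a JMESPath result to a condition outcome, following the table above."""
    if value is None or isinstance(value, bool):
        return bool(value)
    if isinstance(value, (int, float)):
        # 0 -> false, 1 or greater -> true; negatives and fractions below 1 are not
        # listed in the README, treating them as false is this example's assumption
        return value >= 1
    if isinstance(value, (str, list, dict)):
        return len(value) > 0  # empty -> false, non-empty -> true
    raise TypeError(f"unsupported query result type: {type(value).__name__}")
# (url, headers, timeout_seconds) -> (status_code, body); injected so this runs offline
Fetcher = Callable[[str, Dict[str, str], int], Tuple[int, str]]

class RuleEvaluation:
    """Rule evaluation for one login: each endpoint is requested at most once."""
    def __init__(self, access_token: str, fetch: Fetcher) -> None:
        self._headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
        self._fetch = fetch
        self._cache: Dict[str, Optional[Any]] = {}
    def _load(self, endpoint: str) -> Optional[Any]:
        if endpoint not in self._cache:
            data = None
            if urlsplit(endpoint).scheme == "https":  # plaintext endpoints are refused
                try:
                    status, body = self._fetch(endpoint, self._headers, REQUEST_TIMEOUT_SECONDS)
                    if 200 <= status < 300:  # any other status code makes the condition false
                        data = json.loads(body)
                except (TimeoutError, ValueError):
                    pass  # timed out or unparsable body: condition evaluates to false
            self._cache[endpoint] = data
        return self._cache[endpoint]
    def condition(self, endpoint: str, query: Callable[[Any], Any]) -> bool:
        """`query` stands in for a compiled JMESPath expression applied to the JSON."""
        data = self._load(endpoint)
        return False if data is None else to_validation_result(query(data))

# Constructed stand-in for the IDP's groups endpoint, so no network is needed.
def sample_fetch(url: str, headers: Dict[str, str], timeout: int) -> Tuple[int, str]:
    return 200, json.dumps({"groups": [{"name": "shop-admins"}, {"name": "sales"}]})

def sample_rule() -> bool:  # same as the JMESPath query contains(groups[].name, 'shop-admins')
    evaluation = RuleEvaluation("constructed-access-token", sample_fetch)
    return evaluation.condition("https://idp.example/api/groups",
                                lambda d: "shop-admins" in [g["name"] for g in d["groups"]])
```

With the real `jmespath` package the query callable would be `lambda d: jmespath.search("contains(groups[].name, 'shop-admins')", d)`; note that a non-empty string such as `"false"` still counts as a match under the table.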

### OpenID Connect - ID Token rule


Most OpenID Connect based providers issue an ID token during authentication. Depending on your use case, this token might contain data that is relevant for the permission assignment.

You can use the ID Token for rules by running a JMESPath query on the payload. For details on the JMESPath query evaluation, see the [authenticated request rule documentation](#processing-the-response).

Adding your own rule actions
----------------------------


In most scenarios you only need to assign roles based on rules. However, for some use cases you might want to add your own actions, which you can do as a plugin developer. The rules are evaluated synchronously during the login process and the appropriate action is executed.

### Adding a new rule action


To add a new rule action, you need to create a service that implements `RuleActionInterface`. The service must be tagged with `heptacom_open_auth.rule_action`.

Thereafter, your action should already be visible in the client configuration.

#### Service


```
