Single Sign On 5.4.6

Social Sign On

Introduction

Social Sign On module will add the possibilty to login in to you ExpressionEngine site via your favorite Social Media site. (MSM Ready)

currently supported

• Google
• Facebook
• Twitter
• LinkedIn
• Apple

Documentation versions

• v5.4.6
• v5.4.5
• v5.4.4
• v5.4.3
• v5.4.2
• v5.4.1
• v5.4.0
• v5.3.1
• v5.3.0
• v5.1.1
• v5.1.0
• v5.0.1
• v4.0.2
• v4.0.1
• v4.0.0
• v3.1.0

Installation

Prerequisites

Make sure your system meets the minimum requirements:

• ExpressionEngine 3.1.x later
• PHP 7.4
• cURL

Installation Instructions

• Upload the folders to the right folder according the downloaded ZIP structure
• Install the module in Add-Ons → Modules
• Make sure you set Website Session type to Cookies only in the EEcms settings

Update instructions

• Backup the Files and the Database
• Remove the old module files (both system and themes)
• Place the new files in the right folders
• Navigatie to the module page and trigger the update proces, by clicking on the "module update" buttondule page and trigger the update proces, by clicking on the "module update" buttonoces, by clicking on the "module update" button

License

For every paid addon you need to validate your license in order to activate the module.

On a local environment, like *.dev *.local *.localhost *.test the license is valid for testing and building a new or existing sites. For every other domain, you need to have a valid license.

Process of validating

Once installed, you will asked to enter your license key. When you entered a valid license you can hit the "Save license" button. This will start validating your license and will redirect you to addons.reinos.nl to login into your account. You can also register a new account in this process.

Once logged in, you are asked to use your current account or to login with another one.

Using the current logged in account, the server will check all info related to your license and once valid, it will redirect you back to your site where you see either a success message or an error message.

License field

This module is using a license field to check if the license for the module is valid or not. On addons.reinos.nl you can check your license and add your valid domains.

In the Module CP you can enter then your license

When you enter a wrong license, the module will not work and it shows you an warning

Invalid license

Sometimes it happens that the license system says you have an invalid license. When this happens, make sure you have entered your domain url in your account, next to your license on addons.reinos.nl.

If this will not fix your license problem, please contact us on https://addons.reinos.nl/support

How it works

As already know the SSO module will allow users to login on your site via a social provider. Below a couple of cases how the module will handle the login and what it will do.

The Login process

1. The user clicks on of the social provider that are enabled.
2. The user will redirect to the social provider and will be asked for his login.
3. When the user enters the correct credentials, the user will be redirect to the EE site
4. On the main EE site, the SSO module will check if the user exists.
5. If the user does not exists:
   1. if member registration has been disabled.
      1. an error will be showed
   2. if member registration has been enabled.
      1. there will be a new member profile created for the user
      2. and a connect link will be made between the social provider and the EE site.
6. If the user exists
   1. if the setting "Allow social login to merge with non social accounts" is set to no there will be shown an error on the screen and the user will be asked to enter a new email address.
   2. if the setting "Allow social login to merge with non social accounts" is set to yes the user will be logged in on the account that already exists on the EE site.
   3. if the user has an account, that is connected to a social provider, it will always login on the existing account.

CP Overview

On the CP page you can modify a couple of things.

Default settings

• The licence key
• Report Statistics
• To what membergroup should a non existing user be assigned

Provider settings

Also you can edit your settings per provider (social site) and per site there are different settings

Google

To get the API keys follow the following steps:

1. Go to https://code.google.com/apis/console/ and create a new project.
2. Go to API Access under API Project. After that click on Create an OAuth 2.0 client ID to create a new application.
3. A pop-up named "Create Client ID" will appear, fill out any required fields such as the application name and description.
4. Click on Next.
5. On the popup set Application type to Web application and switch to advanced settings by clicking on (more options).
6. Provide this URL as the Callback URL for your application: Callback url showed on the overview page

Facebook

To get the API keys follow the following steps:

1. Go to https://developers.facebook.com/apps and create a new application by clicking "Create New App".
2. Fill out any required fields such as the application name and description.
3. Put your website domain in the Site Url field.

Twitter

To get the API keys follow the following steps:

1. Go to https://dev.twitter.com/apps and create a new application.
2. Fill out any required fields such as the application name and description.
3. Put your website domain in the Website field.
4. Provide this URL as the Callback URL for your application: Callback url showed on the overview page

LinkedIn

To get the API keys follow the following steps:

1. Go to https://www.linkedin.com/secure/developer (or https://www.linkedin.com/secure/developer?newapp=) and create a new application.
2. Fill out any required fields such as the application name and description.
3. Copy the Callback URL from the SSO control panel into the OAuto 2.0 Authorized Redirect URL field.

Apple

To get the API keys follow the following steps:

1. Sign in to https://developer.apple.com/account/resources
2. Create a new Identifier of type APP IDs and enable "Sign In with Apple".
3. Create an other Identifier of type Serivces IDs and enable "Sign In with Apple". Configure it so it will use the Primary App ID created in step 2. Also, add your domain and redirect/callback URL e.g. https://your-domain/sso_route/auth/Apple This is your Identifier ID.
4. Create a new Key with "Sign in with Apple" checked and your identifier attached via the config button. Download the key and safe it somewhere safe.

Resources

• https://developer.okta.com/blog/2019/06/04/what-the-heck-is-sign-in-with-apple
• https://developer.apple.com/sign-in-with-apple/get-started
• https://sarunw.com/posts/sign-in-with-apple-2

Email template

To customise the email template, you can alter the template in the Template Manager -> System Templates -> Email and look for SSO.

Has Connected Providers Tag

With the has_connected_providers tag you can check if the user has any provider connected to his account.

The tag

{exp:reinos_sso:has_connected_providers}

Example

{exp:reinos_sso:has_connected_providers}
    The user has a provider connected
{/exp:reinos_sso:has_connected_providers}

Login Tag

With the login_links tag you can add the provider to your website

The tag

{exp:reinos_sso:login_links}

Tag Parameters

Below are the Tag Parameters. Those parameters can be used in the tag described above, Default to the current_url.

return

the return url where the user will be redirected after logged in

return=""

no_email_return

Give a return url for when the email is unavailable from the social channel. Default to the return param

no_email_return=""

new_member_return

the return url for when the user is new. Default to the return param

new_member_return=""

Variables

Below are the variables. Those variables can be used in the tag described above

provider_link

The login link to a provider

{exp:reinos_sso:login_links}
    {provider_link}
{/exp:reinos_sso:login_links}

provider_name

The Provider name

{exp:reinos_sso:login_links}
    {provider_name}
{/exp:reinos_sso:login_links}

Login Tag

With the linked_providers tag you can connect multiple providers to your account

The tag

{exp:reinos_sso:linked_providers}

Tag Parameters

Below are the Tag Parameters. Those parameters can be used in the tag described above, Default to the current_url.

return

the return url where the user will be redirected after logged in

return=""

Variables

Below are the variables. Those variables can be used in the tag described above

provider_connect_link

The connect link to a provider

{exp:reinos_sso:linked_providers}
    {provider_connect_link}
{/exp:reinos_sso:linked_providers}

provider_disconnect_link

The disconnect link to a provider

{exp:reinos_sso:linked_providers}
    {provider_disconnect_link}
{/exp:reinos_sso:linked_providers}

provider_name

The Provider name

{exp:reinos_sso:linked_providers}
    {provider_name}
{/exp:reinos_sso:linked_providers}

provider_is_connected

Variable to check if a user is connected

{exp:reinos_sso:linked_providers}
    {if provider_is_connected}
        <a href="{provider_disconnect_link}">Disconnect from {provider_name}</a>
    {if:else}
        <a href="{provider_connect_link}">Link with {provider_name}</a>
    {/if}
{/exp:reinos_sso:linked_providers}

Error message tag

With the login_error tag you can print the login error on your screen

The tag

{exp:reinos_sso:login_error}

With the email_error tag you can print the email error on your screen (if you collect a email if needed)

The tag

{exp:reinos_sso:email_error}

Update password

When a user that has been logged in with the SSO module want to change their password, it will give the user an error about the current given password.or No matching hash algorithm. This because the SSO module will not copy your Social Provider password to EE (doh, we don't know that ofc! ;-) ).

Because we cannot control the way how a password is saved or updated, we need to take a different path.

By adding the tag {exp:reinos_sso:update_password} directly under the {exp:member:edit_profile} tag, we will bypass the current password for SSO users that did not set a password.

Hooks

sso_callback

(Added in v.3.0.0)
This hook is triggered when the user hits the callback url

if (ee()->extensions->active_hook('sso_callback') === TRUE)
{
   ee()->extensions->call('sso_callback');
}

sso_login

(Added in v.3.0.0) This hook is triggered when a user is logged in via a social provider

if (ee()->extensions->active_hook('sso_login') === TRUE)
{
   ee()->extensions->call('sso_login', $memberObject, $isNewUser);
}

sso_connect

(Added in v.3.0.0) This hook is triggered when a user connect an existing account to the current logged in account

if (ee()->extensions->active_hook('sso_connect') === TRUE)
{
   ee()->extensions->call('sso_connect', $providerName);
}

Changelog

5.4.6 (07-13-2024)

• Updated: vendors to fix Apple Sign In Issues
• Bugfix: PHP 8.x dynamic variables creation

5.4.5 (15-10-2023)

• Bugfix: issue where option disable new members was not working
• Updated: PHP 8.2 support

5.4.4 (23-08-2023)

• Bugfix: where the avatar was not saved correctly (again)
• Bugfix: where facebook avatar was correctly fetched with an access_token
• Update: min PHP version to PHP 7.4

5.4.3 (31-01-2023)

• Bugfix: where the avatar was not saved correctly

5.4.2 (18-01-2023)

• Fixed: incorrect const name

5.4.1 (04-12-2022)

• Fixed: correct version number

5.4.0 (13-11-2022)

• Added: Apple Sign in
• Added: option to disable new member registration via the SSO module

5.3.1 (17-05-2022)

• Bugfix: issue where visitor was throwing a PHP error

5.3.0 (23-04-2022)

• Added: introduce tag {exp:reinos_sso:has_connected_providers}
• Bugfix: no matching hash algorithm PHP error

5.2.1 (24-11-2021)

• Added: settings to disable the default member registration

5.2.0 (18-11-2021)

• Added: delete user from sso table when anonymized

5.1.1 (27-09-2021)

• Bugfix: EE6 issue for Zoo Visitor
• Bugfix: Visitor create 2 or none accounts for a user
• Removed: check on member registration is off due the way how SSO is working

5.1.0 (13-04-2021)

• Added: extra user logging
• Bugfix: where the avatar cannot be synced
• Bugfix: where sometimes the user catch a blank page
• Bugfix: remove linkedin scope w_member_social
• Docs: wrong tag was shown for the collect email form in the settings

5.0.1 (25-02-2021)

• Bugfix: where in some cases login was showing an empty page

5.0.0 (29-12-2020)

• Added: EE6 support

4.0.2 (08-12-2020)

• Added: obey member registration option
• Bugfix: have a default member password

4.0.1 (31-03-2020)

• Bugfix: where the slug for visitor cannot be created
• Bugfix: where the hooks where not called correctly

4.0.0 (27-01-2020)

• Updated: Hybridauth
• Refactor: License settings due the release of the EE store (*Breaking changes)
• Refactor: Rename the module with a prefix of reinos_ due the release of the EE store (**Breaking changes)

*Note: There is a change you will have to validate the license again

**Note: Because the module has been renamed with a prefix reinos_ there is an update path by simply add the new update to* your site and install it. By installing the module, you are disabling the old module that can be deleted afterward. Also note that you have to rename the module calls and hooks with a prefix reinos_

Also note that the module need to be installed twice, as the first installation will modify some files in order to safely migrate the module

See this article about the rename https://addons.reinos.nl/news/modules-renamed

3.1.0 (03-04-2019)

• Refactor: user login, so the password does not change
• Bugfix: where the avatar could not be saved

3.0.2 (18-03-2019)

• Bugfix: where existing users cannot login
• Bugfix: where the notification mail was sent because of the password change

3.0.1 (06-03-2019)

• Bugfix: where the entry url cannot be set for the Visitor module if installed

3.0.0 (19-02-2019)

• Added: possibility to enter an email if no email is fetched from the social site
• Added: {exp:sso:email_error} tag in the collect email tag
• Added: option for "Allow social logins to merge with non social accounts" Default to no for security reasons.
• Added: {exp:sso:auth_error} tag for general auth errors
• Added: {exp:sso:linked_providers} for connect multiple providers to one account
• Added: multiple developer extension hooks
• [BREAKING] Removed: {exp:sso:login_error} tag (use {exp:sso:auth_error})

2.3.0 (25-01-2019)

• Bugfix: where the selection of enabled providers was not showing correctly
• Bugfix: where the MSM was not working correctly
• Updated: hybrid to v2.12.0
• Added: no_email_return="" param that is used when there is no mail available from the social login
• Added: new_member_return="" when the user is new

2.2.0 (19-12-2018)

• Added: EE5 support
• Stopped: EE3 feature development. Only bugfixes are done into the EE3 branch.

2.1.1 (09-06-2018)

• Added: license support for MSM

2.1.0 (25-04-2018)

• Added: new license field (*Breaking changes) [EE3, EE4]
• Bugfix: PHP 7.2 issue [EE3, EE4]

*Note: you need to add your license key and license email from addons.reinos.nl in order to validate your license and add a valid domain url in your license field on addons.reinos.nl/profile/licenses or the module will not work on a live site. Also make sure you have read the license section in the documentation

2.0.0 (04-12-2017)

• Added: EE4 support
• Refactor: Module updater

1.1.1 (01-11-2017)

• Bugfix: issue with the linkedIn keys
• Update: HybridAuth

1.1.0 (25-07-2017)

• Updated: avoid reset password every time on login
• Added: send email when a user is created with a password
• Added: profile picture update for the avatar
• Small bugfixes

1.0.2 (02-03-2017)

• Update: HybridAuth

1.0.1 (30-09-2016)

• Updated: callback url & is already encoded

1.0.0 (08-09-2016)

• init release.