SSO via Wunderkraut Google account

[joesb]

It would be great to get WunderHub user accounts to authenticate against the user's WK Google account, so passwords and access permission are managed in one central location.

Icing on the cake: automagic Hub account creation/blocking when a person joins/leaves WK

[joesb]

Looks like OAuth is ready for D8: https://www.drupal.org/project/oauth … but not Google Auth: https://www.drupal.org/project/gauth … so we'd need to put time into the Google Auth D8 port

[joesb]

Looks like OpenID Connect (successor to OpenID) is the probably the way forward with this, though it may need some adaptation to limit it to Wunderkraut accounts.

• Google OpenID Connect documentation
• OpenID Connect contrib module (The module ships with two clients: Google and Generic.)
  • Don't know if/how it's possible to restrict the sign-ons to only wunderkraut.com accounts - maybe something in the docs?
  • D8 upgrade issue
  • Github sandbox for D8 upgrade

[joesb]

That Google OpenID Connect sandbox module looks pretty good so far. I've made some adaptations to it so there's support for the 'hosted domain' parameter in Google authentication i.e. limiting the authentication to a specific Google 'hosted domain', which for us would be 'wunderkraut.com' of course.

Pull request: sanduhrs/drupal-openid_connect#5

Only limiting problem at the moment is that I haven't yet worked out how to associate existing Drupal accounts with a Google account. Looking into that now.

[joesb]

This is now deployed.