Our little helpers: Automatic backend logins with OAuth 2.0
In the TYPO3 environment, rights management is definitely a challenge. Most customers have different groups of employees who should all have different access rights in the backend. In addition, our developers also need to be able to take a look at the backend - they usually need administrative access in order to configure extensions, troubleshoot or - more generally - manage the installation. If development systems also come into play, the whole thing quickly becomes complex and requires extensive support.
Who is allowed to enter the backend anyway?
Since the GDPR came into force, you have to think twice about who is allowed to have backend access in the first place. Many agencies, and we are no different in this regard, have given the entire development team access to all TYPO3 installations, regardless of whether the respective colleague is actually working on the project. Under the current legal situation, this practice has to be questioned. Ideally, only those employees who are actively working on a project would have access to it. TYPO3 would therefore have to know which developers are working on the project and create the corresponding backend accounts, ideally automatically. It would also have to close those accounts as soon as the colleague is definitely no longer working on the project.
Backend logins for all developers
Now, MFC has been using GitLab as a Git-based source code management system for some time. All projects are managed via this system and developers have access to their respective projects accordingly.
Since version 7.7, GitLab can act as an OAuth 2.0 identity provider. OAuth is a protocol that lets an application delegate account and permission management to another application. The average user knows it from the "Login with Facebook" or "Login with Twitter" buttons that are ubiquitous on the Internet. All of these services use OAuth to spare the user a separate registration.
There are now quite a few extensions in the TYPO3 Extension Repository (TER) that integrate OAuth. However, almost all of them do so only for frontend logins, i.e. for page visitors. In the backend, apparently no one has yet offered generic OAuth-based logins. The reason is that it is not enough to just "let the user in" (authentication); you also have to define what the user is allowed to do (authorization). A backend login via Facebook, Twitter, etc. is therefore technically possible but does not make sense.
Combined with services such as GitHub, Bitbucket or GitLab, however, things look different: the permissions can simply be derived from what the respective user is allowed to do in a software project hosted there. So if you use one of these services for your source code management, you can manage backend access for developers elegantly.
Our contribution to the TYPO3 community
For this reason, on the occasion of this year's TYPO3 Developer Days 2018, we took the opportunity to create a corresponding interface in TYPO3. Together with my colleagues Christian Hellmund and Simon Schmidt, I created a generic OAuth 2.0 connection to the TYPO3 backend. In the first step we integrated GitLab - mainly to cover our own needs. But the extension is designed in a way that other OAuth 2.0 compatible services can be connected as well.
The setup of the extension in TYPO3 and GitLab is done in only a few steps:
The extension is installed via composer req mfc/oauth2; at least TYPO3 8 LTS is required. The next step is the extension configuration in the backend. Depending on a user's project authorization in GitLab, the administrator can map GitLab users to different backend user groups. From a configurable authorization level upward, the extension sets the admin flag automatically. Administrators who only want to use OAuth for the login itself and prefer to control access permissions themselves can set a configuration flag so that existing backend permissions remain in place.
As soon as the extension is installed and configured, a "Login with GitLab" button appears next to the login via username and password. Clicking it leads to GitLab, where the developer is usually already logged in. GitLab asks once for permission to share profile information with the extension and then redirects back to TYPO3, where the developer is logged in directly. On subsequent logins the user does not even see GitLab, but goes straight to the TYPO3 backend.
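The delegation described in the section on OAuth above and the login flow just described, as an added example in Python. This is not code from the mfc/oauth2 extension or from TYPO3; it simulates both sides offline. FakeGitLab stands in for GitLab's /oauth/authorize, /oauth/token and user endpoints; GROUP_BY_LEVEL, ADMIN_FROM_LEVEL and keep_existing_permissions are assumed names for the configuration the article describes. GitLab's numeric access levels (10 to 50) and the read_user/read_api scopes are real; the account names and client credentials are constructed for the demo.

```python
"""OAuth 2.0 authorization-code login for a CMS backend, simulated end to end.
Added example, not code from the mfc/oauth2 extension or TYPO3. FakeGitLab,
GROUP_BY_LEVEL, ADMIN_FROM_LEVEL and keep_existing_permissions are assumptions."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# GitLab's real numeric project access levels
GUEST, REPORTER, DEVELOPER, MAINTAINER, OWNER = 10, 20, 30, 40, 50
# Assumed configuration: backend group per level; admin flag from this level on
GROUP_BY_LEVEL = {REPORTER: "editors", DEVELOPER: "developers",
                  MAINTAINER: "developers", OWNER: "developers"}
ADMIN_FROM_LEVEL = MAINTAINER


class FakeGitLab:
    """Stand-in for GitLab's OAuth endpoints and API (constructed for the demo)."""

    def __init__(self, client_id, client_secret, redirect_uri, members):
        self.client = (client_id, client_secret, redirect_uri)
        self.members = members      # {username: access_level} of one project
        self._codes = {}            # one-time authorization codes -> username
        self._tokens = {}           # access tokens -> username

    def authorize(self, url, username):
        """/oauth/authorize: consent once, then redirect back with code + state."""
        q = parse_qs(urlparse(url).query)
        if q["response_type"] != ["code"] or q["client_id"] != [self.client[0]]:
            raise ValueError("bad authorization request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = username
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, code, client_id, client_secret, redirect_uri):
        """/oauth/token: the client proves its credentials and redeems the code once."""
        if (client_id, client_secret, redirect_uri) != self.client:
            raise PermissionError("client authentication failed")
        username = self._codes.pop(code, None)
        if username is None:
            raise PermissionError("invalid or already used code")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = username
        return token

    def profile(self, token):
        """User endpoint plus project-member lookup, merged into one call."""
        username = self._tokens[token]          # KeyError for an unknown token
        return username, self.members.get(username)


class OAuthBackendLogin:
    """CMS side: starts the flow, validates the callback, provisions the account."""

    def __init__(self, gitlab, client_id, client_secret, redirect_uri,
                 keep_existing_permissions=False):
        self.gitlab = gitlab
        self.client = (client_id, client_secret, redirect_uri)
        self.keep_existing_permissions = keep_existing_permissions
        self._pending_states = set()    # would live in the browser session
        self.users = {}                 # backend accounts: username -> {groups, admin}

    def start(self):
        """'Login with GitLab' redirect; state ties the callback to this attempt."""
        state = secrets.token_urlsafe(16)
        self._pending_states.add(state)
        return "https://gitlab.example/oauth/authorize?" + urlencode(
            {"response_type": "code", "client_id": self.client[0],
             "redirect_uri": self.client[2], "scope": "read_user read_api",
             "state": state})

    def callback(self, url):
        """Handle the redirect back from GitLab; returns the backend account."""
        q = parse_qs(urlparse(url).query)
        state = q.get("state", [""])[0]
        if state not in self._pending_states:
            raise PermissionError("unknown state: rejected as CSRF or replay")
        self._pending_states.discard(state)
        token = self.gitlab.token(q["code"][0], *self.client)
        username, level = self.gitlab.profile(token)
        if level not in GROUP_BY_LEVEL:            # non-member (None) or Guest
            raise PermissionError(f"{username} has no usable project access")
        account = self.users.get(username)
        if account and self.keep_existing_permissions:
            return account                         # admin manages rights by hand
        account = {"groups": {GROUP_BY_LEVEL[level]}, "admin": level >= ADMIN_FROM_LEVEL}
        self.users[username] = account
        return account


def run_demo():
    """A maintainer and a reporter log in; a replayed and a forged callback fail."""
    args = ("cms", "s3cret", "https://cms.example/oauth/callback")
    gl = FakeGitLab(*args, members={"alice": MAINTAINER, "bob": REPORTER})
    login = OAuthBackendLogin(gl, *args)
    redirect = gl.authorize(login.start(), "alice")
    alice = login.callback(redirect)
    bob = login.callback(gl.authorize(login.start(), "bob"))
    rejected = []
    for bad in (redirect, "https://cms.example/oauth/callback?code=x&state=forged"):
        try:
            login.callback(bad)
        except PermissionError as e:
            rejected.append(str(e))
    return alice, bob, rejected
```

The state value is what makes the callback trustworthy: the backend only accepts a code that arrives with a state it issued itself and has not yet consumed, so a replayed or forged callback is refused before any token exchange. The code exchange on the GitLab side requires the client secret, which never leaves the server. Mapping is deliberately one-directional: the backend account is derived from the project membership on every login unless keep_existing_permissions is set, which is the article's "leave existing permissions in place" mode.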
With the installation of the oauth2 extension, the times of password rotation in customer installations are finally over for our employees.