Setup of OAuth2 sign-in

The curl and openssl PHP extensions must be loaded if you want to use this feature.

Checkup of your environement

Requirement	Value / Description
PHP_VERSION	>=5.6.0
openssl	extension loaded
curl	extension loaded
oauth2_enabled	FALSE
oauth2_provider	google
oauth2_client_id	Empty
oauth2_client_secret	Empty
curl.cainfo	Not found
openssl.cafile	Not found
openssl_get_cert_locations	Exists
default_cert_file	Found
default_cert_file_env	Not found
default_cert_dir	Found
default_cert_dir_env	Not found
default_private_dir	Not found
default_default_cert_area	Found
ini_cafile	Not found
ini_capath	Not found

Additional information

Setup Google+ API

Instruction for Google API:

Open Google Developers Console, and create or modify a project.
In the dashboard, select "Enable APIs and get credentials like keys" or a similar entry.
Google+ API must be enabled.
In the left side bar, select "Credentials".
Check that the domain that you'll use is defined into "Domain Verification tab" and add it otherwise.
Optionnally, you may customize the "OAuth consent screen".
Into "Credentials", create a new entry in "OAuth 2.0 client IDs".
In "Authorized JavaScript origins", add the root of your installation (eg "http://demo.jorani.org").
The field "Authorized redirect URIs" must be blank.
Don't forget to save and to note Client ID and Client secret.

Setup Jorani

Setup Jorani by editing application/config/config.php

Switch oauth2_enabled to TRUE.
Set oauth2_provider to google (only google is supported).
Set oauth2_client_id with the value you got from Google developers console.
Set oauth2_client_secret with the value you got from Google developers console.

Setup your PHP environment

Depending on the version you are using, PHP will try to search for a bundle of certicates to be trusted. It is a file containing a list of public keys emitted by servers and APIs. Of course, the Google API must be listed prior trying to use the Google+ API for authentication purposes.

In case your system is not up-to-date, Jorani is bundled with a list of trusted certicates into assets/keys/cacert.pem. The absolute path to this file must be known by either:

OpenSSL, if your version of PHP is greater than 5.6.
Curl, if your version of PHP is lesser than 5.6.

You should modify the PHP.ini file depending on the version of PHP, as follow for PHP 5.6+:

[openssl]
; The location of a Certificate Authority (CA) file on the local filesystem
; to use when verifying the identity of SSL/TLS peers. Most users should
; not specify a value for this directive as PHP will attempt to use the
; OS-managed cert stores in its absence. If specified, this value may still
; be overridden on a per-stream basis via the "cafile" SSL stream context
; option.
openssl.cafile=C:\wamp\www\auth\cacert.pem

; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
;openssl.capath=

Or as follow for older versions of PHP:

[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
curl.cainfo=C:\wamp\www\auth\cacert.pem

Of course, adapt the path according to your environment.

Troubleshooting

In case of error, here are some additional steps:

The HTTP/HTTPS ports may be blocked by your organization/server's security policy (or firewall).
When running SELinux, the webserver is blocked by default (it cannot open a network connection). Please consider unblocking it:
```
$ setsebool -P httpd_can_network_connect 1
```