Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
OAuth2 Authentication allows users to log into your Drupal site authenticating against a remote identity provider (IDP) via OAuth2.
That is, if a user's credentials can be used to retrieve a valid access token, he/she will be logged into the site with those credentials and the token will be added to his/her session. If the user doesn't exist yet, it will be created.
In doing this, we're making the assumption that resource requesters are actually resource owners. Generally, one shouldn't make that assumption as OAuth2 is an authorization mechanism, not an authentication mechanism.
If you found this module looking for a standard way to have users log in via OAuth2, then you should probably go with OpenID Connect instead. It provides a proper identity layer on top of OAuth2. Think of it like the evolution of SAML. This module is meant for those that don't have access to an OpenID Connect server, do have access to an IDP that speaks OAuth2, and can trust the environment in which all of it operates.
If you haven't considered the security implications of using this module, and you don't control the environment in which it's running, then you shouldn't be using it. For example, you probably don't want to do this sort of thing on a mobile environment as it can't be trusted to the same extent as a Drupal site behind a corporate firewall.
If you made it this far, and are still considering using the module, then make sure you've read and understood the following articles.
It also wouldn't hurt to study the official OAuth 2.0 Threat Model and Security Considerations.
Dependencies
Notes
- When an existing local user logs in, the module will attempt to get an access token for him/her. On success, the token will be added to the user's session. On failure, the user will still be logged in, but will not get a token. Whenever a request to get a token is made, the results are reported in the log.
- Once you've got this set up, you'll have to ensure that the Web-services client module you're using supports the OAuth2 protocol (i.e. token access to resources). If you're already using one that doesn't, you'll have to add that support. Otherwise, go with one that supports this already.
Similar Modules
- OAuth2 Login
- OAuth2 Login redirects users to another Drupal site for authentication, and then sends them back logged in once they're authenticated. This module doesn't do any redirection; everything is done behind the scenes. Users logging in won't even know that they're authenticating against another system. They simply log in using the normal Drupal login process, but get an access token on top of that (if granted). Users that don't exist locally will be created during the login process.
Supporting organizations:
Technical architecture and development
Provided funding
Stewardship
Project information
Maintenance fixes only
Considered feature-complete by its maintainers.- Module categories: Integrations, Access Control
80 sites report using this module- Created by colan on , updated
Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Releases
7.x-1.1
released 22 January 2015
released 22 January 2015
Works with Drupal: 7.x
✓ Recommended by the project’s maintainer.
Development version: 7.x-1.x-dev updated 22 Jan 2015 at 22:23 UTC
