feat(admin): added OAuth settings in admin configuration

Author: thorsten

.docker/php-fpm/docker-entrypoint.sh

@@ -3,6 +3,13 @@
 # Exit on error
 set -e
 
+#=== Provide backward-compatible project root for Composer PSR-4 paths ===
+# The generated autoloader expects /var/www/phpmyfaq while the development
+# stack mounts the application at /var/www/html.
+if [ ! -e "/var/www/phpmyfaq" ]; then
+  ln -s /var/www/html /var/www/phpmyfaq
+fi
+
 #=== Set folder permissions ===
 folders="content/core/config content/core/data content/core/logs content/user/attachments content/user/images"
 

docs/configuration.md

@@ -288,14 +288,18 @@ describe('Configuration Functions', () => {
             <li class="nav-item" data-config-group="core" data-config-label="Main">
               <a href="#main" data-bs-toggle="tab"></a>
             </li>
-            <li class="nav-item" data-config-group="appearance" data-config-label="Layout">
-              <a href="#layout" data-bs-toggle="tab"></a>
-            </li>
-          </ul>
+          <li class="nav-item" data-config-group="appearance" data-config-label="Layout">
+            <a href="#layout" data-bs-toggle="tab"></a>
+          </li>
+          <li class="nav-item" data-config-group="integrations" data-config-label="OAuth 2.0">
+            <a href="#oauth2" data-bs-toggle="tab"></a>
+          </li>
+        </ul>
         </form>
         <div id="pmf-configuration-result"></div>
         <input id="pmf-language" value="en">
         <div id="main"></div>
+        <div id="oauth2"></div>
       `;
 
       (fetchConfiguration as Mock).mockResolvedValue('Configuration content');
@@ -339,6 +343,10 @@ describe('Configuration Functions', () => {
           <div class="pmf-config-item" data-config-key="mail.remoteSMTPPassword">SMTP password</div>
         </div>
         <div id="api"></div>
+        <div id="oauth2">
+          <div class="pmf-config-item" data-config-key="oauth2.enable">Enable OAuth 2.0 authorization server</div>
+          <div class="pmf-config-item" data-config-key="oauth2.privateKeyPath">Private key path</div>
+        </div>
         <div id="upgrade">
           <div class="pmf-config-item" data-config-key="upgrade.releaseEnvironment">Release environment</div>
         </div>

phpmyfaq/admin/assets/src/configuration/configuration.test.ts

@@ -47,6 +47,7 @@ const TAB_TARGETS = [
   '#layout',
   '#mail',
   '#api',
+  '#oauth2',
   '#upgrade',
   '#translation',
   '#storage',

phpmyfaq/admin/assets/src/configuration/configuration.ts

@@ -119,6 +119,12 @@
                 API
               </a>
             </li>
+            <li role="presentation" class="nav-item" data-config-group="integrations" data-config-label="{{ 'oauthControlCenter' | translate }}">
+              <a href="#oauth2" aria-controls="oauth2" role="tab" data-bs-toggle="tab" class="nav-link">
+                <i aria-hidden="true" class="bi bi-shield-lock"></i>
+                {{ 'oauthControlCenter' | translate }}
+              </a>
+            </li>
             <li role="presentation" class="nav-item" data-config-group="integrations" data-config-label="LDAP">
               <a href="#ldap" aria-controls="ldap" role="tab" data-bs-toggle="tab" class="nav-link">
                 <i aria-hidden="true" class="bi bi-database"></i>
@@ -154,6 +160,7 @@
             <div role="tabpanel" class="tab-pane fade" id="layout"></div>
             <div role="tabpanel" class="tab-pane fade" id="mail"></div>
             <div role="tabpanel" class="tab-pane fade" id="api"></div>
+            <div role="tabpanel" class="tab-pane fade" id="oauth2"></div>
             <div role="tabpanel" class="tab-pane fade" id="upgrade"></div>
             <div role="tabpanel" class="tab-pane fade" id="translation"></div>
             <div role="tabpanel" class="tab-pane fade" id="storage"></div>

phpmyfaq/assets/templates/admin/configuration/main.twig

@@ -13,6 +13,7 @@
   'mail': 'mailControlCenter',
   'push': 'pushControlCenter',
   'api': 'API',
+  'oauth2': 'oauthControlCenter',
   'ldap': 'LDAP',
   'upgrade': 'upgradeControlCenter',
 } %}

phpmyfaq/assets/templates/admin/configuration/tab-list.twig

@@ -26,6 +26,7 @@
 {
     public function __construct(
         private Configuration $configuration,
+        private OAuthDiscoveryService $oAuthDiscoveryService,
     ) {
     }
 
@@ -49,7 +50,7 @@ public function getPublicMetadata(): array
             'availableLanguages' => LanguageHelper::getAvailableLanguages(),
             'enabledFeatures' => $this->buildEnabledFeatures(),
             'publicLogoUrl' => $this->buildPublicLogoUrl(),
-            'oauthDiscovery' => $this->buildOAuthDiscovery(),
+            'oauthDiscovery' => $this->oAuthDiscoveryService->getMetaDiscovery(),
         ];
     }
 
@@ -70,24 +71,6 @@ private function buildEnabledFeatures(): array
         ];
     }
 
-    /**
-     * @return array<string, bool|string|string[]>
-     */
-    private function buildOAuthDiscovery(): array
-    {
-        $apiBaseUrl = rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/api';
-
-        return [
-            'enabled' => $this->toBool($this->configuration->get('oauth2.enable')),
-            'issuer' => $apiBaseUrl,
-            'authorizationEndpoint' => $apiBaseUrl . '/oauth/authorize',
-            'tokenEndpoint' => $apiBaseUrl . '/oauth/token',
-            'grantTypesSupported' => ['authorization_code', 'client_credentials', 'refresh_token'],
-            'responseTypesSupported' => ['code'],
-            'tokenEndpointAuthMethodsSupported' => ['client_secret_basic', 'client_secret_post', 'none'],
-        ];
-    }
-
     private function buildPublicLogoUrl(): string
     {
         return rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/assets/images/logo-transparent.svg';

phpmyfaq/src/phpMyFAQ/Api/MetaService.php

@@ -0,0 +1,72 @@
+<?php
+
+/**
+ * OAuth discovery metadata service.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-11
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Api;
+
+use phpMyFAQ\Configuration;
+
+final readonly class OAuthDiscoveryService
+{
+    public function __construct(
+        private Configuration $configuration,
+    ) {
+    }
+
+    /**
+     * @return array<string, bool|string|string[]>
+     */
+    public function getMetaDiscovery(): array
+    {
+        $document = $this->getDiscoveryDocument();
+
+        return [
+            'enabled' => $this->isEnabled(),
+            'issuer' => (string) $document['issuer'],
+            'authorizationEndpoint' => (string) $document['authorization_endpoint'],
+            'tokenEndpoint' => (string) $document['token_endpoint'],
+            'grantTypesSupported' => $document['grant_types_supported'],
+            'responseTypesSupported' => $document['response_types_supported'],
+            'tokenEndpointAuthMethodsSupported' => $document['token_endpoint_auth_methods_supported'],
+        ];
+    }
+
+    /**
+     * @return array<string, string|string[]>
+     */
+    public function getDiscoveryDocument(): array
+    {
+        $apiBaseUrl = rtrim($this->configuration->getDefaultUrl(), characters: '/') . '/api';
+
+        return [
+            'issuer' => $apiBaseUrl,
+            'authorization_endpoint' => $apiBaseUrl . '/oauth/authorize',
+            'token_endpoint' => $apiBaseUrl . '/oauth/token',
+            'grant_types_supported' => ['authorization_code', 'client_credentials', 'refresh_token'],
+            'response_types_supported' => ['code'],
+            'token_endpoint_auth_methods_supported' => ['client_secret_basic', 'client_secret_post', 'none'],
+        ];
+    }
+
+    public function isEnabled(): bool
+    {
+        $value = $this->configuration->get('oauth2.enable');
+
+        return $value === true || $value === 1 || $value === '1' || $value === 'true';
+    }
+}

phpmyfaq/src/phpMyFAQ/Api/OAuthDiscoveryService.php

@@ -21,6 +21,7 @@
 
 use OpenApi\Attributes as OA;
 use phpMyFAQ\Api\MetaService;
+use phpMyFAQ\Api\OAuthDiscoveryService;
 use phpMyFAQ\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException;
@@ -33,7 +34,10 @@ final class MetaController extends AbstractController
     public function __construct(?MetaService $metaService = null)
     {
         parent::__construct();
-        $this->metaService = $metaService ?? new MetaService($this->configuration);
+        $this->metaService = $metaService ?? new MetaService(
+            $this->configuration,
+            new OAuthDiscoveryService($this->configuration),
+        );
 
         if (!$this->isApiEnabled()) {
             throw new UnauthorizedHttpException(challenge: 'API is not enabled');

phpmyfaq/src/phpMyFAQ/Controller/Api/MetaController.php

@@ -0,0 +1,67 @@
+<?php
+
+/**
+ * OAuth discovery endpoint controller.
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
+ * @copyright 2026 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2026-04-11
+ */
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Frontend;
+
+use OpenApi\Attributes as OA;
+use phpMyFAQ\Api\OAuthDiscoveryService;
+use phpMyFAQ\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\Routing\Attribute\Route;
+
+final class OAuthDiscoveryController extends AbstractController
+{
+    public function __construct(
+        private readonly OAuthDiscoveryService $oAuthDiscoveryService,
+    ) {
+        parent::__construct();
+    }
+
+    #[OA\Get(
+        path: '/.well-known/oauth-authorization-server',
+        operationId: 'getOAuthAuthorizationServerMetadata',
+        tags: ['Public Endpoints'],
+    )]
+    #[OA\Response(
+        response: 200,
+        description: 'Returns OAuth 2.0 Authorization Server Metadata.',
+        content: new OA\JsonContent(properties: [
+            new OA\Property(property: 'issuer', type: 'string', example: 'https://localhost/api'),
+            new OA\Property(property: 'authorization_endpoint', type: 'string'),
+            new OA\Property(property: 'token_endpoint', type: 'string'),
+            new OA\Property(property: 'grant_types_supported', type: 'array', items: new OA\Items(type: 'string')),
+            new OA\Property(property: 'response_types_supported', type: 'array', items: new OA\Items(type: 'string')),
+            new OA\Property(
+                property: 'token_endpoint_auth_methods_supported',
+                type: 'array',
+                items: new OA\Items(type: 'string'),
+            ),
+        ]),
+    )]
+    #[Route(path: '/.well-known/oauth-authorization-server', name: 'public.oauth.discovery', methods: ['GET'])]
+    public function index(): JsonResponse
+    {
+        if (!$this->oAuthDiscoveryService->isEnabled()) {
+            throw new NotFoundHttpException('OAuth 2.0 authorization server metadata is not available.');
+        }
+
+        return $this->json($this->oAuthDiscoveryService->getDiscoveryDocument());
+    }
+}