
This use case describes the implementation of attribute-based user login in Drupal using the miniOrange OAuth Client Module. User authentication and identification are performed using attributes received from an OAuth Identity Provider during Single Sign-On (SSO).

In this section, we’ll discuss everything from requirements and implementation process to results.

  • miniOrange OAuth Client module (version 8.x and above) is installed and enabled.
  • Administrator access to module configuration.
  • OAuth Provider is configured and reachable.
  • Required user attributes are available in the OAuth token.

If your Drupal site depends on an external Identity Provider for logging people in, things can get messy when your local info (say, usernames or emails) doesn’t line up with what’s in the Identity Provider. That mismatch causes all sorts of headaches. You might end up with duplicate user accounts. Sometimes the system matches people to the wrong accounts when they try to sign in. User profiles can get outdated, and you’re left doing a lot of manual work just to keep everything straight. Worst of all, these issues can open the door to unauthorized access. It’s a real pain.

By enabling the attribute-based login feature in the Drupal OAuth Client module, site admins can pick which OAuth attributes will act as the primary user identifiers, handling both authentication and user creation.

Adding this to your Drupal site requires a few key configuration steps:

SSO Login Identifier Configuration

  • Administrators can configure a specific OAuth server attribute to be used as the SSO login identifier. This attribute acts as the primary key for user identification during authentication.
  • You set up the SSO Login Identifier by choosing an attribute from your OAuth server, usually something like an email address, a username, or maybe an employee ID or external user ID. When someone tries to log in, Drupal checks for a user account that matches the value in that attribute. This way, you always get a reliable match between the OAuth user and the Drupal account, no guesswork involved.

Authentication and Identification Flow

  • User initiates login from the Drupal application
  • User is redirected to the OAuth Provider
  • Authentication is completed at the Identity Provider
  • OAuth token containing user attributes is returned to Drupal
  • Configured SSO login attribute is evaluated
  • User account is matched or created
  • Mapped attributes are synchronized to the Drupal user profile
  • User session is established

Figure: Drupal OAuth Client authentication flow

SSO Login Attribute

  • A single OAuth server attribute is selected to identify users during login. Supported attributes include, but are not limited to:
    • Email
    • Username
  • This attribute is used to locate existing Drupal users during SSO.

Attribute Mapping

  • OAuth server attributes are mapped to Drupal user fields.
  • Examples:
    • email → mail
    • name → name
    • department → field_department
  • Mapped attributes are updated on each successful login.

  • Deterministic user identification.
  • Consistent identity synchronization.
  • Reduced administrative overhead.
  • Secure and scalable authentication flow.
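
The match-or-create and attribute synchronization steps from the flow above, modelled as an added Python example (not code from the miniOrange module or from Drupal). The in-memory user list, the `resolve_user` function, the `LoginRejected` exception and the case-insensitive comparison are assumptions made for illustration; the attribute mapping reuses the examples on this page.

```python
# Added illustration: models the match-or-create step; not miniOrange or Drupal code.
LOGIN_ATTRIBUTE = "email"   # assumed SSO login identifier (claim name from the provider)
LOGIN_FIELD = "mail"        # user field the identifier is compared against
ATTRIBUTE_MAP = {"email": "mail", "name": "name", "department": "field_department"}


class LoginRejected(Exception):
    """Raised when the claims cannot be tied to exactly one account."""


def resolve_user(claims, users, auto_create=True):
    """Return (account, created) for the claims received from the provider."""
    raw = claims.get(LOGIN_ATTRIBUTE)
    if not isinstance(raw, str) or not raw.strip():
        # A missing or empty identifier must never match an account with an empty field.
        raise LoginRejected("login attribute missing from token")
    ident = raw.strip().casefold()  # assumption: identifiers compare case-insensitively

    matches = [u for u in users
               if str(u.get(LOGIN_FIELD, "")).strip().casefold() == ident]
    if len(matches) > 1:
        # Ambiguous identifier: refuse instead of silently picking the first hit.
        raise LoginRejected("identifier matches more than one account")

    if matches:
        account, created = matches[0], False
    elif auto_create:
        next_uid = max((u["uid"] for u in users), default=0) + 1
        account, created = {"uid": next_uid}, True
        users.append(account)
    else:
        raise LoginRejected("no matching account and provisioning is disabled")

    # Synchronize mapped attributes on every successful login; skip absent claims
    # so a sparse token does not blank out existing profile data.
    for claim, field in ATTRIBUTE_MAP.items():
        if claims.get(claim) is not None:
            account[field] = claims[claim]
    return account, created


# Constructed sample data, not taken from a real site or provider.
USERS = [{"uid": 1, "mail": "alice@example.com", "name": "alice",
          "field_department": "Sales"}]
CLAIMS = {"email": "Alice@Example.com", "name": "alice", "department": "Engineering"}
```

The two rejection paths are the ones worth auditing in a real deployment: a token without the configured attribute, and an identifier that is not unique among existing accounts.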

Attribute-based login using the miniOrange OAuth Client provides a reliable mechanism for user identification in Drupal applications integrated with OAuth Identity Providers. By evaluating OAuth attributes during authentication, Drupal ensures accurate user matching, automated provisioning, and consistent identity management.
