Add acquia_id and acquia_trials_id modules for Acquia ID SSO #41
Open
mglaman wants to merge 5 commits into acquia:main from
acquia_id provides a reusable OAuth2 PKCE authorization code flow
against Acquia ID (id.acquia.com). It dispatches OAuth2AuthorizationEvent
after token exchange; implementing modules subscribe to resolve the
Drupal user. The client_id and IdP URIs are service parameters so they
are overridable per environment without code changes.
acquia_trials_id subscribes to that event, verifies the authenticated
user has access to the current Acquia Cloud application via
GET /api/applications/{uuid}, then finds or creates the Drupal user
by email.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mglaman commented Apr 9, 2026
| @@ -0,0 +1,26 @@ | |||
| parameters: | |||
| acquia_id.client_id: '' | |||
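Review bot: the "acquia_id.client_id: ''" line ships an empty default, so a site that enables the module without overriding the parameter has no usable client ID. Suggest that the service consuming this parameter reject an empty value with a clear configuration error before it builds the authorization redirect, and that a comment above the parameter state that it must be overridden per environment.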
Removes the getProvider() and getAccessToken() getter methods in favour of direct public readonly property access ($event->provider, $event->accessToken). The properties are constructor-injected and never mutate, so getters add no value.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Both point to production Acquia endpoints so they only need to be overridden in non-production environments.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Users authenticating via Acquia ID on a trial site are always granted the administrator role, whether their account is newly created or already exists.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Sets the Drupal user's uuid field to match the Acquia account UUID from the resource owner data, keeping the identity consistent across systems.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
- acquia_id — a standalone OAuth2 SSO module using the PKCE authorization code flow against Acquia ID (id.acquia.com). Dispatches OAuth2AuthorizationEvent for subscriber-based user resolution; ships with no default subscriber so implementing modules control user find/create logic.
- acquia_trials_id — a thin module that subscribes to OAuth2AuthorizationEvent, verifies the authenticated user has access to the current Acquia Cloud application via GET /api/applications/{uuid}, then finds or creates the Drupal user by email.
- league/oauth2-client: ^2 to the root composer.json.

Key design decisions

- CLIENT_ID is a service parameter (acquia_id.client_id) rather than a hardcoded constant, making it overridable per environment.
- accounts.acquia.com Acquia provider is not included; only the modern Acquia ID (id.acquia.com) provider is used.
- /acquia-id/sso (route name acquia_id.sso).
- acquia_trials_id reuses %acquia_id.cloud_api_base_uri% and reads the application UUID from AcquiaDrupalEnvironmentDetector::getAhApplicationUuid().

Test plan

- acquia_id.* service parameters and enable acquia_id
- /acquia-id/sso — should redirect to Acquia ID authorization URL
- OAuth2AuthorizationEvent should be dispatched
- acquia_trials_id and confirm login grants access when the Cloud API returns 200 for the application UUID
- idp_logout_redirect_uri) when the Cloud API returns a non-200

🤖 Generated with Claude Code
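The PKCE authorization code flow named in the summary, as an added example that is not code from this pull request and does not use league/oauth2-client. It shows the S256 challenge, the state check on the callback, and why an intercepted code is useless without the verifier; the function names, endpoint URLs and client ID are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Base64url without padding, the encoding RFC 7636 uses for verifier and challenge.
function b64url(string $bytes): string {
  return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

// Step 1 (client): create the per-login secrets and the authorization URL.
// All three arguments are placeholders supplied by the caller (assumption).
function begin_login(string $authorizeUri, string $clientId, string $redirectUri): array {
  if ($clientId === '') {
    throw new InvalidArgumentException('client_id is not configured');
  }
  $verifier = b64url(random_bytes(32)); // stays server-side, e.g. in the session
  $state = b64url(random_bytes(16));    // anti-CSRF value echoed back on the callback
  $query = http_build_query([
    'response_type' => 'code',
    'client_id' => $clientId,
    'redirect_uri' => $redirectUri,
    'state' => $state,
    'code_challenge' => b64url(hash('sha256', $verifier, true)),
    'code_challenge_method' => 'S256',
  ]);
  return ['url' => $authorizeUri . '?' . $query, 'verifier' => $verifier, 'state' => $state];
}

// Step 2 (client): reject callbacks whose state does not match the session copy.
function callback_state_ok(string $sessionState, string $returnedState): bool {
  return $returnedState !== '' && hash_equals($sessionState, $returnedState);
}

// Step 3 (identity provider, simulated here): at token exchange the provider
// recomputes the challenge from the presented verifier and compares it.
function idp_accepts_verifier(string $storedChallenge, string $presentedVerifier): bool {
  return hash_equals($storedChallenge, b64url(hash('sha256', $presentedVerifier, true)));
}

// Constructed walk-through with placeholder endpoints and client ID.
$login = begin_login('https://idp.example/authorize', 'example-client-id', 'https://site.example/callback');
parse_str((string) parse_url($login['url'], PHP_URL_QUERY), $sent);
var_dump(callback_state_ok($login['state'], $sent['state']));                      // genuine callback
var_dump(callback_state_ok($login['state'], 'value-from-another-session'));        // forged callback
var_dump(idp_accepts_verifier($sent['code_challenge'], $login['verifier']));       // client holding the verifier
var_dump(idp_accepts_verifier($sent['code_challenge'], b64url(random_bytes(32)))); // code replayed without it
```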