Add extensible authentication mechanism #20

Open
arthurfabre opened this issue Dec 18, 2014 · 4 comments

@arthurfabre
Contributor

Currently, either the built-in authentication mechanism or external authentication can be used.
This is fine as long as the webserver used has the required modules to perform the desired authentication, but this becomes a limitation when it can't (i.e. lacking ldap auth in nginx, or a shared hosting environment).

We could define a simple AuthenticationSource class that has a single method - authenticateUser($username, $password) that would either return false if the user can't be authenticated, or return array("user" => $user, "email" => $email) (This could be extended to provide more information, such as the name of a user).
The basic database authentication, and external webserver authentication could be reimplemented as two AuthenticationSources.

The allowed AuthenticationSources could then be specified in the config file, allowing users to have more control over the authentication, and allowing them to write their own AuthenticationSources if they need.

Is this a modification that would be accepted / welcome?

@wavexx
Member

wavexx commented Dec 19, 2014

On 12/18/2014 06:19 PM, Arthur Fabre wrote:

> We could define a simple AuthenticationSource class that has a
> single method - authenticateUser($username, $password) that would
> either return false if the user can't be authenticated, or return
> array("user" => $user, "email" => $email) (This could be extended
> to provide more information, such as the name of a user). The basic
> database authentication, and external webserver authentication could
> be reimplemented as two AuthenticationSources.

Yes

> The allowed AuthenticationSources could then be specified in the
> config file, allowing users to have more control over the
> authentication, and allowing them to write their own
> AuthenticationSources if they need.
>
> Is this a modification that would be accepted / welcome?

Absolutely. This is how I had in mind to implement a pluggable quota
mechanism, but never got to it.

Generally, I'd follow how RoundCube does it (which is very simple),
where you have:

htdocs/include/plugins/auth/[name]

and you specify the required plugin in the configuration file:

$authMethod = "[name]";

which is then included.

Like you say, a single method would be enough for authentication to
implement both current methods.

When constructing the class however, we might need some extra parameters
to pass to the authentication method.
For instance, for LDAP, we need the hostname.

I would provision something like:

$authData = array()...

in the configuration file which is passed directly to the constructor of
AuthenticationSource($data).

Better ideas?

@arthurfabre
Contributor Author

> Generally, I'd follow how RoundCube does it (which is very simple), where you have: htdocs/include/plugins/auth/[name] and you specify the required plugin in the configuration file: $authMethod = "[name]";

That seems like a nice way of doing it - it's very similar to what a lot of projects seem to do.
We could also make authMethod an array in order to support multiple auth sources at once which would be attempted in order - not sure if this is a good idea or not.

> When constructing the class however, we might need some extra parameters to pass to the authentication method.
> For instance, for LDAP, we need the hostname.
>
> I would provision something like: $authData = array()...
>
> in the configuration file which is passed directly to the constructor of AuthenticationSource($data).

That would work pretty well, we could implement pretty much any auth source that way.
If we want to support multiple auth sources, we could also define a bunch of extra config parameters (such as $LDAP_auth_hostname, $basic_auth_realm) but I imagine that could get rather messy.

@wavexx
Member

wavexx commented Dec 19, 2014

On 12/19/2014 01:07 PM, Arthur Fabre wrote:

> > Generally, I'd follow how RoundCube does it (which is very simple),
> > where you have: htdocs/include/plugins/auth/[name] and you specify
> > the required plugin in the configuration file: $authMethod =
> > "[name]";
>
> That seems like a nice way of doing it - it's very similar to what a
> lot of projects seem to do. We could also make authMethod an array
> in order to support multiple auth sources at once which would be
> attempted in order - not sure if this is a good idea or not.

I'll keep it simple at first. Extending authMethod to support an array
would be trivial in the future, if needed.
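
A sketch of the design the thread converges on (one `$authMethod`, `$authData` handed to the constructor, a single `authenticateUser()` method), added here as an example and not code from the project or from either participant. The `<Name>AuthenticationSource` class naming, the `<name>.php` file layout, `loadAuthenticationSource()` and the `static` sample source are assumptions made for illustration.

```php
<?php
// Added illustration: only authenticateUser(), $authMethod and $authData come
// from the thread; all other names and the file layout are assumptions.
interface AuthenticationSource
{
    // Returns false on failure, or array("user" => ..., "email" => ...).
    public function authenticateUser($username, $password);
}
// Constructed sample source: verifies against hashes passed in via $authData.
class StaticAuthenticationSource implements AuthenticationSource
{
    private $users;
    public function __construct(array $data)
    {
        $this->users = isset($data['users']) ? $data['users'] : array();
    }
    public function authenticateUser($username, $password)
    {
        if (!is_string($username) || !is_string($password)
            || !isset($this->users[$username])
            || !password_verify($password, $this->users[$username]['hash'])) {
            return false;
        }
        return array("user" => $username, "email" => $this->users[$username]['email']);
    }
}

function loadAuthenticationSource($authMethod, array $authData, $pluginDir)
{
    // Restrict the name so it can never carry "/" or ".." into the include.
    if (!is_string($authMethod) || !preg_match('/\A[a-z][a-z0-9_]*\z/', $authMethod)) {
        throw new InvalidArgumentException('invalid $authMethod');
    }
    $class = ucfirst($authMethod) . 'AuthenticationSource';
    if (!class_exists($class, false)) {
        require_once $pluginDir . '/' . $authMethod . '.php';
    }
    if (!is_subclass_of($class, 'AuthenticationSource')) {
        throw new RuntimeException("$class is not an AuthenticationSource");
    }
    return new $class($authData);
}
$authMethod = "static";
$authData = array("users" => array("alice" => array(
    "hash" => password_hash("constructed-password", PASSWORD_DEFAULT),
    "email" => "alice@example.org")));
$source = loadAuthenticationSource($authMethod, $authData, __DIR__);
var_dump($source->authenticateUser("alice", "constructed-password") !== false);
var_dump($source->authenticateUser("alice", "wrong") === false);
```

Because failure is signalled by `false` and success by an array, callers should compare the result with `=== false` so that an empty or otherwise falsy return from a third-party source is not mistaken for either outcome.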

@wavexx
Member

wavexx commented Jul 14, 2017

Note: should we handle ticket authentication in here as well?
