Remote Authentication

From GeeklogWiki
Latest revision as of 18:20, 11 November 2010

New in Geeklog 1.4.0 is the Remote Authentication system. With Remote Authentication enabled, users can log in to your site with an account on any authorised external service and act as a regular user.

This allows you to disable anonymous comments while still making it easy for people to comment: they don't have to sign up on yet another site (yours) but can use a pre-existing central account.

To enable Remote Authentication:

  1. Install one or more Authentication classes in /path/to/geeklog/system/classes/authentication (Geeklog ships with a class for LiveJournal.com and an LDAP class)
  2. In Geeklog 1.5 or later:
    1. In the Configuration, go to "Users and Submissions" > "Users" and set "User Login Method[3rdparty]" to "True"
    2. (optional) On the same Configuration panel under "User Submission", set "User Submission Queue?" to "False"
  3. In Geeklog 1.4.x:
    1. Set $_CONF['remoteauthentication'] = true; in config.php
    2. (optional) Set $_CONF['usersubmission'] = 0; in config.php

With Remote Authentication enabled, the user is presented with a select box on the login screen to choose the login service. This will default to your site, but allows them to choose an external service. Users are authenticated via their remote username and password, and if they pass authentication a local account is created on your Geeklog site that is slaved to that remote account. These local slave accounts can be banned, given special permissions, etc., just like any regular site user. The account creation process is the same as for local accounts, so all custom functions and plugin notifications are carried out as normal.

In addition, the user is added to the group 'Remote Users', allowing you to automatically grant or deny specific permissions to all remote users.


Unique Usernames

When a new account is created, the local username for that account is set to the remote username. However, if there is already a user in the system with the same username, a call is made to CUSTOM_uniqueUsername, passing in the remote username. This allows the admin to supply a custom function to ensure unique usernames for all users.

It is not necessary to have unique usernames. This does not break the security of a local user's or a remote user's login, as the full remote username and service are stored locally to avoid collisions, and internally users are identified by a unique number. However, if you want to make it clear who has posted a comment or article from the name displayed, this function allows you to ensure uniqueness.

The default implementation (USER_uniqueUsername in lib-user.php) appends a random number of up to four digits to the username. So if the username "john" is already taken, it may come up with "john443" as the username instead.
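As an added illustration (not Geeklog's own code), here is a CUSTOM_uniqueUsername that appends a deterministic counter instead of a random number, so the first collision on "john" always becomes "john2", the next "john3", and so on. Geeklog only passes the remote username, so the lookup against the users table is represented by an assumed helper, exampleUsernameTaken(), working on a constructed list; a real site would replace its body with a database query. The 32-character length cap is also an assumption for this example.

```php
<?php
// lib-custom.php excerpt -- added example, not shipped with Geeklog.
// Geeklog calls CUSTOM_uniqueUsername($username) when the remote username is
// already taken; the return value becomes the new local username.

// Assumed stand-in for the users-table lookup. Compares case-insensitively
// because the database collation usually does as well.
function exampleUsernameTaken($name, array $existing)
{
    return in_array(strtolower($name), array_map('strtolower', $existing), true);
}

function CUSTOM_uniqueUsername($username)
{
    // Constructed sample of names already present in the users table.
    static $existing = array('john', 'john2', 'alice');

    // The remote side chose this name; keep only a safe alphabet locally.
    $base = preg_replace('/[^A-Za-z0-9_.-]/', '', $username);
    if ($base === '') {
        $base = 'user';
    }
    $base = substr($base, 0, 28);   // leave room for the suffix (32-char cap assumed)

    $candidate = $base;
    for ($n = 2; exampleUsernameTaken($candidate, $existing); $n++) {
        $candidate = $base . $n;    // john -> john2 -> john3 ...
    }
    $existing[] = $candidate;       // reserve it for later calls in this request
    return $candidate;
}

// Usage: echo CUSTOM_uniqueUsername('john'), "\n";   // john3 with the sample list
```

The deterministic suffix makes it obvious to readers that "john3" is a different person from "john", which is the purpose of the hook; the random default achieves the same uniqueness but produces names that look arbitrary.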


Disabling Services

To disable a specific service, simply remove the (servicename).auth.class.php file from /path/to/geeklog/system/classes/authentication and that remote service will no longer be available to your users.


Adding Services

Currently authentication modules are available for:

  * LiveJournal
  * LDAP

A module for authentication with Blogger was shipped with Geeklog 1.4.0 and 1.4.1 but has since been removed after Blogger changed their login procedure (the module doesn't work any more).

If you wish to add further services you will have to write custom modules to do so. This can be done by creating a PHP file named ServiceName.auth.class.php which declares a class called ServiceName with a method called authenticate. authenticate takes username and password as arguments and should return a boolean. The class should expose an 'email' property and attempt to provide the user's valid email address if this can be acquired from the remote server. If that information is available, the class can also provide the user's full name ('fullname' property) and homepage ('homepage' property). Note that the module receives the user's cleartext password and forwards it to the remote service, so it should talk to that service over an encrypted connection and must never write the password to a log.
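The following is an added example of a module with the shape described above; it is not one of Geeklog's shipped classes. To keep it runnable offline, the "remote service" is a stand-in: a local text file of user:bcrypt-hash:email:fullname records (an assumption for this example). A real module would replace the file lookup with a call to the service over TLS. The checks around it are the ones a practitioner would want in any such module: fail closed when the service is unreachable, refuse an empty password before contacting a directory (an LDAP simple bind with an empty password is an anonymous bind, which succeeds without proving identity), and constrain the remote username, since it becomes the local username.

```php
<?php
// ExampleService.auth.class.php -- added example, not shipped with Geeklog.
// File name and class name must match: ServiceName.auth.class.php -> class ServiceName.

class ExampleService
{
    // Properties Geeklog reads after a successful authenticate() call.
    public $email    = '';
    public $fullname = '';
    public $homepage = '';

    // Stand-in for the remote service: path of a "user:hash:email:fullname" file (assumption).
    private $store;

    public function __construct($store = null)
    {
        $this->store = $store ?: __DIR__ . '/exampleservice-users.txt';
    }

    // Must return a boolean: true only if the remote service vouched for the credentials.
    public function authenticate($username, $password)
    {
        // Never forward an empty password: a directory may treat it as an
        // anonymous/unauthenticated bind that "succeeds" for anyone.
        if (!is_string($username) || !is_string($password) || $password === '') {
            return false;
        }
        // The remote username becomes the local username; do not trust the
        // remote side to keep it within a sane alphabet and length.
        if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $username)) {
            return false;
        }

        $records = @file($this->store, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        if ($records === false) {
            return false;   // service unreachable: fail closed, never fall back to "allow"
        }

        foreach ($records as $line) {
            $fields = explode(':', $line, 4);   // bcrypt hashes contain no ':'
            if (count($fields) < 3 || $fields[0] !== $username) {
                continue;
            }
            // password_verify() compares the hash in constant time.
            if (password_verify($password, $fields[1])) {
                $this->email    = filter_var($fields[2], FILTER_VALIDATE_EMAIL) ?: '';
                $this->fullname = isset($fields[3]) ? $fields[3] : '';
                return true;
            }
            return false;   // wrong password; same answer as an unknown user
        }
        return false;       // unknown user: identical result avoids username enumeration
    }
}

// Usage (outside Geeklog, for a local test):
//   php -r 'echo password_hash("s3cret", PASSWORD_BCRYPT), "\n";'
//   -> put "john:<that hash>:john@example.com:John Doe" into exampleservice-users.txt
//   $svc = new ExampleService();
//   var_dump($svc->authenticate('john', 's3cret'));   // bool(true), $svc->email set
//   var_dump($svc->authenticate('john', ''));         // bool(false) without touching the store
```

Only the password hash comparison is constant time here; an unknown username returns faster than a wrong password, so a module that cares about enumeration would run a dummy verification on the miss path as well.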

OpenID

Support for OpenID 1.1 was added in Geeklog 1.5.0. For technical reasons, it could not be implemented as a Remote Authentication module but instead had to be built into Geeklog's core code.

OAuth

Support for OAuth 1.0 was added in Geeklog 1.8.0.