GSOC 2010 Authentication framework
From LimeSurvey Manual
This page is dedicated to the "Authentication framework" project for GSOC2010
FAQ
- What is the difficult part of the project?
The difficult part will not be implementing OpenID, CAS or any other particular authentication scheme, since open-source libraries for connecting to these authentication backends are usually available. I think the most difficult part will be designing an interface in LS1 that makes it possible to implement _any_kind_ of authentication backend.
- Is there a list of authentication protocols you want to support?
There is no such list, because we want a framework that can be extended even with user-specific authentication systems.
For instance, consider the following different cases:
1- Case study 1:
LS1 authentication is based on a simple user/password form, and the password (or password hash) is read from the internal (usual) DB or from another database (such as LDAP when LDAP is used as a database rather than through LDAP bind).
2- Case study 2:
LS1 authentication is based on a simple user/password form, but the authentication is delegated to a server able to check the password's validity: for instance LDAP (when using LDAP-bind authentication) or RADIUS.
3- Case study 3:
LS1 is integrated into another web application which already implements authentication. LS1 authentication is then done simply by checking a value in a given SESSION parameter, or in a GET parameter.
4- Case study 4:
LS1 uses the web server's authentication (the equivalent of the current Web Server Authentication Delegation mode).
5- Case study 5:
LS1 authentication uses an external authentication protocol which requires several messages to be exchanged between the authentication server and the client (possibly several forms to be filled in). For instance: the first screen asks for the username, the server replies with a challenge, then the second form asks for the password corresponding to the proposed challenge.
6- Case study 6:
Authentication is done on a remote web service which generates a service token for LS1. The user is then redirected to LS1 and provides the token (either in a cookie or in a GET or POST parameter). LS1 has to check that the token is valid and then grants access to the user. Examples of such authentication protocols are CAS and OpenID.
- Do I have to implement a framework for each of the above cases?
Of course not.
Let's say that the Generic Authentication Framework is implemented as a PHP class; it will then define an API made up of its public methods, and each concrete authentication module will inherit from this class.
For instance, the generic framework may define:
- An API that returns the capabilities of the module (is it able to do authentication, user provisioning, ...)
- A set of methods to handle authentication, user provisioning (possibly a no-op if not implemented), ...
- A set of facility methods used by modules to display messages, errors, login forms and setup forms
- A set of methods to record/read/modify the module parameters in the DB
Then, in the LS1 core code, an instance of an auth module is instantiated (depending on the setup parameters), and only the methods defined in the Generic Authentication Framework are used (never methods specific to one authentication module). This makes it easy to implement a new authentication module without having to modify the LS1 core code.
- Is this project just about authentication?
No, it isn't restricted to authentication but extends as well to user provisioning (which I sometimes call authorization).
Indeed, authentication only checks that the user really is who he claims to be; it doesn't cope with the user-rights issue. So once authentication is performed, LS1 needs to know the rights for this user: the global rights, as well as the specific rights on each survey. The current approach when delegating authentication to the web server is to let the authentication module create the new user if it is not already in the LS1 database. It is even possible to assign him user-specific global rights through a "hook" function. The authentication interface will have to specify this aspect as well, so that any authentication module will be able to populate the LS1 permissions system.
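The following is an added sketch, not LimeSurvey's own code, showing one possible shape for the generic framework described in the two answers above (a base class whose public methods are the only API the core calls, a capability query, a no-op provisioning hook) together with two of the case studies as concrete modules: case study 1 (password hash checked against a local store) and case study 3 (username taken from a SESSION value set by an embedding application, with provisioning of unknown users). All class, method and parameter names, the in-memory user table and the sample credentials are assumptions constructed for the illustration.

```php
<?php
// Added illustration, not LimeSurvey code. Names below are assumptions.

abstract class AuthModuleBase
{
    const CAP_AUTHENTICATE = 1;   // module can verify identity
    const CAP_PROVISION    = 2;   // module can create users and assign global rights

    protected $params;            // module parameters (the page proposes storing these in the DB)

    public function __construct(array $params = array())
    {
        $this->params = $params;
    }

    // Capability bitmask; the core queries this instead of guessing what the module can do.
    abstract public function capabilities();

    // Returns the verified username, or null when authentication fails.
    // $request carries whatever input the scheme needs (form fields, GET, SESSION ...).
    abstract public function authenticate(array $request);

    // Provisioning hook: returns the global rights for a newly created user.
    // No-op by default, so modules that cannot provision need not override it.
    public function provision($username)
    {
        return null;
    }

    // Facility method shared by all modules for reporting failures.
    protected function fail($why)
    {
        error_log("[auth] $why");
        return null;
    }
}

// Case study 1: user/password form checked against a stored password hash.
class InternalDbAuth extends AuthModuleBase
{
    private $hashes;              // username => password hash (constructed sample store)

    public function __construct(array $hashes)
    {
        parent::__construct();
        $this->hashes = $hashes;
    }

    public function capabilities()
    {
        return self::CAP_AUTHENTICATE;
    }

    public function authenticate(array $request)
    {
        $user = isset($request['user']) ? $request['user'] : '';
        $pass = isset($request['password']) ? $request['password'] : '';
        if (!isset($this->hashes[$user])) {
            return $this->fail("unknown user $user");
        }
        return password_verify($pass, $this->hashes[$user]) ? $user : $this->fail("bad password for $user");
    }
}

// Case study 3: the embedding application already authenticated the user and
// left the username in a SESSION value. This module can also provision users.
class SessionParamAuth extends AuthModuleBase
{
    public function capabilities()
    {
        return self::CAP_AUTHENTICATE | self::CAP_PROVISION;
    }

    public function authenticate(array $request)
    {
        $key = $this->params['session_key'];          // name of the SESSION entry (assumed parameter)
        if (empty($request['session'][$key])) {
            return $this->fail("no $key in session");
        }
        return $request['session'][$key];
    }

    // Hook assigning global rights from a per-user map in the module parameters (assumed).
    public function provision($username)
    {
        $map = $this->params['default_rights'];
        return isset($map[$username]) ? $map[$username] : 'survey_user';
    }
}

// Core-side login: relies only on the base-class API, never on module-specific methods.
// $users stands in for the LS1 user table, as username => global rights.
function coreLogin(AuthModuleBase $module, array $request, array &$users)
{
    if (!($module->capabilities() & AuthModuleBase::CAP_AUTHENTICATE)) {
        return null;
    }
    $username = $module->authenticate($request);
    if ($username === null) {
        return null;
    }
    if (!isset($users[$username])) {
        if (!($module->capabilities() & AuthModuleBase::CAP_PROVISION)) {
            return null;                               // authenticated but unknown, and no provisioning
        }
        $users[$username] = $module->provision($username);
    }
    return $username;
}

// Constructed demo data.
$users = array('alice' => 'superadmin');
$db = new InternalDbAuth(array('alice' => password_hash('s3cret', PASSWORD_DEFAULT)));
var_dump(coreLogin($db, array('user' => 'alice', 'password' => 's3cret'), $users));
var_dump(coreLogin($db, array('user' => 'alice', 'password' => 'wrong'), $users));

$sso = new SessionParamAuth(array('session_key' => 'APP_USER',
                                  'default_rights' => array('bob' => 'survey_admin')));
var_dump(coreLogin($sso, array('session' => array('APP_USER' => 'bob')), $users));
var_dump($users);
```

The point of the split is the one the answer makes: `coreLogin` would be the only place LS1 touches authentication, and it never names `InternalDbAuth` or `SessionParamAuth`, so a module for case studies 2, 4, 5 or 6 is a new subclass plus a setup parameter, with no change to the core. Keeping provisioning behind a capability bit also lets the core refuse an authenticated but unknown user when the module cannot say what rights that user should have.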
- What other sources of information should I read or use?
I really encourage you to carefully read and understand the following page:
Moreover, a look at the following file in LS1 will help you:
usercontrol.php
This project could benefit from ideas developed for the Horde project, especially its Auth class and library.
Some user-proposed patches: