Table of Contents

HTTP Authentication Plugin

Compatible with DokuWiki

  • 2017-02-19 "Frusterick Manners" yes
  • 2016-06-26 "Elenor Of Tsort" yes
  • 2015-08-10 "Detritus" yes
  • 2014-09-29 "Hrun" yes

plugin Authenticate against HTTP authentication credentials

Last updated on
2016-06-09
Provides
Auth, Action
Repository
Source

Tagged with authentication, http

:!: This is an authentication plugin for DokuWiki Weatherwax 2013-05-10a and later! For a solution for earlier DokuWiki versions please refer to ggauth.

Last version successfully tested: 2015-08-10a (PHP 5.6.22 and 7.0.7).

Description

This auth plugin is for you if you don't want your users to have to login through the login form all the time when you have instead already configured your webserver to perform some sort of authentication (eg. HTTP Basic or NTLM authentication). In that case, the Webserver provides a user's credentials to PHP scripts through the superglobal variables $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

Out of the box DokuWiki will already pick these up and pretend the user supplied those through the login form. It will perform authentication using the configured auth plugin (usually authplain) and, if successful, show the user (and the admin) options depending on the auth plugin's capabilities.

This all works out as long as

If the first condition is not true, ie. the plugin does provide the named capabilities, the user could attempt to change his password through the “User profile” function. The admin, through the “User manager”, could also change his login name, delete him or add him with a different login name.

Now if the second condition is also not true, there can be inconsistencies between the HTTP authentication (which might eg. use an old password) and DokuWiki's auth plugin (which might have stored a new password somewhere else), causing Single Sign-On to break and errors to be displayed.

Note that this is not a bug in DokuWiki - DokuWiki can't in any way know how your Webserver's HTTP authentication has been set up.

For example, if you configure your Webserver to display the username/password prompt but not to actually validate them, there is no problem at all since DokuWiki (without this plugin) is the only entity doing actual authentication. This might actually be a considerable setup since there is not much point in authenticating twice. httpauth-passthru describes this.

This plugin does it the other way round. It assumes that the web server already did the authentication and essentially annuls DokuWiki's own authentication by providing a minimalistic checkPass() method which does not really authenticate. It merely checks that DokuWiki's idea of username/password equals the HTTP authentication credentials which should always be the case (except if you did not enable HTTP authentication in your Webserver).

Note however that DokuWiki expects information that HTTP authentication does not provide and where the plugin thus has to improvise:

If these limitations are not acceptable, you might want to combine authhttp with another plugin, authsplit. authhttp comes with an action plugin that improves integration with authsplit:

Installation

Download the latest version from GitHub and rename the extracted directory to authhttp, otherwise the plugin won't work.

Please refer to Plugins for additional info on how to install plugins in DokuWiki.

Configuration and Settings

Note: when authhttp is used together with authsplit and authhttp is the primary auth plugin for authsplit, the last three configuration settings above will have no effect any longer due to the way authsplit works.

Change Log

Credits

This plugin is based on ideas in the ggauth auth backend by Grant Gardner. Grant does not actively maintain ggauth anymore, so an update for the new auth plugins concept is unlikely. Also, his “http” auth backend uses trustExternal() which eg. does not support group memberships if used on its own, ie. without the ggauth "split" auth backend.

Discussion

Please use the Discussion page for user comments.