Differences

This shows you the differences between two versions of the page.

--- devel:auth_plugins [2014-03-24 15:06] – Klap-in
+++ devel:auth_plugins [2023-09-19 10:50] (current) – [addGroup] andi
@@ Line 1: / Line 1: @@
 ====== Authentication Plugins ======
-| **Info on this page is for 2013-05-10 "Weatherwax" and later**\\ \\ See for info for releases 2012-10-13 "Adora Belle" and older on:\\ - development of  old [[devel:authentication backends]] \\ -  old authentication modules [[:auth]] \\ \\ Below first version of docs for new auth plugins. It may contain errors! Please report them, all feedback is welcome.|
+DokuWiki's authentication system is highly modular and can, generally speaking, authenticate using anything that is accessible from PHP. Check the [[plugintype>128#extension__table|list of Auth Plugins]] to see what is already available. Auth Plugins can be installed via the [[plugin:Extension|Extension Manager]].
-DokuWiki's authentication system is highly modular and can, generally speaking, authenticate using anything that is accessible from PHP. Available [[plugintype>128#extension__table|Auth Plugins]] are listed.
+Authentication plugins provide multiple tasks:
+  - authenticate the current user, eg. check some password, trust a cookie or similar
+  - provide user information on any user, eg. get the name, email address, and group memberships
+  - provide mechanisms to manage users, eg. create new users, change profile data
-In summary, there are two distinct ways of building your authentication plugin. Firstly, you can create a plugin that implements all DokuWiki's methods needed to gather user info and verify users. Secondly, you can use the ''trustExternal()'' method, which will replace the Dokuwiki authentication functions. You handle the authentication in this method by calling your own backend.
 ===== Synopsis =====
-An Authentication Plugin //Example// needs:
+Please refer to [[devel:plugins]] and [[plugin file structure]] for general info for plugin development. Best use the [[plugin:dev|dev plugin]] to get started.
-  * class name  ''auth_plugin_authexample''
-  * which extends [[xref>DokuWiki_Auth_Plugin]]((defined in ''lib/plugins/auth.php'')).
-  * to be stored in a file ''lib/plugins/authexample/auth.php''.
-Moreover, a [[plugin_info|plugin.info.txt]] file is needed. For full details of plugins and their files and how to create more auth components refer to [[plugin file structure]].
+Your new class needs to follow the general naming scheme for plugins and inherit from [[xref>dokuwiki\Extension\AuthPlugin]].
-====Required implementation====
+Eg. for a plugin ''example'', the class name would be ''auth_plugin_example'' defined in ''lib/plugins/example/auth.php''.
-You need to implement at least two fields and three methods.
-//Fields://
+Below, the most important methods when writing an auth plugin are described. Refer to [[devel:common plugin functions]] for inherited functions available to all plugins and check your IDE for additional possible overrides.
-  * **''[[xref>$success]]''** \\ This simple boolean needs to be set to //true// in your constructor if your auth module was correctly initialized. Use this to notify the frontend if anything went wrong by setting it to //false//.
-  * **''[[xref>$cando]]''** \\ The ''$cando'' field is an associative array of booleans. You need to set the array fields to //true// for all functions your backend provides. Here is a list of keys in ''$cando'' and their meaning:
+===== Initialization and Capabilities =====
-    * ''addUser''     -- can Users be created?
-    * ''delUser''     -- can Users be deleted?
-    * ''modLogin''    -- can login names be changed?
-    * ''modPass''     -- can passwords be changed?
-    * ''modName''     -- can real names be changed?
-    * ''modMail''     -- can emails be changed?
-    * ''modGroups''   -- can groups be changed?
-    * ''getUsers''    -- can a (filtered) list of users be retrieved?
-    * ''getUserCount'' -- can the number of users be retrieved?
-    * ''getGroups''   -- can a list of available groups be retrieved?
-    * ''external''    -- does the module do external auth checking?
-    * ''logout''      -- can the user logout again? (eg. not possible with HTTP auth)
-//Methods://
+Your plugin needs to signal that it is ready to use to DokuWiki's authentication sub system.
-Only a few functions need to be implemented. But the more you do the more the frontend will be able to do. See [[xref>lib/plugins/auth.php]] for the methods' arguments and return values and for an example implementation see [[xref>lib/plugins/authplain/auth.php]] the plain authentication backend, DokuWikis default.
+This is done in the plugin's constructor. You can use it check that configuration is complete, database connections work, etc. If everything is okay, you need to set the [[xref>AuthPlugin::$success|$success]] property to ''true''.
-  * **''[[xref>__construct|__construct()]]''** \\ Well your class should have a constructor of course :-) Set the fields ''$success'' and ''$cando'' mentioned above here.
+You also need to signal what functionality your plugin provides. For example with some backends it might not be possible to change user names while others have no way to log out after logging in. This is done by setting the different flags in the [[xref>AuthPlugin::$cando|$cando]] property. The more flags you enable here, the more methods you need to implement as described below.
+<code php>
+public function __construct()
+{
+    parent::__construct();
-  * **''[[xref>checkPass|checkPass($user, $pass)]]''** \\ This function need to check if the given userid ''$user'' exists and the given plaintext password ''$pass'' is correct.
+    $this->cando['modName'] = true;
+    $this->cando['modMail'] = true;
-  * **''[[xref>getUserData|getUserData($user)]]''** \\ Used to return user information like email address and real name, for the requested userid ''$user'' \\ Return false or an array with at least the keys<code php>
+    $this->success = true;
-array(
+}
-    'name' => string,
-    'mail' => string,
-    'grps' => array()
-)
 </code>
+Here is a list of keys in ''$cando'' and their meaning:
-====Optional implementation====
+  * ''addUser''     -- can Users be created?
+  * ''delUser''     -- can Users be deleted?
+  * ''modLogin''    -- can login names be changed?
+  * ''modPass''     -- can passwords be changed?
+  * ''modName''     -- can real names be changed?
+  * ''modMail''     -- can emails be changed?
+  * ''modGroups''   -- can groups be changed?
+  * ''getUsers''    -- can a (filtered) list of users be retrieved?
+  * ''getUserCount'' -- can the number of users be retrieved?
+  * ''getGroups''   -- can a list of available groups be retrieved?
+  * ''external''    -- does the module do external auth checking?
+  * ''logout''      -- can the user logout again? (eg. not possible with HTTP auth)
-All these methods are optional and will **only** be called **if** the appropriate **[[#Required implementation|$cando]] fields are set**
+===== Authentication =====
+There are two distinct ways of how your authentication plugin can authenticate the current user:
-  * **''[[xref>trustExternal|trustExternal()]]''** (replaces DokuWiki authentication functions)\\ If ''$cando['external']'' is true, this method is used to authenticate a user -- all other DokuWiki internals will not be used for authenticating. The function can be used to authenticate against third party cookies or Apache auth mechanisms and replaces the default ''auth_login()'' function from ''inc/auth.php''. \\ \\ If this method is implemented you may omit the implementation of all the other methods from your module. You only really needs a constructor and this trustExternal() function, however it is strong recommended to have ''getUserData()'' so DokuWiki can display your users nicely and ''logoff()'' to permit DokuWiki to communicate the logoff to your backend. The other methods are only needed when you like that some internals of DokuWiki interact with your backend. Search the source code or browse on http://xref.dokuwiki.org/ to check out the connections. \\ \\ Have a look at the [[auth:punbb]] backend for an example usage of this method. According to the example method in the parent ''auth_basic'' class the trustExternal() method has to set the global variables: $USERINFO, $SERVER and _SESSION[DOKU_COOKIE] for the indicated fields. \\ \\ The implementation depends very much on your backend, here are some often used parts indicated as example. Look also for other implementations, when it doesn't fit your requirements. <code php>
+  - Let DokuWiki do most of the work and only do password checking in your plugin
+  - Implement the authentication yourself, for example when trusting a 3rd party cookie
+==== checkPass ====
+The first method is the default. It requires you to implement the [[xref>AuthPlugin::checkPass()|checkPass()]] method. This function need to check if the given userid ''$user'' exists and the given plaintext password ''$pass'' is correct.
+<code php>
+public function checkPass($user, $pass)
+{
+    // obviously implement a real check here
+    if($user == 'andi' && $pass='secret') {
+        return true;
+    }
+    return false;
+}
+</code>
+==== trustExternal ====
+The second option is to implement the [[xref>AuthPlugin::trustExternal()|trustExternal()]] method. Be sure to also enable the ''trustExternal'' flag in the ''canDo'' array.
+The trustExternal() method completely replaces the default [[xref>auth_login()]] function from ''inc/auth.php'', so might read a bit into its sources.
+The method needs to set a few DokuWiki internal variables to create a logged in state. Namely ''$USERINFO'', ''$_SERVER['REMOTE_USER']'' and $_SESSION[DOKU_COOKIE]['auth'] infos.
+The implementation depends very much on your backend, here are some often used parts indicated as example. Look also for other implementations, when it doesn't fit your requirements.
+<code php>
 function trustExternal($user, $pass, $sticky=false) {
     global $USERINFO;
+    global $lang;
     // someone used the login form
     if(!empty($user)){
         //situation: there are user credentials, lets check them
-        if( ...try to authenticate again your backend...)
+        if( ...try to authenticate against your backend...)
             // here you can handle additional post login actions
@@ Line 100: / Line 132: @@
         //when needed, logoff explicitly.
     }
-</code> For a description of the ''$USERINFO'' variables see the documentation of the ''getUserData()'' function. Do not forget to add ''global $USERINFO'' to the start of this function, to make the variable accessible.\\ \\ Another thing to keep in mind if you're implementing Single Sign On based on a cookie, is that if you want to be able to use DokuWiki's login form when SSO cookie is not present, you need to set that cookie once you verify the credentials, so on next page load you can authenticate based on that SSO cookie as $user and $pass variables will be empty since login form is not submitted. In [[auth:punbb]] this is done with ''pun_setcookie()'' function call. \\ \\ Dokuwiki will not show any message if the login failed, therefore this method shall show some information using msg(). \\ \\ **Examples** \\ See also this [[working example of trustExternal()]]. \\ \\ Some (old) backends using this function are: [[auth:punbb]], [[auth:cas]], [[auth:cosign]], [[auth:plaincas]], [[auth:django]], [[https://github.com/cato-/django-external-auth|extdjango]], [[http://docs.blackfin.uclinux.org/inc/auth/gforge.class.phps|gforge]], [[auth:ggauth#http|http]] version of ggauth, [[http://keeyai.com/projects-and-releases/dokuwiki-tools/dokuwiki-and-wordpress-integration/|keeyaiwp]], [[auth:mod_auth_tkt]], [[auth:ssp]] \\ \\
+</code>
+In theory you can create an auth plugin that only implements ''trustExternal'' however, it is strongly recommended to have ''getUserData()'' so DokuWiki can display your users nicely and ''logoff()'' to permit DokuWiki to communicate the logoff to your backend.
-  * **''[[xref>logOff()]]''** (only when required/possible)\\ Run in addition to the usual logoff. Useful with [[#trustExternal|trustExternal()]] to initiate actions for the external backend e.g. use it to clear cookies or similar actions.
+===== Get User Information =====
-  * **''[[xref>createUser()|createUser($user,$pass,$name,$mail,$grps=null)]]''** (only when required/possible)\\ Creates a user with the provided data. Returns false, when user already exists, null when error and true when succeeded.
+==== getUserData ====
-  * **''[[xref>modifyUser()|modifyUser($user, $changes)]]''** (only when required/possible)\\ Modifies a user's data.
+DokuWiki will need to query user information for the currently logged in user (if not supplied in ''trustExternal'') but also for other users. The latter happens for example when [[:subscription|Email Subscriptions]] are handled or full user names are to be displayed.
-  * **''[[xref>deleteUsers()|deleteUsers($users)]]''** (only when required/possible)\\ Deletes one or more users.
+User information is requested from your plugin via the [[xref>AuthPlugin::getUserData()|getUserData()]] method.
+The method should return an array with at least the full name and email address for the given ''$user''. If ''$requireGroups'' is true, the user's groups should be returned as well. Return false if the given user can't be found.
-  * **''[[xref>getUserCount()|getUserCount($filter=array()]]''** (needed when retrieveUsers() is implemented)\\ Returns the number of users matching certain filter criteria.
+<code php>
+public function getUserData($user, $requireGroups = true)
+{
+    // obviously implement real user data retrieval here
+    if ($user == 'andi') {
+        return [
+           'name' => 'Andreas Gohr',
+           'mail' => 'andi@splitbrain.org',
+           'grps' => ['user', 'admin']
+        ];
+    }
+    return false;
+}
+</code>
-  * **''[[xref>retrieveUsers()|retrieveUsers($start=0,$limit=-1,$filter=null)]]''** (only when required/possible)\\ Fetches userdata for multiple users matching a certain filter criteria.
+==== retrieveUsers ====
+optional, set ''getUsers'' capability
-  * **''[[xref>addGroup()|addGroup($group) ]]''** (only when required/possible)\\ Creates a new Group
+The [[xref>AuthPlugin::retrieveUsers()|retrieveUsers()]] method is used to retrieve a list of users matching a given criteria. It is used for example in the [[plugin:usermanager]] Plugin.
-  * **''[[xref>retrieveGroups()|retrieveGroups($start=0,$limit=0) ]]''** (only when required/possible)\\ List all available groups
+FIXME explain filter syntax
-  * **''[[xref>isCaseSensitive()]]''** (optional)\\ When your backend is caseinsensitive, override it with a method that returns false.
+==== getUserCount ====
-  * **''[[xref>cleanUser()|cleanUser($user)]]''** (optional)\\ Applied when username is given to and return from backend. Enforce here also username restrictions.
+optional, set ''getUserCount'' capability
-  * **''[[xref>cleanGroup()|cleanGroup($group)]]''** (optional)\\ Applied when groupname is given to and return from backend. Enforce here also groupname restrictions. Groupnames are to be passed without a leading '@' here.
+The [[xref>AuthPlugin::getUserCount()|getUserCount]] method returns the number of users matching certain filter criteria. Used for pagination in the [[plugin:usermanager]] Plugin. (Needed when retrieveUsers() is implemented)
-  * **''[[xref>useSessionCache()|useSessionCache($user)]]''** (only when required)\\ DokuWiki caches user info for a timespan. This function check expiration of this caching.
+==== retrieveGroups ====
-==== Inherited methods ====
+optional, set ''getGroups'' capability
-  * All the optional methods defined above are inherited methods, mostly these are a fallback warning explaining it's not implemented in your plugin yet.
-  * **''[[xref>canDo()|canDo($cap)]]''** Checks capabilities set in ''$cando'' field, or the pseudo capabilities: ''Profile'' and ''UserMod''.
-  * **''[[xref>triggerUserMod()|triggerUserMod($type, $params)]]''** Triggers ''AUTH_USERDATA_CHANGE'', which calls the methods defined on the current authentication plugin for the ''$type'' equal to: ''create'', ''modify'' and ''delete'' where ''$params'' are type specific parameters.
-  * See [[devel:common plugin functions]] for inherited function available to all plugins. e.g. localisation, configuration and introspection.
+The [[xref>AuthPlugin::retrieveGroups|retrieveGroups]] method returns a list of all available groups.
-===== Notes =====
-====Config loading sequence====
-At the moment, temporary, also the config of old style auth modules are loaded.\\ The loading order is:
-    - Default config settings
-    - Old style auth module config settings (i.e. ''$conf['auth']['yourauthbackend']''))
-    - The current auth plugin settings (i.e. ''$conf['plugin']['yourauthplugin']'').
-====Start session customization====
+===== User Management =====
-[[devel:develonly]]
-Dokuwiki starts (in [[xref>inc/init.php]]) a session prior to using the authentication plugin. If your framework uses specific session settings, you can define before your own settings in the file ''inc/preload.php''. You need to create it when non-existing (an example file is at [[https://github.com/splitbrain/dokuwiki/blob/master/inc/preload.php.dist|inc/preload.php.dist]]). In this ''inc/preload.php'' you can supply one or more of these defines:
+==== createUser ====
-  * ''DOKU_SESSION_NAME''
-  * ''DOKU_SESSION_LIFETIME''
-  * ''DOKU_SESSION_PATH''
-  * ''DOKU_SESSION_DOMAIN''
-The defines correspond to the arguments of [[phpfn>session_set_cookie_params|session_set_cookie_params()]], please refer to its docs for more details. To use SSL for your cookies, you enable the [[config:securecookie]] configuration setting.
-==Example==
+optional, set ''addUSer'' capability
-<code php inc/preload.php>
-//settings specific for use of the ... authentication plugin
-define ('DOKU_SESSION_NAME', "YOURSESSIONNAME");
-define ('DOKU_SESSION_LIFETIME', 0);
-//etc...
-//a custom session path
+The [[xref>AuthPlugin::createUser()|createUser()]] method creates a user with the provided data. Returns false, when user already exists, null on error and true when successful.
-$sessiepath = fullpath(dirname(__FILE__) . '/../../') . '/session';
-session_save_path($sessiepath);
-</code>
-====About autoloading====
+==== modifyUser ====
-Your backend (or its framework) cannot use %%__autoload%% to include further classes, those classes must be loaded manually via require()
-===== Handling of old auth backends =====
-When you update your wiki to the 2013-05-10 “Weatherwax” release, you need an auth plugin for the authentication, because the authentication backends aren't supported anymore. The previous bundled authentication backends are already converted to auth plugins: [[plugin:AuthPlain]], [[plugin:AuthMySQL]], [[plugin:AuthPgSQL]], [[plugin:AuthAD]] and [[plugin:AuthLDAP]].
+optional, set ''modLogin'', ''modPass'', ''modName'', ''modMail'', ''modGroups'' capabilities
-When you use another plugin than the bundled one, you need to check if someone has already shared the auth plugin version in the plugin repository. You can filter the plugins by [[plugintype>128#extension__table|Auth plugintype]]. Or you should rewrite the authentication backend yourself. See [[#Howto update your old backend]] below.
+The [[xref>AuthPlugin::modifyUser()|modifyUser()]] method modifies a user's data. You can expect to only receive data as per set capabilities.
+==== deleteUsers ====
-====Update wiki to new backend====
+optional, set ''delUser'' capability
-When you used the ''plain'' authentication backend before, DokuWiki will pick up the new ''authplain'' due to DokuWiki's defaults are updated too. For all other values of the [[config:authtype]] configuration, you get the warning ''User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin.'' and you cannot login anymore. This can be solved by updating the [[config:authtype]] configuration to the auth plugin version of your desired backend. When you use a not bundled auth plugin you should first install this one.
-When your desired auth plugin is installed you can modify your the [[config:authtype]] configuration setting in ''conf/local.php'' (or ''conf/local.protected.php'') by an editor on your server by prefixing your ''<authentication backend name>'' with ''auth'' to ''auth<authentication backend name>'':
+The [[xref>AuthPlugin::deleteUsers()|deleteUsers()]] method deletes one or more users.
-<code php conf/local.php>
+==== addGroup ====
-...
-// $conf['authtype'] = 'example';  //auth backend
-$conf['authtype'] = 'authexample'; //auth plugin
-...
-</code>
-====Howto install an auth plugin via plugin manager without working backend?====
+optional
-When you prefer to install an auth plugin by the DokuWiki plugin manager, you need to switch to the plain authentication backend. You need access to the configuration file ''conf/local.php'' on you server. Open it in an editor and remove the line from ''conf/local.php'' or ''conf/local.protected.php'':
-<code php>
+The [[xref>AuthPlugin::addGroup()|addGroup()]] method creates a new group. This only needs to be implemented if a group needs to be created before users can be assigned to it.
-// $conf['authtype'] = '...'; //disable your authtype config
-</code>
-or change that line to:
-<code php>
+===== Utility Methods =====
-$conf['authtype'] = 'authplain';
-</code>
-and save the file. Now your wiki uses the AuthPlain plugin. Next you login as superuser. Hint: Probably you can login by the user you define on installation (the installer creates default that users as superuser). Now you can use the plugin manager as usually.
+==== logOff ====
-Next you can configure the plugin settings via the configuration manager (these settings are stored in ''conf/local.php'') or you can save these protected against changes from the configuration manager by creating and editing the file ''conf/local.protected.php''. Lastly, you change the [[config:authtype]] configuration to your new auth plugin and save. When your wiki becomes inaccessible again, you can modify the configuration settings via an editor on your server again.
+optional, set ''logout'' capability
-See farther for more info about the [[plugin:config|configuration files and the config manager]].
+The [[xref>AuthPlugin::logOff|logOff()]] method is run in addition to the usual logoff. It is useful with [[#trustExternal|trustExternal()]] to initiate actions for the external backend e.g. use it to clear cookies or similar actions.
-====Old configurations====
+==== isCaseSensitive ====
-When auth plugin is activated, and there is an old config available, then first the old auth backend is loaded, next the new auth plugin config is loaded. So when auth plugin configuration settings are set these overwrite the old auth backend values.
+When your backend is caseinsensitive, implement [[xref>AuthPlugin::isCaseSensitive()|isCaseSensitive()]] and return false.
-Complete load sequence of plugin config settings:
+==== cleanUser ====
-  - settings from ''lib/plugins/<pluginname>/conf/default.php''
-  - settings from ''conf/local.php'' (or possibly overwritten by ''conf/local.protected.php'') where:
-    - first settings of ''$config['auth']['<authbackendname>']'' are read
-    - and next settings of ''$config['plugin']['auth<authbackendname>']''
-Tip:\\
+optional
-When you start changing settings of auth plugin, especially when you reset a setting to its plugin default, it is recommended to remove the old ''$config['auth']['<authbackendname>']'' settings from the ''local.php'' and/or ''local.protected.php''.
+The [[xref>AuthPlugin::cleanUser()|cleanUser()]] method is applied when a username is given to and returned from the backend. Can be used to enforce username restrictions.
-===== Howto update your old backend =====
+==== cleanGroup ====
-Some tips on updating your backend from ''inc/auth/<authname>.class.php'' to an Auth plugin.
-Simple approach:
+optional
-  - Create a plugin skelet corresponding to [[devel:plugin file structure]] and the [[#synopsis]] at top of this page. (skelet generator: http://pluginwiz.dokuwiki.org/)
-    * Please prefix the plugin name of your Auth plugin by ''auth'' e.g. ''authexample''.
+The [[xref>AuthPlugin::cleanGroup()|cleanGroup()]] method is applied when a group name is given to and returned from the backend. Can be used to enforce group name restrictions.
-  - You can reuse the code from ''inc/auth/<authbackendname>.class.php'' in your new ''lib/plugins/auth<authbackendname>/auth.php''.
-    * Be aware you can load other plugins or helper plugins
+Groupnames are passed without a leading ''@'' here.
-    * There are some inherited functions for localisation, configuration and more, see [[#inherited methods]] above.
+==== useSessionCache ====
+optional
+DokuWiki caches user info for a timespan. The [[xref>AuthPlugin::useSessionCache()|useSessionCache()]] method can be used to influence the expiration of this caching.
+===== Notes =====
+====Start session customization====
+Dokuwiki starts (in [[xref>inc/init.php]]) a session prior to using the authentication plugin. If your framework uses specific session settings, you can define before your own settings in the file ''conf/local.protected.php''. You need to create it when non-existing. In this ''conf/local.protected.php'' you can supply one or more of these defines:
+  * ''DOKU_SESSION_NAME''
+  * ''DOKU_SESSION_LIFETIME''
+  * ''DOKU_SESSION_PATH''
+  * ''DOKU_SESSION_DOMAIN''
+The defines correspond to the arguments of [[phpfn>session_set_cookie_params|session_set_cookie_params()]], please refer to its docs for more details. To use SSL for your cookies, you enable the [[config:securecookie]] configuration setting.
+<code php conf/local.protected.php>
+//settings specific for use of the ... authentication plugin
+define ('DOKU_SESSION_NAME', "YOURSESSIONNAME");
+define ('DOKU_SESSION_LIFETIME', 0);
+//etc...
+//a custom session path
+$sessiepath = fullpath(dirname(__FILE__) . '/../../') . '/session';
+session_save_path($sessiepath);
+</code>
-FIXME more relevant directions??
 ===== Further reading =====