Differences

This shows you the differences between two versions of the page.

--- devel:auth_plugins [2018-06-06 00:48] – Klap-in
+++ devel:auth_plugins [2023-09-19 10:50] (current) – [addGroup] andi
@@ Line 1: / Line 1: @@
 ====== Authentication Plugins ======
-| **Info on this page is for 2013-05-10 "Weatherwax" and later**\\ \\ Below are the docs for new auth plugins. It may contain errors! Please report them, all feedback is welcome. |
+DokuWiki's authentication system is highly modular and can, generally speaking, authenticate using anything that is accessible from PHP. Check the [[plugintype>128#extension__table|list of Auth Plugins]] to see what is already available. Auth Plugins can be installed via the [[plugin:Extension|Extension Manager]].
-(//For reference the old documentation can be found at the old [[devel:authentication backends|development docs]] and the old  [[:auth|authentication modules]] itself//)
+Authentication plugins provide multiple tasks:
-DokuWiki's authentication system is highly modular and can, generally speaking, authenticate using anything that is accessible from PHP. Available [[plugintype>128#extension__table|Auth Plugins]] are listed.
+  - authenticate the current user, eg. check some password, trust a cookie or similar
+  - provide user information on any user, eg. get the name, email address, and group memberships
+  - provide mechanisms to manage users, eg. create new users, change profile data
-In summary, there are two distinct ways of building your authentication plugin. Firstly, you can create a plugin that implements all DokuWiki's methods needed to gather user info and verify users. Secondly, you can use the ''trustExternal()'' method, which will replace the Dokuwiki authentication functions. You handle the authentication in this method by calling your own backend.
 ===== Synopsis =====
-An Authentication Plugin //Example// needs:
+Please refer to [[devel:plugins]] and [[plugin file structure]] for general info for plugin development. Best use the [[plugin:dev|dev plugin]] to get started.
-  * class name  ''auth_plugin_example''
+Your new class needs to follow the general naming scheme for plugins and inherit from [[xref>dokuwiki\Extension\AuthPlugin]].
-  * which extends [[xref>DokuWiki_Auth_Plugin]]((defined in ''lib/plugins/auth.php'')).
-  * to be stored in a file ''lib/plugins/example/auth.php''.
-Moreover, a [[plugin_info|plugin.info.txt]] file is needed. For full details of plugins and their files and how to create more auth components refer to [[plugin file structure]].
+Eg. for a plugin ''example'', the class name would be ''auth_plugin_example'' defined in ''lib/plugins/example/auth.php''.
+Below, the most important methods when writing an auth plugin are described. Refer to [[devel:common plugin functions]] for inherited functions available to all plugins and check your IDE for additional possible overrides.
-====Required implementation====
-You need to implement at least two fields and three methods.
-//Fields://
+===== Initialization and Capabilities =====
-  * **''[[xref>$success]]''** \\ This simple boolean needs to be set to //true// in your constructor if your auth module was correctly initialized. Use this to notify the frontend if anything went wrong by setting it to //false//.
+Your plugin needs to signal that it is ready to use to DokuWiki's authentication sub system.
-  * **''[[xref>$cando]]''** \\ The ''$cando'' field is an associative array of booleans. You need to set the array fields to //true// for all functions your backend provides. Here is a list of keys in ''$cando'' and their meaning:
+This is done in the plugin's constructor. You can use it check that configuration is complete, database connections work, etc. If everything is okay, you need to set the [[xref>AuthPlugin::$success|$success]] property to ''true''.
-    * ''addUser''     -- can Users be created?
-    * ''delUser''     -- can Users be deleted?
-    * ''modLogin''    -- can login names be changed?
-    * ''modPass''     -- can passwords be changed?
-    * ''modName''     -- can real names be changed?
-    * ''modMail''     -- can emails be changed?
-    * ''modGroups''   -- can groups be changed?
-    * ''getUsers''    -- can a (filtered) list of users be retrieved?
-    * ''getUserCount'' -- can the number of users be retrieved?
-    * ''getGroups''   -- can a list of available groups be retrieved?
-    * ''external''    -- does the module do external auth checking?
-    * ''logout''      -- can the user logout again? (eg. not possible with HTTP auth)
-//Methods://
+You also need to signal what functionality your plugin provides. For example with some backends it might not be possible to change user names while others have no way to log out after logging in. This is done by setting the different flags in the [[xref>AuthPlugin::$cando|$cando]] property. The more flags you enable here, the more methods you need to implement as described below.
-Only a few functions need to be implemented. But the more you do the more the frontend will be able to do. See [[xref>lib/plugins/auth.php]] for the methods' arguments and return values and for an example implementation see [[xref>lib/plugins/authplain/auth.php]] the plain authentication backend, DokuWikis default.
+<code php>
+public function __construct()
+{
+    parent::__construct();
-  * **''[[xref>__construct|__construct()]]''** \\ Well your class should have a constructor of course :-) Set the fields ''$success'' and ''$cando'' mentioned above here.
+    $this->cando['modName'] = true;
+    $this->cando['modMail'] = true;
-  * **''[[xref>checkPass|checkPass($user, $pass)]]''** \\ This function need to check if the given userid ''$user'' exists and the given plaintext password ''$pass'' is correct.
+    $this->success = true;
+}
+</code>
-  * **''[[xref>getUserData|getUserData($user, $requireGroups=true)]]''** \\ Used to return user information like email address and real name, for the requested userid ''$user'' \\ If ''$requireGroups'' is True, the function should return the user's groups as well. \\ Return false or an array with at least the keys<code php>
-array(
+Here is a list of keys in ''$cando'' and their meaning:
-    'name' => string,
-    'mail' => string,
+  * ''addUser''     -- can Users be created?
-    'grps' => array()
+  * ''delUser''     -- can Users be deleted?
-)
+  * ''modLogin''    -- can login names be changed?
+  * ''modPass''     -- can passwords be changed?
+  * ''modName''     -- can real names be changed?
+  * ''modMail''     -- can emails be changed?
+  * ''modGroups''   -- can groups be changed?
+  * ''getUsers''    -- can a (filtered) list of users be retrieved?
+  * ''getUserCount'' -- can the number of users be retrieved?
+  * ''getGroups''   -- can a list of available groups be retrieved?
+  * ''external''    -- does the module do external auth checking?
+  * ''logout''      -- can the user logout again? (eg. not possible with HTTP auth)
+===== Authentication =====
+There are two distinct ways of how your authentication plugin can authenticate the current user:
+  - Let DokuWiki do most of the work and only do password checking in your plugin
+  - Implement the authentication yourself, for example when trusting a 3rd party cookie
+==== checkPass ====
+The first method is the default. It requires you to implement the [[xref>AuthPlugin::checkPass()|checkPass()]] method. This function need to check if the given userid ''$user'' exists and the given plaintext password ''$pass'' is correct.
+<code php>
+public function checkPass($user, $pass)
+{
+    // obviously implement a real check here
+    if($user == 'andi' && $pass='secret') {
+        return true;
+    }
+    return false;
+}
 </code>
+==== trustExternal ====
-====Optional implementation====
+The second option is to implement the [[xref>AuthPlugin::trustExternal()|trustExternal()]] method. Be sure to also enable the ''trustExternal'' flag in the ''canDo'' array.
-All these methods are optional and will **only** be called **if** the appropriate **[[#Required implementation|$cando]] fields are set**
+The trustExternal() method completely replaces the default [[xref>auth_login()]] function from ''inc/auth.php'', so might read a bit into its sources.
+The method needs to set a few DokuWiki internal variables to create a logged in state. Namely ''$USERINFO'', ''$_SERVER['REMOTE_USER']'' and $_SESSION[DOKU_COOKIE]['auth'] infos.
-  * **''[[xref>trustExternal|trustExternal()]]''** (replaces DokuWiki authentication functions)\\ If ''$cando['external']'' is true, this method is used to authenticate a user -- all other DokuWiki internals will not be used for authenticating. The function can be used to authenticate against third party cookies or Apache auth mechanisms and replaces the default ''auth_login()'' function from ''inc/auth.php''. \\ \\ If this method is implemented you may omit the implementation of all the other methods from your module. You only really needs a constructor and this trustExternal() function, however it is strongly recommended to have ''getUserData()'' so DokuWiki can display your users nicely and ''logoff()'' to permit DokuWiki to communicate the logoff to your backend. The other methods are only needed when you like that some internals of DokuWiki interact with your backend. Search the source code or browse on http://xref.dokuwiki.org/ to check out the connections. \\ \\ Have a look at the old [[auth:punbb]] backend for an example usage of this method. (TODO: update with example usage of Auth Plugin) According to the example method in the parent ''auth_basic'' class the trustExternal() method has to set the global variables: $USERINFO, $SERVER and _SESSION[DOKU_COOKIE] for the indicated fields. \\ \\ The implementation depends very much on your backend, here are some often used parts indicated as example. Look also for other implementations, when it doesn't fit your requirements. <code php>
+The implementation depends very much on your backend, here are some often used parts indicated as example. Look also for other implementations, when it doesn't fit your requirements.
+<code php>
 function trustExternal($user, $pass, $sticky=false) {
     global $USERINFO;
+    global $lang;
     // someone used the login form
@@ Line 104: / Line 132: @@
         //when needed, logoff explicitly.
     }
-</code> For a description of the ''$USERINFO'' variables see the documentation of the ''getUserData()'' function. Do not forget to add ''global $USERINFO'' to the start of this function, to make the variable accessible.\\ \\ Another thing to keep in mind if you're implementing Single Sign On based on a cookie, is that if you want to be able to use DokuWiki's login form when SSO cookie is not present, you need to set that cookie once you verify the credentials, so on next page load you can authenticate based on that SSO cookie as $user and $pass variables will be empty since login form is not submitted. In [[auth:punbb]] this is done with ''pun_setcookie()'' function call. (TODO: update with example usage of Auth Plugin instead old Auth backend) \\ \\ Dokuwiki will not show any message if the login failed, therefore this method shall show some information using msg().  \\ \\ **Examples** \\ See also this [[working example of trustExternal()|example of trustExternal()]]. \\ \\ Some auth plugins using this function are: [[plugin:authplaincas]] plugin.\\ \\ Some (very old) backends using this function are: [[auth:punbb]], [[auth:cas]], [[auth:cosign]], [[auth:plaincas]], [[auth:django]], [[https://github.com/cato-/django-external-auth|extdjango]], [[http://docs.blackfin.uclinux.org/inc/auth/gforge.class.phps|gforge]], [[auth:ggauth#http|http]] version of ggauth, [[http://keeyai.com/projects-and-releases/dokuwiki-tools/dokuwiki-and-wordpress-integration/|keeyaiwp]], [[auth:mod_auth_tkt]], [[auth:ssp]] (Please find here instruction how-to reuse parts of these old backends for a modern Auth Plugin: [[https://www.dokuwiki.org/devel:auth_plugins#handling_of_old_auth_backends|Handling of old auth backends]]\\ \\
+</code>
+In theory you can create an auth plugin that only implements ''trustExternal'' however, it is strongly recommended to have ''getUserData()'' so DokuWiki can display your users nicely and ''logoff()'' to permit DokuWiki to communicate the logoff to your backend.
-  * **''[[xref>logOff()]]''** (only when required/possible)\\ Run in addition to the usual logoff. Useful with [[#trustExternal|trustExternal()]] to initiate actions for the external backend e.g. use it to clear cookies or similar actions.
+===== Get User Information =====
-  * **''[[xref>createUser()|createUser($user,$pass,$name,$mail,$grps=null)]]''** (only when required/possible)\\ Creates a user with the provided data. Returns false, when user already exists, null when error and true when succeeded.
+==== getUserData ====
-  * **''[[xref>modifyUser()|modifyUser($user, $changes)]]''** (only when required/possible)\\ Modifies a user's data.
+DokuWiki will need to query user information for the currently logged in user (if not supplied in ''trustExternal'') but also for other users. The latter happens for example when [[:subscription|Email Subscriptions]] are handled or full user names are to be displayed.
-  * **''[[xref>deleteUsers()|deleteUsers($users)]]''** (only when required/possible)\\ Deletes one or more users.
+User information is requested from your plugin via the [[xref>AuthPlugin::getUserData()|getUserData()]] method.
+The method should return an array with at least the full name and email address for the given ''$user''. If ''$requireGroups'' is true, the user's groups should be returned as well. Return false if the given user can't be found.
-  * **''[[xref>getUserCount()|getUserCount($filter=array()]]''** (needed when retrieveUsers() is implemented)\\ Returns the number of users matching certain filter criteria.
+<code php>
+public function getUserData($user, $requireGroups = true)
+{
+    // obviously implement real user data retrieval here
+    if ($user == 'andi') {
+        return [
+           'name' => 'Andreas Gohr',
+           'mail' => 'andi@splitbrain.org',
+           'grps' => ['user', 'admin']
+        ];
+    }
+    return false;
+}
+</code>
-  * **''[[xref>retrieveUsers()|retrieveUsers($start=0,$limit=-1,$filter=null)]]''** (only when required/possible)\\ Fetches userdata for multiple users matching a certain filter criteria.
+==== retrieveUsers ====
+optional, set ''getUsers'' capability
-  * **''[[xref>addGroup()|addGroup($group) ]]''** (only when required/possible)\\ Creates a new Group
+The [[xref>AuthPlugin::retrieveUsers()|retrieveUsers()]] method is used to retrieve a list of users matching a given criteria. It is used for example in the [[plugin:usermanager]] Plugin.
-  * **''[[xref>retrieveGroups()|retrieveGroups($start=0,$limit=0) ]]''** (only when required/possible)\\ List all available groups
+FIXME explain filter syntax
-  * **''[[xref>isCaseSensitive()]]''** (optional)\\ When your backend is caseinsensitive, override it with a method that returns false.
+==== getUserCount ====
-  * **''[[xref>cleanUser()|cleanUser($user)]]''** (optional)\\ Applied when username is given to and return from backend. Enforce here also username restrictions.
+optional, set ''getUserCount'' capability
-  * **''[[xref>cleanGroup()|cleanGroup($group)]]''** (optional)\\ Applied when groupname is given to and return from backend. Enforce here also groupname restrictions. Groupnames are to be passed without a leading '@' here.
+The [[xref>AuthPlugin::getUserCount()|getUserCount]] method returns the number of users matching certain filter criteria. Used for pagination in the [[plugin:usermanager]] Plugin. (Needed when retrieveUsers() is implemented)
-  * **''[[xref>useSessionCache()|useSessionCache($user)]]''** (only when required)\\ DokuWiki caches user info for a timespan. This function check expiration of this caching.
+==== retrieveGroups ====
-==== Inherited methods ====
+optional, set ''getGroups'' capability
-  * All the optional methods defined above are inherited methods, mostly these are a fallback warning explaining it's not implemented in your plugin yet.
-  * **''[[xref>canDo()|canDo($cap)]]''** Checks capabilities set in ''$cando'' field, or the pseudo capabilities: ''Profile'' and ''UserMod''.
-  * **''[[xref>triggerUserMod()|triggerUserMod($type, $params)]]''** Triggers ''AUTH_USERDATA_CHANGE'', which calls the methods defined on the current authentication plugin for the ''$type'' equal to: ''create'', ''modify'' and ''delete'' where ''$params'' are type specific parameters.
-  * See [[devel:common plugin functions]] for inherited function available to all plugins. e.g. localisation, configuration and introspection.
+The [[xref>AuthPlugin::retrieveGroups|retrieveGroups]] method returns a list of all available groups.
-===== Notes =====
-====Config loading sequence====
-At the moment, temporary, also the config of old style auth modules are loaded.\\ The loading order is:
-    - Default config settings
-    - Old style auth module config settings (i.e. ''$conf['auth']['yourauthbackend']''))
-    - The current auth plugin settings (i.e. ''$conf['plugin']['yourauthplugin']'').
-====Start session customization====
+===== User Management =====
-(Available since release 2014-05-05 "Ponder Stibbons")
-Dokuwiki starts (in [[xref>inc/init.php]]) a session prior to using the authentication plugin. If your framework uses specific session settings, you can define before your own settings in the file ''conf/local.protected.php''. You need to create it when non-existing. In this ''conf/local.protected.php'' you can supply one or more of these defines:
+==== createUser ====
-  * ''DOKU_SESSION_NAME''
-  * ''DOKU_SESSION_LIFETIME''
-  * ''DOKU_SESSION_PATH''
-  * ''DOKU_SESSION_DOMAIN''
-The defines correspond to the arguments of [[phpfn>session_set_cookie_params|session_set_cookie_params()]], please refer to its docs for more details. To use SSL for your cookies, you enable the [[config:securecookie]] configuration setting.
-==Example==
+optional, set ''addUSer'' capability
-<code php conf/local.protected.php>
-//settings specific for use of the ... authentication plugin
-define ('DOKU_SESSION_NAME', "YOURSESSIONNAME");
-define ('DOKU_SESSION_LIFETIME', 0);
-//etc...
-//a custom session path
+The [[xref>AuthPlugin::createUser()|createUser()]] method creates a user with the provided data. Returns false, when user already exists, null on error and true when successful.
-$sessiepath = fullpath(dirname(__FILE__) . '/../../') . '/session';
-session_save_path($sessiepath);
-</code>
-====About autoloading====
-Your backend (or its framework) cannot use %%__autoload%% to include further classes, those classes must be loaded manually via require()
-===== Handling of old auth backends =====
-When you update your wiki to the 2013-05-10 “Weatherwax” release, you need an auth plugin for the authentication, because the authentication backends aren't supported anymore. The previous bundled authentication backends are already converted to auth plugins: [[plugin:AuthPlain]], [[plugin:AuthMySQL]], [[plugin:AuthPgSQL]], [[plugin:AuthAD]] and [[plugin:AuthLDAP]].
+==== modifyUser ====
-When you use another plugin than the bundled one, you need to check if someone has already shared the auth plugin version in the plugin repository. You can filter the plugins by [[plugintype>128#extension__table|Auth plugintype]]. Or you should rewrite the authentication backend yourself. See [[#Howto update your old backend]] below.
+optional, set ''modLogin'', ''modPass'', ''modName'', ''modMail'', ''modGroups'' capabilities
+The [[xref>AuthPlugin::modifyUser()|modifyUser()]] method modifies a user's data. You can expect to only receive data as per set capabilities.
-====Update wiki to new backend====
+==== deleteUsers ====
-When you used the ''plain'' authentication backend before, DokuWiki will pick up the new ''authplain'' due to DokuWiki's defaults are updated too. For all other values of the [[config:authtype]] configuration, you get the warning ''User authentication is temporarily unavailable. If this situation persists, please inform your Wiki Admin.'' and you cannot login anymore. This can be solved by updating the [[config:authtype]] configuration to the auth plugin version of your desired backend. When you use a not bundled auth plugin you should first install this one.
-When your desired auth plugin is installed you can modify your the [[config:authtype]] configuration setting in ''conf/local.php'' (or ''conf/local.protected.php'') by an editor on your server by prefixing your ''<authentication backend name>'' with ''auth'' to ''auth<authentication backend name>'':
+optional, set ''delUser'' capability
-<code php conf/local.php>
+The [[xref>AuthPlugin::deleteUsers()|deleteUsers()]] method deletes one or more users.
-...
-// $conf['authtype'] = 'example';  //auth backend
-$conf['authtype'] = 'authexample'; //auth plugin
-...
-</code>
-====Howto install an auth plugin via extension manager without working backend?====
+==== addGroup ====
-When you prefer to install an auth plugin by the DokuWiki extension manager, you need to switch to the plain authentication backend. You need access to the configuration file ''conf/local.php'' on you server. Open it in an editor and remove the line from ''conf/local.php'' or ''conf/local.protected.php'':
-<code php>
+optional
-// $conf['authtype'] = '...'; //disable your authtype config
-</code>
-or change that line to:
+The [[xref>AuthPlugin::addGroup()|addGroup()]] method creates a new group. This only needs to be implemented if a group needs to be created before users can be assigned to it.
-<code php>
-$conf['authtype'] = 'authplain';
-</code>
-and save the file. Now your wiki uses the AuthPlain plugin. Next you login as superuser. Hint: Probably you can login by the user you define on installation (the installer creates default that users as superuser). Now you can use the extension manager as usually.
+===== Utility Methods =====
-Next you can configure the plugin settings via the configuration manager (these settings are stored in ''conf/local.php'') or you can save these protected against changes from the configuration manager by creating and editing the file ''conf/local.protected.php''. Lastly, you change the [[config:authtype]] configuration to your new auth plugin and save. When your wiki becomes inaccessible again, you can modify the configuration settings via an editor on your server again.
+==== logOff ====
-See farther for more info about the [[plugin:config|configuration files and the config manager]].
+optional, set ''logout'' capability
-====Old configurations====
+The [[xref>AuthPlugin::logOff|logOff()]] method is run in addition to the usual logoff. It is useful with [[#trustExternal|trustExternal()]] to initiate actions for the external backend e.g. use it to clear cookies or similar actions.
-When auth plugin is activated, and there is an old config available, then first the old auth backend is loaded, next the new auth plugin config is loaded. So when auth plugin configuration settings are set these overwrite the old auth backend values.
+==== isCaseSensitive ====
-Complete load sequence of plugin config settings:
+When your backend is caseinsensitive, implement [[xref>AuthPlugin::isCaseSensitive()|isCaseSensitive()]] and return false.
-  - settings from ''lib/plugins/<pluginname>/conf/default.php''
-  - settings from ''conf/local.php'' (or possibly overwritten by ''conf/local.protected.php'') where:
-    - first settings of ''$config['auth']['<authbackendname>']'' are read
-    - and next settings of ''$config['plugin']['auth<authbackendname>']''
-Tip:\\
+==== cleanUser ====
-When you start changing settings of auth plugin, especially when you reset a setting to its plugin default, it is recommended to remove the old ''$config['auth']['<authbackendname>']'' settings from the ''local.php'' and/or ''local.protected.php''.
+optional
-===== Howto update your old backend =====
+The [[xref>AuthPlugin::cleanUser()|cleanUser()]] method is applied when a username is given to and returned from the backend. Can be used to enforce username restrictions.
-Some tips on updating your backend from ''inc/auth/<authname>.class.php'' to an Auth plugin.
-Simple approach:
+==== cleanGroup ====
-  - Create a plugin skelet corresponding to [[devel:plugin file structure]] and the [[#synopsis]] at top of this page. (skelet generator: http://pluginwiz.dokuwiki.org/)
-    * Please prefix the plugin name of your Auth plugin by ''auth'' e.g. ''authexample''.
+optional
-  - You can reuse the code from ''inc/auth/<authbackendname>.class.php'' in your new ''lib/plugins/auth<authbackendname>/auth.php''.
-    * Be aware you can load other plugins or helper plugins
+The [[xref>AuthPlugin::cleanGroup()|cleanGroup()]] method is applied when a group name is given to and returned from the backend. Can be used to enforce group name restrictions.
-    * There are some inherited functions for localisation, configuration and more, see [[#inherited methods]] above.
+Groupnames are passed without a leading ''@'' here.
+==== useSessionCache ====
+optional
+DokuWiki caches user info for a timespan. The [[xref>AuthPlugin::useSessionCache()|useSessionCache()]] method can be used to influence the expiration of this caching.
+===== Notes =====
+====Start session customization====
+Dokuwiki starts (in [[xref>inc/init.php]]) a session prior to using the authentication plugin. If your framework uses specific session settings, you can define before your own settings in the file ''conf/local.protected.php''. You need to create it when non-existing. In this ''conf/local.protected.php'' you can supply one or more of these defines:
+  * ''DOKU_SESSION_NAME''
+  * ''DOKU_SESSION_LIFETIME''
+  * ''DOKU_SESSION_PATH''
+  * ''DOKU_SESSION_DOMAIN''
+The defines correspond to the arguments of [[phpfn>session_set_cookie_params|session_set_cookie_params()]], please refer to its docs for more details. To use SSL for your cookies, you enable the [[config:securecookie]] configuration setting.
+<code php conf/local.protected.php>
+//settings specific for use of the ... authentication plugin
+define ('DOKU_SESSION_NAME', "YOURSESSIONNAME");
+define ('DOKU_SESSION_LIFETIME', 0);
+//etc...
+//a custom session path
+$sessiepath = fullpath(dirname(__FILE__) . '/../../') . '/session';
+session_save_path($sessiepath);
+</code>
-FIXME more relevant directions??
 ===== Further reading =====