Authentication in Joomla! 1.5
Presented By: Jason Kendall
Joomla! Development Workgroup

Page 1: Authentication in Joomla! 1.5 Presented By: Jason Kendall Joomla! Development Workgroup


Page 2
March 23rd 10:15 AM DRAFT Presented By Jason Kendall, Joomla! Development Workgroup

About Me

• Born in Feb 1979, started in the computing industry with Pong.
• In the late ‘80s moved into the Commodore 64 where I developed utilities in Basic (Yes, before I was 10).
• Moved into a Tandy PC shortly thereafter when even more Basic programming was completed including a full blown login system.
• I ran a BBS (‘The BBS Enterprise’) for 4 years and became a regular poster on the Fido Network.
• First introduction to the Internet was via my high school at the time, where we accessed gopher and telnet via a shared modem line.
• I started with Slackware Linux in the early ‘90s and ever since then I’ve been working with new technologies including VoIP, and IPv6.
• Started PHP development in Feb 2000 with my own concept of what is now known as MVC, although you wouldn’t know it.
• I’m currently working as an Information Security Analyst and hold a number of certifications on computer networking and technologies.

Page 3

Overview

• Changes from 1.x
• Structure/How it works
• Code base details
• Hello World Example
• GMail Example
• OpenID & our pit falls
• Other schemes to implement
• Questions

Page 4

What has changed since 1.x?

• Added plug-in system using JDispatch
• Ability to completely customize the authentication system from end to end
• Ability for end plug-ins to overwrite user details for user auto-creation, i.e. one can log in with an LDAP email address and rewrite the UserID to just the login
• Enabled the creation of temp users from external plug-ins

Page 5

Structure

[Diagram: the Joomla! Application dispatches to the Plugins layer, which fans out to JoomlaAuth, LDAPAuth, OpenIDAuth and OtherAuth]

• The Joomla! application sends the authentication request to all enabled plug-ins.

• The order is based on the plug-in rank in the manager.

• Each plug-in processes the request and sends back a status to the handler.

• The handler checks for a success and passes it off to the application.

• In the case of a failure, it logs the errors to JLog for analysis by the admin.

Page 6

Code Base

function onAuthenticate( $username, $password )
• Processes an authentication request
• Gets a username and password
• Returns a JAuthenticateResponse object
  • status
    • JAUTHENTICATE_STATUS_SUCCESS
    • JAUTHENTICATE_STATUS_FAILURE
  • error_message
    • Can be any text
    • Text should identify the error that occurred
    • Gets sent to the JLog system to be logged
    • On failure the end user will only see an invalid credentials response
  • Can also return: username, fullname, password etc.

Page 7

Code Base cont.

function onAuthenticateFailure( $username, $password )
• Fires only when a failure is detected.
• Can be used to clear details from J! or cookies on failure.

Page 8

Code Base cont.

function onLoginUser( $response, $remember )
• Processed on a successful login by a plug-in
• $response is the JAuthenticateResponse from the accepted plug-in
• $remember is set when the user wants to be remembered

Page 9

Code Base cont.

function onLogoutUser( $parameters )
• Processed on a logout request from the user
• $parameters is an array:
  • Username: The username being logged out
  • ID: The user's ID

Page 10

Code Base cont.

Extra events for syncing users include:
• onBeforeStoreUser
• onAfterStoreUser
• onBeforeDeleteUser
• onAfterDeleteUser

Page 11

Hello World of Authentication

    function onAuthenticate( $username, $password )
    {
        $return = new JAuthenticateResponse('example');
        // The handler checks the status field (see the Code Base slide).
        if ($username == "Hello" && $password == "World")
            $return->status = JAUTHENTICATE_STATUS_SUCCESS;
        else
            $return->status = JAUTHENTICATE_STATUS_FAILURE;
        return $return;
    }
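The following is an added example, not code from the slides or from Joomla! itself: it joins the handler behaviour described on the Structure slide with the onAuthenticate() contract of the Code Base slide and the Hello World plug-in above, showing why error_message is written for the log and not for the user. JAuthenticateResponse, the status constant values and the in-memory log array are stand-ins for the real Joomla! classes and JLog, which are assumed rather than reproduced.

```php
<?php
// Added example (not from the slides): the handler loop of the Structure slide
// driving two plug-ins written to the onAuthenticate() contract of slide 6.
// JAuthenticateResponse, the status values and the log array are stand-ins.
define('JAUTHENTICATE_STATUS_SUCCESS', 1);   // values assumed, not from the slides
define('JAUTHENTICATE_STATUS_FAILURE', 4);
class JAuthenticateResponse {
    public $type, $status, $username, $fullname, $email, $error_message = '';
    public function __construct($type) { $this->type = $type; }
}
// Plug-in 1 (constructed): the slide's Hello World plug-in with strict comparison.
function plgHelloOnAuthenticate($username, $password) {
    $r = new JAuthenticateResponse('example');
    if ($username === 'Hello' && $password === 'World') {  // === avoids type juggling
        $r->status = JAUTHENTICATE_STATUS_SUCCESS;
        $r->username = $username;
    } else {
        $r->status = JAUTHENTICATE_STATUS_FAILURE;
        $r->error_message = "example: bad credentials for '$username'";  // log only
    }
    return $r;
}
// Plug-in 2 (constructed): its back end is unreachable, so it fails closed.
function plgRemoteOnAuthenticate($username, $password) {
    $r = new JAuthenticateResponse('remote');
    $r->status = JAUTHENTICATE_STATUS_FAILURE;
    $r->error_message = 'remote: directory server unreachable';
    return $r;
}
// Handler: plug-ins run in manager rank order, first success wins, every failure's
// error_message goes to the log and the end user only ever sees a generic text.
function authenticate($username, $password, array $pluginsByRank, array &$log) {
    foreach ($pluginsByRank as $plugin) {
        $r = $plugin($username, $password);
        if ($r->status === JAUTHENTICATE_STATUS_SUCCESS) {
            return $r;
        }
        $log[] = date('c') . ' auth failure [' . $r->type . '] ' . $r->error_message;
    }
    $fail = new JAuthenticateResponse('handler');
    $fail->status = JAUTHENTICATE_STATUS_FAILURE;
    $fail->error_message = 'Invalid credentials';  // all the end user is shown
    return $fail;
}

$log = array();
$plugins = array('plgRemoteOnAuthenticate', 'plgHelloOnAuthenticate');  // rank order
$ok  = authenticate('Hello', 'World', $plugins, $log);  // success via 2nd plug-in, 1 log line
$bad = authenticate('Hello', 'Wrong', $plugins, $log);  // generic failure, 2 more log lines
```

After both calls $log holds three lines naming the plug-in and the real cause of each failure, which is what an admin reads in JLog, while $bad->error_message carries only the generic text the browser gets.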

Page 12

GMail Example

    function onAuthenticate( $username, $password ) {
        $return = new JAuthenticateResponse('gmail');

        // Ask Google's inbox Atom feed with HTTP basic auth; a 200 means the
        // credentials were accepted, a 401 that they were rejected.
        $curl = curl_init("https://mail.google.com/gmail/feed/atom");
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($curl, CURLOPT_USERPWD, "$username:$password");
        $result = curl_exec($curl);
        $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
        curl_close($curl);
        $message = '';
        $success = 0;

        switch ($code) {
            case 200:
                $message = 'Access Granted';
                $success = 1;
                break;
            case 401:
                $message = 'Access Denied';
                break;
            default:
                // Any other outcome (timeout, 5xx, redirect loop) is treated as a failure.
                $message = 'Result unknown, access denied.';
                break;
        }

        if ($success) {
            $return->status = JAUTHENTICATE_STATUS_SUCCESS;
            $return->email = $username;
            $return->fullname = $username;
        } else {
            $return->status = JAUTHENTICATE_STATUS_FAILURE;
            $return->error_message = 'Failed to authenticate: ' . $message;
        }
        return $return;
    }

Page 13

OpenID & Our Pit Falls

Issues
• Cookie data needs to be sent to the client
• It must redirect to an external site
• It should return to the authentication plug-in
• Limited support in PHP4

Page 14

OpenID & Our Pit Falls cont.

• Used JSession to store cookies
• Built URIs with JURI and redirected via $mainframe
• Returned mimicking a login form response
• Checked for cookie/session state to complete the request
• Used SimpleXML to mimic OpenID requests

Page 15

Other schemes

• Radius
• RSA SecurID
• WiKID
• Extendable External Databases (EED)
• Google Account Authentication
• Kerberos
• IMAP/POP3

Page 16

Questions?