Authentication in Joomla! 1.5
Presented By: Jason Kendall, Joomla! Development Workgroup
Presentation transcript:

Authentication in Joomla! 1.5

About Me
- Born in Feb 1979, started in the computing industry with Pong.
- In the late ‘80s moved into the Commodore 64, where I developed utilities in Basic (yes, before I was 10).
- Moved into a Tandy PC shortly thereafter, where even more Basic programming was completed, including a full-blown login system.
- I ran a BBS (‘The BBS Enterprise’) for 4 years and became a regular poster on the Fido Network.
- First introduction to the Internet was via my high school, back when we accessed gopher and telnet via a shared modem line.
- I started with Slackware Linux in the early ‘90s and ever since then I’ve been working with new technologies including VoIP and IPv6.
- Started PHP development in Feb 2000 with my own concept of what is now known as MVC, although you wouldn’t know it.
- I’m currently working as an Information Security Analyst and hold a number of certifications on computer networking and technologies.

Overview
- Changes from 1.x
- Structure / how it works
- Code base details
- Hello World example
- GMail example
- OpenID & our pitfalls
- Other schemes to implement
- Questions

What has changed since 1.x?
- Added a plug-in system using JDispatch
- Ability to completely customize the authentication system from end to end
- Ability for plug-ins to overwrite user details for user auto-creation, i.e. one can log in with an LDAP address and rewrite the UserID to just the login
- Enabled the creation of temporary users from external plug-ins

Structure
[Diagram: Joomla! Application dispatching to Joomla Auth, OpenID Auth, LDAP Auth and Other Auth Plugins]
The Joomla! application sends the authentication request to all enabled plug-ins. The order is based on the plug-in rank in the manager. Each plug-in processes the request and sends back a status to the handler. The handler checks for a success and passes it off to the application. In the case of a failure, it logs the errors to JLog for analysis by the admin.

Code Base
- function onAuthenticate( $username, $password )
  - Processes an authentication request
  - Gets a username and password
  - Returns a JAuthenticateResponse object
    - status
      - JAUTHENTICATE_STATUS_SUCCESS
      - JAUTHENTICATE_STATUS_FAILURE
    - error_message
      - Can be any text
      - Text should identify the error that occurred
      - Gets sent to the JLog system to be logged
      - On failure the end user will only see an invalid credentials response
    - Can also return: username, fullname, password etc.
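The Structure and Code Base slides above describe a handler that asks plug-ins in rank order, takes the first success, and keeps the detailed error_message for the admin log while the user only sees a generic failure. The following is an added example written for this page, not the talk's or Joomla!'s own code: a stand-alone PHP stand-in for that loop, with the JAuthenticateResponse class, the two plug-ins and their ranks all constructed here.

```php
<?php
// Constructed stand-in for the Joomla! 1.5 handler loop (example only).
define('JAUTHENTICATE_STATUS_SUCCESS', 1);
define('JAUTHENTICATE_STATUS_FAILURE', 4);

class JAuthenticateResponse {
    public $type, $status = JAUTHENTICATE_STATUS_FAILURE, $error_message = '';
    public $username, $fullname;
    function __construct($type) { $this->type = $type; }   // $type = plugin name
}

class HelloPlugin {                     // rank 1: asked first
    public $rank = 1;
    function onAuthenticate($username, $password) {
        $r  = new JAuthenticateResponse('example');
        $ok = ($username === 'Hello' && $password === 'World');
        $r->status = $ok ? JAUTHENTICATE_STATUS_SUCCESS : JAUTHENTICATE_STATUS_FAILURE;
        if (!$ok) $r->error_message = 'example: username/password did not match';
        return $r;
    }
}

class DownPlugin {                      // rank 2: simulates an unreachable backend
    public $rank = 2;
    function onAuthenticate($username, $password) {
        $r = new JAuthenticateResponse('ldap');   // status stays FAILURE
        $r->error_message = 'ldap: could not connect to directory server';
        return $r;
    }
}

function byRank($a, $b) { return $a->rank - $b->rank; }

// First successful response wins. On overall failure every plug-in's detailed
// reason goes to $log (JLog in Joomla!) and the caller gets only a generic message.
function authenticate(array $plugins, $username, $password, array &$log) {
    usort($plugins, 'byRank');
    foreach ($plugins as $plugin) {
        $response = $plugin->onAuthenticate($username, $password);
        if ($response->status == JAUTHENTICATE_STATUS_SUCCESS) return $response;
        $log[] = sprintf('[%s] %s/%s: %s', date('c'), $response->type, $username, $response->error_message);
    }
    $r = new JAuthenticateResponse('handler');
    $r->error_message = 'Invalid credentials';   // the only text the end user sees
    return $r;
}

$log = array();
$ok  = authenticate(array(new DownPlugin(), new HelloPlugin()), 'Hello', 'World', $log);
$bad = authenticate(array(new DownPlugin(), new HelloPlugin()), 'Hello', 'Wrong', $log);
// $ok->status is SUCCESS (from 'example'); $bad->status is FAILURE with the two
// detailed reasons in $log, while $bad->error_message is just 'Invalid credentials'.
```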

Code Base cont.
- function onAuthenticateFailure( $username, $password )
  - Fires only when a failure is detected
  - Can be used to clear details from J! or cookies on failure

Code Base cont.
- function onLoginUser( $response, $remember )
  - Processed on a successful login by a plug-in
  - $response is the JAuthenticateResponse from the accepted plug-in
  - $remember is set when the user wants to be remembered

Code Base cont.
- function onLogoutUser( $parameters )
  - Processed on a logout request from the user
  - $parameters is an array:
    - Username: the username being logged out
    - ID: the user's ID

Code Base cont.
- Extra events for syncing users include:
  - onBeforeStoreUser
  - onAfterStoreUser
  - onBeforeDeleteUser
  - onAfterDeleteUser

Hello World of Authentication

function onAuthenticate( $username, $password )
{
    $return = new JAuthenticateResponse('example');
    // 'status' is the field the handler reads (the slide wrote 'type' here,
    // which is the plug-in name, not the result)
    if ($username == "Hello" && $password == "World")
        $return->status = JAUTHENTICATE_STATUS_SUCCESS;
    else
        $return->status = JAUTHENTICATE_STATUS_FAILURE;
    return $return;
}

GMail Example

function onAuthenticate( $username, $password )
{
    $return = new JAuthenticateResponse('gmail');
    // The URL was dropped from the transcript; it is the Google endpoint that
    // answers HTTP Basic authentication with 200 (valid) or 401 (invalid).
    $curl = curl_init("<URL missing from transcript>");
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_USERPWD, "$username:$password");
    $result = curl_exec($curl);
    $code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);
    $message = '';
    $success = 0;
    switch ($code) {
        case 200:
            $message = 'Access Granted';
            $success = 1;
            break;
        case 401:
            $message = 'Access Denied';
            break;
        default:
            $message = 'Result unknown, access denied.';
            break;
    }
    if ($success) {
        $return->status = JAUTHENTICATE_STATUS_SUCCESS;
        $return->email = $username;   // property name missing from the transcript; 'email' assumed
        $return->fullname = $username;
    } else {
        $return->status = JAUTHENTICATE_STATUS_FAILURE;
        $return->error_message = 'Failed to authenticate: ' . $message;
    }
    return $return;
}

OpenID & Our Pitfalls
- Issues
  - Cookie data needs to be sent to the client
  - It must redirect to an external site
  - It should return to the authentication plug-in
  - Limited support in PHP4

OpenID & Our Pitfalls cont.
- Used JSession to store cookies
- Built URIs with JURI and redirected via $mainframe
- Returned mimicking a login form response
- Checked for cookie/session state to complete the request
- Used SimpleXML to mimic OpenID requests
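The two pitfalls slides describe a plug-in that has to leave the site, come back as if a login form had been posted, and then prove from session state that the return belongs to the request it started. This is an added example written for this page, not the talk's OpenID plug-in: it keeps only that round-trip, with a constructed '<provider URL>' standing in for the external site, and assumes JFactory::getSession(), JURI and $mainframe->redirect() are the Joomla! 1.5 calls the slides refer to.

```php
<?php
// Constructed two-phase plug-in skeleton (example only, not Joomla! code).
define('JAUTHENTICATE_STATUS_SUCCESS', 1);
define('JAUTHENTICATE_STATUS_FAILURE', 4);

function onAuthenticate($username, $password)
{
    global $mainframe;                            // Joomla! 1.5 application object
    $return  = new JAuthenticateResponse('openid');
    $session = JFactory::getSession();           // server-side state, not a client cookie

    // Phase 2: the browser is back. The nonce in the request must equal the one
    // stored before we left; anything else is a forged, stale or replayed return.
    if (isset($_GET['openid_return'])) {
        $expected = $session->get('nonce', null, 'openid');
        $session->clear('nonce', 'openid');       // one use only
        if ($expected !== null && isset($_GET['nonce']) && $_GET['nonce'] === $expected) {
            $return->status   = JAUTHENTICATE_STATUS_SUCCESS;
            $return->username = $session->get('identity', '', 'openid');
        } else {
            $return->status        = JAUTHENTICATE_STATUS_FAILURE;
            $return->error_message = 'openid: return did not match stored session state';
        }
        return $return;
    }

    // Phase 1: remember who is logging in and a fresh nonce, then redirect to the
    // provider with a return URL that lands on the login task so this plug-in runs again.
    $nonce = md5(uniqid(mt_rand(), true));
    $session->set('nonce', $nonce, 'openid');
    $session->set('identity', $username, 'openid');  // OpenID identifier typed as username
    $uri = JURI::getInstance(JURI::base());
    $uri->setVar('option', 'com_user');
    $uri->setVar('task', 'login');
    $uri->setVar('openid_return', 1);
    $uri->setVar('nonce', $nonce);
    $mainframe->redirect('<provider URL>?return_to=' . urlencode($uri->toString()));
}
```

The real plug-in additionally has to verify the provider's signed assertion; the nonce check shown here only ties the return to the session that initiated it.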

Other schemes
- RADIUS
- RSA SecurID
- WiKID
- Extendable External Databases (EED)
- Google Account Authentication
- Kerberos
- IMAP/POP3

Questions?