GSOC 2010 Authentication framework

This page is dedicated to the "Authentication framework" project for GSOC2010

=FAQ=
 * What is the difficult part of the project?

The difficult part will not be to implement OpenID or CAS or any authentication scheme, as we usually are able to find open-source libraries to connect to these authentication backends. I think the most difficult part will be to design an interface in LS1 that will make it possible to implement _any_kind_ of authentication backend.
 * Is there a list of authentication protocols you want to support?

There is no such list, because we want a framework that can be extended even with user-specific authentication systems.

For instance, consider the following different cases:

1- Case study 1:

LS1 authentication is based on a simple User/Password form, and the password (or password hash) is read from the internal (usual) DB or from another database (such as LDAP when using LDAP as a database and not using ldap-bind).

2- Case study 2:

LS1 authentication is based on a simple User/Password form, but the authentication is delegated to a server able to check the password validity: for instance LDAP (when using LDAP-bind authentication), or RADIUS.

3- Case study 3:

LS1 is integrated into another web application which already implements authentication. LS1 authentication is then done simply by checking a value in a given SESSION parameter, or in a GET parameter.

4- Case study 4:

LS1 uses the web server authentication (equivalent of the current Web Server Authentication Delegation mode).

5- Case study 5:

LS1 authentication uses an external authentication protocol which requires several messages to be exchanged between the authentication server and the client (maybe several forms to be filled). For instance: the first screen asks for the username, the server replies with a challenge, then the second form asks for the password corresponding to the proposed challenge.

6- Case study 6:

Authentication is done on a remote web service which generates a service token for LS1. The user is then redirected to LS1 and provides the token (either in a cookie or in a GET or POST parameter). LS1 has to check that the token is valid and then grants access to the user. Examples of such authentication protocols are CAS and OpenID.
 * Do I have to implement a framework for each of the above test cases?

Of course not.

Let's say that the Generic Authentication Framework is implemented as a PHP class; then it will define an API made up of its public methods, and each concrete authentication module will inherit from this class.

For instance, the Generic framework may define:

- An API that will return the capabilities of the module (is it able to do authentication, user provisioning, ...)

- A set of methods to handle authentication, user provisioning (maybe a noop if not implemented), ...

- A set of facility methods used by modules in order to display messages, errors, login forms, setup forms

- A set of methods to record/read/modify the module parameters in the DB

Then in the LS1 core code, an instance of an Auth module is instantiated (depending on the setup parameters), and only the methods defined in the Generic Authentication Framework are used (never specific methods from the authentication module). This makes it easy to implement a new authentication module without having to modify the LS1 core code.
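Added sketch (not LimeSurvey code) of how that API could look as a PHP 8 abstract class, with modules for case studies 1 and 3 and core code that calls only the generic methods; the module parameters, the user table and the session contents are injected as constructed sample input instead of being read from the LS1 DB or $_SESSION, and all class and method names are assumptions.

```php
<?php
// Added illustration (not LimeSurvey code): the Generic Authentication Framework as an
// abstract class, two concrete modules, and core code that uses only the generic API.
abstract class GenericAuth {
    const CAP_AUTH = 1;       // module can authenticate users
    const CAP_PROVISION = 2;  // module can create users / assign global rights
    // Module parameters are injected here; in LS1 they would be read from the DB.
    public function __construct(protected array $params) {}
    abstract public function capabilities(): int;
    // Returns the authenticated username, or null when authentication fails.
    abstract public function authenticate(array $request): ?string;
    public function provision(string $user): array { return []; } // noop unless overridden
}

// Case study 1: User/Password form, hash verified against a local user table.
class DbPasswordAuth extends GenericAuth {
    public function capabilities(): int { return self::CAP_AUTH | self::CAP_PROVISION; }
    public function authenticate(array $request): ?string {
        $user = $request['user'] ?? '';
        $hash = $this->params['users'][$user] ?? null; // password_hash() output
        // Verify against a dummy hash for unknown users so timing does not reveal usernames.
        $ok = password_verify($request['password'] ?? '', $hash ?? password_hash('-', PASSWORD_DEFAULT));
        return ($hash !== null && $ok) ? $user : null;
    }
}

// Case study 3: LS1 embedded in an application that already authenticated the user.
class SessionAuth extends GenericAuth {
    public function capabilities(): int { return self::CAP_AUTH; }
    public function authenticate(array $request): ?string {
        // Trust only the server-side session, not a GET parameter the client controls.
        $value = $request['session'][$this->params['session_key']] ?? null;
        return (is_string($value) && $value !== '') ? $value : null;
    }
}

// LS1 core: instantiate the module named in setup and call only the GenericAuth API.
function coreLogin(string $module, array $params, array $request): ?string {
    $auth = new $module($params);
    if (!($auth->capabilities() & GenericAuth::CAP_AUTH)) { return null; }
    $user = $auth->authenticate($request);
    if ($user !== null && ($auth->capabilities() & GenericAuth::CAP_PROVISION)) {
        $auth->provision($user); // e.g. create the user in the LS1 DB, assign global rights
    }
    return $user;
}

// Constructed sample inputs: a local user table, then a session set by the embedding application.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
var_dump(coreLogin('DbPasswordAuth', ['users' => $users], ['user' => 'alice', 'password' => 'correct horse']));
var_dump(coreLogin('SessionAuth', ['session_key' => 'app_user'], ['session' => ['app_user' => 'carol']]));
```

Adding a module for any other case study means subclassing GenericAuth and registering its class name in the setup parameters; coreLogin does not change.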
 * Is this project just about authentication?

No, it isn't restricted to authentication but extends as well to user provisioning (which I sometimes call authorization).

Indeed, authentication only checks that the user is really who he pretends to be, but it doesn't cope with the user rights issue. So once authentication is performed, LS1 needs to know the rights for this user: the global rights, as well as specific rights on each survey. The current approach when delegating authentication to the web server is to let the authentication module create the new user if it is not already in the LS1 database. It is even possible to assign him user-specific global rights by a "hook" function. The Authentication interface will have to specify this aspect as well, so that any authentication module will be able to populate the LS1 permissions system.
 * What other sources of information should I read/use, ...?

I really encourage you to carefully read and understand the following page:

http://docs.limesurvey.org/tiki-index.php?page=Optional+settings&structure=English+Instructions+for+LimeSurvey#Authentication

Moreover, a look at the following file in LS1 will help you:

usercontrol.php

This project could benefit from ideas developed for the Horde project, especially the Auth class and library.

Some user-proposed patches:

http://bugs.limesurvey.org/view.php?id=4035

http://bugs.limesurvey.org/view.php?id=3020