authentication plugin with callback?


Ronny Buelund

Dec 28, 2024, 4:29:22 AM12/28/24
to Joomla! General Development
I am trying to modify the Joomla authentication plugin. After normal login I want the user to verify through an OpenID service that then activates a callback to Joomla - this is a one-time verification, so not a two-factor authentication. Is it possible to do this the plugin way? The user must not be able to navigate on the site before proper verification. My problem is - how to use the callback of the OpenID service to come back with data to the plugin?

Chris Davenport

Dec 28, 2024, 4:41:19 PM12/28/24
to Joomla! General Development
Hi Ronny,

The way I've done this sort of thing in the past is to use the OpenID Connect Code Flow protocol and make the OpenID server the sole identity authority, so the Joomla auth plugin is disabled and the only way to log in is via the OpenID server.  There are probably other ways to do it, but that was relatively straightforward to implement and it provided Single-Sign On (SSO) if multiple Joomla (or a mix with non-Joomla) websites were involved.

The protocol specification is here: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

The basic steps are as follows:

1. When the user visits a page on the website that requires them to be logged in (or they click the "Log in" link), the plugin detects this and redirects them to the OpenID server with a specially-crafted URL.

2. The user "logs in" to the OpenID server using whatever means required (password, MFA, etc.), after which the OpenID server will redirect the user back to the website with a URL that includes a short-lived token.

3. The Joomla plugin detects that the URL is a returning user and then does a background POST request to the OpenID server using the token supplied in the previous step.  The response verifies to the plugin that the user has indeed authenticated themselves.  The user can now be safely logged in to the website (without user dialogue).  If the user is not known to Joomla then a new user record can also be created using whatever information the OpenID server provided (which could be just an email address, but that's often all that's needed).

The devil is the detail, of course.  I found the trickiest part was correctly unpacking and decrypting the response to the POST request.

Hope that helps.

Chris.
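The three steps above, as an added example in plugin-style PHP (not Joomla's code and not Chris's): the state and nonce checks are what stop a forged or replayed callback from logging someone in. Assumed: the session stores the issued state and nonce, and the token response's `id_token` signature has already been verified against the provider's JWKS with a library such as firebase/php-jwt (not shown).

```php
<?php
// Step 1: build the redirect to the OpenID server. state ties the callback to
// this browser session (CSRF protection); nonce ties the ID token to this
// particular login attempt. Both must be stored server-side before redirecting.
function buildAuthRequest(string $authEndpoint, string $clientId, string $redirectUri): array {
    $state = bin2hex(random_bytes(16));
    $nonce = bin2hex(random_bytes(16));
    $url = $authEndpoint . '?' . http_build_query([
        'response_type' => 'code', 'scope' => 'openid email',
        'client_id' => $clientId, 'redirect_uri' => $redirectUri,
        'state' => $state, 'nonce' => $nonce,
    ]);
    return ['url' => $url, 'state' => $state, 'nonce' => $nonce];
}

// Step 2/3: the user returns with ?code=...&state=... . Refuse to use the code
// unless state matches what this session issued (constant-time comparison).
function callbackIsValid(array $query, string $expectedState): bool {
    return isset($query['code'], $query['state'])
        && hash_equals($expectedState, (string) $query['state']);
}

// Step 3: the background POST to the token endpoint returns an id_token (JWT).
// After its signature has been verified (assumed done elsewhere), decode the
// payload and check the claims the Core spec requires before trusting it.
function idTokenClaimsValid(string $idToken, string $issuer, string $clientId,
                            string $nonce, int $now): bool {
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) { return false; }
    // JWT payload is base64url without padding; restore padding and decode.
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 = str_pad($b64, strlen($b64) + (4 - strlen($b64) % 4) % 4, '=');
    $payload = base64_decode($b64, true);
    $c = $payload === false ? null : json_decode($payload, true);
    if (!is_array($c)) { return false; }
    $aud = (array) ($c['aud'] ?? []);        // aud may be a string or an array
    return ($c['iss'] ?? null) === $issuer   // token came from our provider
        && in_array($clientId, $aud, true)   // ...and was issued for this site
        && isset($c['exp']) && $c['exp'] > $now
        && isset($c['nonce']) && hash_equals($nonce, (string) $c['nonce']);
}
```

Only after callbackIsValid() and idTokenClaimsValid() both pass should the plugin create the Joomla session or the new user record; until then the request is treated as unauthenticated.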

Ronny Buelund

Dec 28, 2024, 5:47:41 PM12/28/24
to joomla-de...@googlegroups.com
Do you maybe have some plugin code examples I could see?
