Integrating own authentication mechanism into Vanilla
robertjan
New
Dear all,
Though I am aware that this question has been posted before in various incarnations, I do not feel that it has been answered in a way that I now know what is possible and what is not. First off, I am an experienced PHP developer, so I am not hesitant to write additional code or specific addons to reach my goal.
What I have set up now is a Vanilla forum installation (non-embedded), that uses jsConnect to automatically sign in users that have previously signed in to the website that has the user account database. So this now works in my setup:
[website] -> {user signs in} -> {user visits forum} -> [forum uses jsConnect] -> {user is automatically signed into Vanilla forum}
No real problems there, as jsConnect is well documented.
The next step is to have users use the same username and password that they have on the [website] to sign into the forum directly. So in this step, the user does not first visit [website], but uses his/her credentials to sign in on [forum]. Something like this:
[forum] -> {user clicks sign in} -> {user enters credentials} -> {forum does background authentication@website} -> {user is authenticated@forum}
There are two ways to approach this, I guess.
- Have the forum load the oAuth popup from [website] to login, instead of its own popup.
- Have the forum do a background authentication, after the user has entered his credentials in the [forum] popup.
I assume that the second option is the easiest to implement, as it has no effect on the user interaction (front-end) of Vanilla.
Now, my actual questions:
- Is there a standard way to achieve the described goal?
- If not, could you please give me some pointers on where to insert code to do the background authentication, taking into mind that I would prefer to make the adjustments in such a way, that I can still easily upgrade to a next version of Vanilla, i.e. that I would prefer to have my code in an addon of some sorts, as not to change the "base" code of Vanilla itself.
Thank you very much in advance for your help.
Comments
Why?
That defeats the whole purpose of single sign on.
You can use any form, for logon, and redirect back to forum. I wouldn't complicate it further than that.
jsConnect is about authentication, so it can be used to authenticate against the logged on authority.
grep is your friend.
Hi x00: That sounds good. How do I "use any form, for logon"?
Or: How do I integrate a remote form into vanilla?
No, I think the better question is: How do I make Vanilla forum redirect to a remote login-form?
I have now set the config option: $Configuration['Garden']['Authenticator']['SignInUrl'] to the location of my remote login form, but the login button still refers to /entry/signin.
What version of vanilla are you using?
grep is your friend.
Installed the latest version this morning (2.1 stable).
The jsConnect addon, when set up correctly, makes it so that you do log into the forum "directly" using the same username and password. Add the URLs for your sign in and register pages to the connection setup and it will redirect accordingly.
Yep it turns out that
$Configuration['Garden']['Authenticator']['SignInUrl']is used elseware.If you want to change the links then predefine the functions
SignInUrlandSignOutUrlto return your url
You can define them in
/conf/bootstrap.after.phpwhich you can create. that way you can user other native function likeOr even better
return sprintf(C('Garden.Authenticator.SignInUrl'), urlencode(Gdn::Controller()->SelfUrl));You can do the same for logout, though you may have certain issues, with nonce protected logout, but is outside of vanilla control.
grep is your friend.
It is understandably confusing.
You have
SigninUrlpassed from the provider. This is what comes up dynamically once jsConnect has detected the provider (of which there can technically be more than one, but if not you may what automatic sign in).You basic bog standard sign in link which uses
SigninUrlfunction, and$Configuration['Garden']['Authenticator']['SignInUrl']which is a default if not passed from the provider.My approach to using jsConnect is to force the login through the one source. Try and lock down any loose ends.
grep is your friend.
Ok, I have tried this ... but it does not seem to do anything.
I have created an URL that sends me an e-mail when it is called, and I have configured that URL for jsConnect to be used as the 'Sign In Url'. But the URL is never called, when I enter a username and password in the default "SignIn Popup" of Vanilla Forum.
The sign url that you use with your provider, is used to create alternative sign in or 'connect' link.
I would simply bypass the vanilla login form altogether, to simplify things.
Then lock down
entry/signingrep is your friend.
Also why would the provider's authentication system necessarily accept arbitrary post fields from a vanilla form?
grep is your friend.
The main purpose of of jsConnect is to validate the authentication of the provider, not to log you in. That is just bells and whistles stuff the may not be helpful.
grep is your friend.
so what do i fix as the "authenticate url", sample please.
e.g http://mysite.com/forum/...
i.e the jsonp authentication data when I am filling the jsconnect fields.
@milly This will help explain jsConnect: http://docs.vanillaforums.com/features/sso/