Please upgrade here. These earlier versions are no longer being updated and have security issues.
HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

Integrating own authentication mechanism into Vanilla

Dear all,

Though I am aware that this question has been posted before in various incarnations, I do not feel that it has been answered in a way that I now know what is possible and what is not. First off, I am an experienced PHP developer, so I am not hesitant to write additional code or specific addons to reach my goal.

What I have set up now is a Vanilla forum installation (non-embedded), that uses jsConnect to automatically sign in users that have previously signed in to the website that has the user account database. So this now works in my setup:

[website] -> {user signs in} -> {user visits forum} -> [forum uses jsConnect] -> {user is automatically signed into Vanilla forum}

No real problems there, as jsConnect is well documented.

The next step is to have users use the same username and password that they have on the [website] to sign into the forum directly. So in this step, the user does not first visit [website], but uses his/her credentials to sign in on [forum]. Something like this:

[forum] -> {user clicks sign in} -> {user enters credentials} -> {forum does background authentication@website} -> {user is authenticated@forum}

There are two ways to approach this, I guess.

  1. Have the forum load the oAuth popup from [website] to login, instead of its own popup.
  2. Have the forum do a background authentication, after the user has entered his credentials in the [forum] popup.

I assume that the second option is the easiest to implement, as it has no effect on the user interaction (front-end) of Vanilla.

Now, my actual questions:

  1. Is there a standard way to achieve the described goal?
  2. If not, could you please give me some pointers on where to insert code to do the background authentication, taking into mind that I would prefer to make the adjustments in such a way, that I can still easily upgrade to a next version of Vanilla, i.e. that I would prefer to have my code in an addon of some sorts, as not to change the "base" code of Vanilla itself.

Thank you very much in advance for your help.

Comments

  • The next step is to have users use the same username and password that they have on the [website] to sign into the forum directly. So in this step, the user does not first visit [website], but uses his/her credentials to sign in on [forum].

    Why?

    That defeats the whole purpose of single sign on.

    You can use any form, for logon, and redirect back to forum. I wouldn't complicate it further than that.

    jsConnect is about authentication, so it can be used to authenticate against the logged on authority.

    grep is your friend.

  • Hi x00: That sounds good. How do I "use any form, for logon"?
    Or: How do I integrate a remote form into vanilla?

  • No, I think the better question is: How do I make Vanilla forum redirect to a remote login-form?
    I have now set the config option: $Configuration['Garden']['Authenticator']['SignInUrl'] to the location of my remote login form, but the login button still refers to /entry/signin.

  • What version of vanilla are you using?

    grep is your friend.

  • Installed the latest version this morning (2.1 stable).

  • LincLinc Detroit Admin

    The jsConnect addon, when set up correctly, makes it so that you do log into the forum "directly" using the same username and password. Add the URLs for your sign in and register pages to the connection setup and it will redirect accordingly.

  • Yep it turns out that $Configuration['Garden']['Authenticator']['SignInUrl'] is used elseware.

    If you want to change the links then predefine the functions SignInUrl and SignOutUrl

    to return your url

    You can define them in /conf/bootstrap.after.phpwhich you can create. that way you can user other native function like

    return 'http://yoursite/sso/login?return='.urlencode(Gdn::Controller()->SelfUrl);
    

    Or even better

    return sprintf(C('Garden.Authenticator.SignInUrl'), urlencode(Gdn::Controller()->SelfUrl));
    

    You can do the same for logout, though you may have certain issues, with nonce protected logout, but is outside of vanilla control.

    grep is your friend.

  • x00x00 MVP
    edited May 2014

    It is understandably confusing.

    You have SigninUrl passed from the provider. This is what comes up dynamically once jsConnect has detected the provider (of which there can technically be more than one, but if not you may what automatic sign in).

    You basic bog standard sign in link which uses SigninUrl function, and $Configuration['Garden']['Authenticator']['SignInUrl'] which is a default if not passed from the provider.

    My approach to using jsConnect is to force the login through the one source. Try and lock down any loose ends.

    grep is your friend.

  • @Linc said:
    The jsConnect addon, when set up correctly, makes it so that you do log into the forum "directly" using the same username and password. Add the URLs for your sign in and register pages to the connection setup and it will redirect accordingly.

    Ok, I have tried this ... but it does not seem to do anything.
    I have created an URL that sends me an e-mail when it is called, and I have configured that URL for jsConnect to be used as the 'Sign In Url'. But the URL is never called, when I enter a username and password in the default "SignIn Popup" of Vanilla Forum.

  • The sign url that you use with your provider, is used to create alternative sign in or 'connect' link.

    I would simply bypass the vanilla login form altogether, to simplify things.

    Then lock down entry/signin

    grep is your friend.

  • Also why would the provider's authentication system necessarily accept arbitrary post fields from a vanilla form?

    grep is your friend.

  • x00x00 MVP
    edited May 2014

    The main purpose of of jsConnect is to validate the authentication of the provider, not to log you in. That is just bells and whistles stuff the may not be helpful.

    grep is your friend.

  • millymilly New
    edited February 2015

    so what do i fix as the "authenticate url", sample please.
    e.g http://mysite.com/forum/...
    i.e the jsonp authentication data when I am filling the jsconnect fields.

  • LincLinc Detroit Admin

    @milly This will help explain jsConnect: http://docs.vanillaforums.com/features/sso/

Sign In or Register to comment.