GSoC Project
End Goal: An object-oriented interface for authentication backends that allows multiple authentication plugins to be enabled at the same time and lets them change the user interface. Changes to both account settings and profile data should either be preventable by such plugins or trigger a notification to the respective plugin, so that the data can also be changed in its own database. Existing function-based authentication plugins will be refactored onto this interface and an OpenID implementation added.
Proposed Changes
- Authentication (login)
  - Create a method to handle login from a 3rd party service.
  - Allow login via forum username/password or 3rd party authentication.
- Registration
  - Allow the use of the same username as on the 3rd party service, or one specific to the forum (in either case the name must still be checked against existing forum accounts).
  - Require the user to have a separate forum password in case they de-authorize all 3rd party services.
  - Copy contact information from the 3rd party service, including the e-mail address if possible, into the registration form and let the user change any of it before concluding registration. (Optional)
  - Authorize the 3rd party service by default.
- User Control Panel
  - Authorize 3rd party authentication.
    - Allow the user to authorize a 3rd party service to let them log into their account.
    - Allow the user to copy information from the 3rd party service at this stage (ask the user about each element?). (Optional)
  - De-authorize 3rd party authentication.
    - Allow a user to remove an authorized 3rd party service.
- Admin Control Panel
  - 3rd Party Services
    - Choose which services to allow.
    - Completely clear the authorizations of a particular service.
  - User Admin
    - Allow the admin to deauthorize a user from using a specific service on the phpBB forum.
    - Allow the admin to ban a user from a specific service. (Optional)
    - Allow the admin to ban a specific user on a 3rd party service from registering on the site.
- 3rd Party Services
  - Authorization Request
    - Redirect page
      - Redirects the user to the 3rd party service for authorization.
      - Asks the service for the authorization key.
  - Login Request
    - Ask the 3rd party service for authentication on login using the authorization key.
    - If authorization is no longer granted, ask the user to reauthorize the account via the redirect page.
  - Deauthorization Request
    - Send information to the service (possibly via a redirect page to them) that revokes the phpBB site's permission to log in a specific user.
  - The Request
    - May need to be specific to each service, depending on how it wants data formatted.
    - Formatting of the request could be done using a switch for each service (not sure how well this would integrate with plugins; letting each plugin build its own request avoids a central switch that must know every service).
    - Redirect page
- Database changes
  - Authorizations
  - Authorization bans
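The interface and the flows in the list above, as an added PHP 8 illustration that is not phpBB's code: `auth_provider`, `auth_manager`, `signed_callback_provider` and the in-memory arrays standing in for the authorizations and authorization-bans tables are all hypothetical names. The constructed service verifies an HMAC-signed callback so that the manager's checks (a verified identity, not banned, linked to at most one account, a forum password kept as fallback, linked providers able to veto profile changes) can be exercised offline.

```php
<?php
// Added illustration of the proposed object-oriented auth interface (PHP 8). It is not
// phpBB code: every class, method and table name here is a hypothetical stand-in.

interface auth_provider
{
    public function get_name(): string;
    public function verify(array $response): ?string;                    // asserted identity, or null
    public function revoke(string $identifier): void;                    // deauthorization request
    public function profile_changed(int $user_id, array $changes): bool; // false = prevent the change
}

// Constructed service for the walk-through: it signs the identifier with a shared secret.
final class signed_callback_provider implements auth_provider
{
    public array $revoked = [];
    public function __construct(private string $name, private string $secret) {}
    public function get_name(): string { return $this->name; }
    public function verify(array $response): ?string
    {
        $id = (string) ($response['identifier'] ?? '');
        $sig = hash_hmac('sha256', $id, $this->secret);
        return ($id !== '' && hash_equals($sig, (string) ($response['sig'] ?? ''))) ? $id : null;
    }
    public function revoke(string $identifier): void { $this->revoked[] = $identifier; }
    // this service cannot mirror e-mail changes, so it vetoes them
    public function profile_changed(int $user_id, array $changes): bool { return !isset($changes['email']); }
}

final class auth_manager
{
    private array $providers = [];      // services the admin allows, keyed by name
    private array $users = [];          // user_id => ['password_hash' => ..., 'email' => ...]
    private array $authorizations = []; // "service|identifier" => user_id   ("authorizations" table)
    private array $bans = [];           // "service|identifier" => true      ("authorization bans" table)

    public function enable_service(auth_provider $p): void { $this->providers[$p->get_name()] = $p; }
    // every account keeps a forum password, so the user can still log in after unlinking everything
    public function register(int $user_id, string $password, string $email): void
    {
        $this->users[$user_id] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT), 'email' => $email];
    }
    public function login_with_password(int $user_id, string $password): bool
    {
        return isset($this->users[$user_id]) && password_verify($password, $this->users[$user_id]['password_hash']);
    }
    // UCP "authorize": link a verified identity to an account; an identity belongs to at most one account
    public function authorize(int $user_id, string $service, array $response): bool
    {
        $key = $this->identity_key($service, $response);
        if ($key === null || !isset($this->users[$user_id]) || isset($this->bans[$key])) return false;
        if (isset($this->authorizations[$key]) && $this->authorizations[$key] !== $user_id) return false;
        $this->authorizations[$key] = $user_id;
        return true;
    }
    // login request: the user id to log in, or null (unverified, banned, or must re-authorize)
    public function login_with_service(string $service, array $response): ?int
    {
        $key = $this->identity_key($service, $response);
        return ($key === null || isset($this->bans[$key])) ? null : ($this->authorizations[$key] ?? null);
    }
    // UCP de-authorize / ACP per-user deauthorize: unlink, then notify the service
    public function deauthorize(int $user_id, string $service, string $identifier): void
    {
        $key = "$service|$identifier";
        if (($this->authorizations[$key] ?? null) !== $user_id) return;
        unset($this->authorizations[$key]);
        $this->providers[$service]->revoke($identifier);
    }
    // ACP ban: a banned identity can neither log in nor be linked at registration
    public function ban_identity(string $service, string $identifier): void
    {
        $this->bans["$service|$identifier"] = true;
        unset($this->authorizations["$service|$identifier"]);
    }
    // profile/account changes are offered to every provider linked to the user; any veto blocks them
    public function change_profile(int $user_id, array $changes): bool
    {
        foreach ($this->authorizations as $key => $uid) {
            [$service] = explode('|', $key, 2);
            if ($uid === $user_id && !$this->providers[$service]->profile_changed($user_id, $changes)) return false;
        }
        if (isset($changes['email'])) $this->users[$user_id]['email'] = $changes['email'];
        return true;
    }
    private function identity_key(string $service, array $response): ?string
    {
        if (!isset($this->providers[$service])) return null;   // service not enabled by the admin
        $id = $this->providers[$service]->verify($response);
        return $id === null ? null : "$service|$id";
    }
}

$m = new auth_manager();   // walk-through with a constructed service and a constructed callback
$m->enable_service(new signed_callback_provider('example', 'shared-secret'));
$m->register(7, 'forum-password', 'alice@example.org');
$cb = ['identifier' => 'alice', 'sig' => hash_hmac('sha256', 'alice', 'shared-secret')];
assert($m->authorize(7, 'example', $cb));
assert($m->login_with_service('example', $cb) === 7);
assert($m->login_with_service('example', ['identifier' => 'alice', 'sig' => 'forged']) === null);
assert($m->change_profile(7, ['email' => 'new@example.org']) === false);   // vetoed by the linked service
$m->deauthorize(7, 'example', 'alice');
assert($m->login_with_service('example', $cb) === null);
assert($m->login_with_password(7, 'forum-password'));
```

The walk-through at the end exercises the UCP authorize, service login, forged callback, vetoed e-mail change, de-authorize and password-fallback paths; `assert()` aborts on the first wrong result when `zend.assertions` is enabled. In phpBB the two arrays would be the two new tables, and a unique key on (service, identifier) in the authorizations table enforces the one-identity-one-account rule in the database rather than only in code.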
Third Party Auth Services to Use:
- OpenID
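The authorization-request and login-request exchange for OpenID 2.0, as an added example written for this page rather than taken from the project: `openid_relying_party` is a hypothetical class; the OP endpoint, association handle, MAC key, realm and return_to URL are constructed; and the OP's positive assertion is simulated locally so the verification runs offline. The `openid.*` parameter names, the `checkid_setup`/`id_res` modes and the key-value signing of the fields listed in `openid.signed` follow the OpenID Authentication 2.0 specification; discovery, association setup and the stateless `check_authentication` alternative are left out.

```php
<?php
// Added example of the "Authorization Request" / "Login Request" exchange for OpenID 2.0; not the
// project's code. The OP endpoint, association handle and MAC key are constructed, and the OP's
// reply is simulated locally (PHP 8) so the check runs offline.

final class openid_relying_party
{
    private array $seen_nonces = [];   // response nonces already accepted (replay protection)

    public function __construct(
        private string $op_endpoint,   // OP endpoint found by discovery on the claimed identifier
        private string $assoc_handle,  // handle of the association established earlier with the OP
        private string $mac_key        // raw HMAC-SHA256 key of that association
    ) {}

    // Redirect page: the URL the user is sent to so the OP can authorise this site.
    public function authorization_url(string $claimed_id, string $return_to, string $realm): string
    {
        $params = [
            'openid.ns'           => 'http://specs.openid.net/auth/2.0',
            'openid.mode'         => 'checkid_setup',
            'openid.claimed_id'   => $claimed_id,
            'openid.identity'     => $claimed_id,
            'openid.assoc_handle' => $this->assoc_handle,
            'openid.return_to'    => $return_to,
            'openid.realm'        => $realm,
        ];
        return $this->op_endpoint . (str_contains($this->op_endpoint, '?') ? '&' : '?') . http_build_query($params);
    }

    // Login request: check the assertion the OP sent back to return_to and give back the verified
    // claimed identifier, or null (the caller then sends the user through the redirect page again).
    public function verify(array $q, string $expected_return_to): ?string
    {
        if (($q['openid.mode'] ?? '') !== 'id_res') return null;                    // cancel or setup_needed
        if (($q['openid.return_to'] ?? '') !== $expected_return_to) return null;    // response meant for us
        if (($q['openid.op_endpoint'] ?? '') !== $this->op_endpoint) return null;   // and from the expected OP
        if (($q['openid.assoc_handle'] ?? '') !== $this->assoc_handle) return null; // signed with our association
        $nonce = $q['openid.response_nonce'] ?? '';
        if ($nonce === '' || isset($this->seen_nonces[$nonce])) return null;        // replayed assertion

        // The signature must cover at least these fields, otherwise an attacker could swap them.
        $signed = explode(',', $q['openid.signed'] ?? '');
        foreach (['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle', 'claimed_id', 'identity'] as $f) {
            if (!in_array($f, $signed, true)) return null;
        }
        // Key-value form of the signed fields in the order listed, HMAC'd with the association MAC key.
        $kv = '';
        foreach ($signed as $f) {
            if (!isset($q["openid.$f"])) return null;
            $kv .= $f . ':' . $q["openid.$f"] . "\n";
        }
        $expected = base64_encode(hash_hmac('sha256', $kv, $this->mac_key, true));
        if (!hash_equals($expected, (string) ($q['openid.sig'] ?? ''))) return null;

        $this->seen_nonces[$nonce] = true;
        return $q['openid.claimed_id'];
    }
}

// Constructed association and a locally simulated OP reply (what the redirect back to return_to carries).
$mac_key   = random_bytes(32);
$rp        = new openid_relying_party('https://op.example/endpoint', 'assoc-123', $mac_key);
$return_to = 'https://forum.example/ucp.php?mode=login&auth=openid';
$redirect  = $rp->authorization_url('https://alice.op.example/', $return_to, 'https://forum.example/');

$fields = [
    'op_endpoint'    => 'https://op.example/endpoint',
    'return_to'      => $return_to,
    'response_nonce' => gmdate('Y-m-d\TH:i:s\Z') . 'x1',
    'assoc_handle'   => 'assoc-123',
    'claimed_id'     => 'https://alice.op.example/',
    'identity'       => 'https://alice.op.example/',
];
$kv = '';
foreach ($fields as $k => $v) $kv .= "$k:$v\n";
$reply = ['openid.ns' => 'http://specs.openid.net/auth/2.0', 'openid.mode' => 'id_res',
          'openid.signed' => implode(',', array_keys($fields)),
          'openid.sig' => base64_encode(hash_hmac('sha256', $kv, $mac_key, true))];
foreach ($fields as $k => $v) $reply["openid.$k"] = $v;

assert($rp->verify($reply, $return_to) === 'https://alice.op.example/');
assert($rp->verify($reply, $return_to) === null);            // the same nonce cannot be used twice
$tampered = ['openid.claimed_id' => 'https://mallory.op.example/'] + $reply;
assert($rp->verify($tampered, $return_to) === null);         // changing a signed field breaks the signature
```

Two checks a real relying party adds on top of this: the timestamp prefix of `openid.response_nonce` must be recent, so the seen-nonce list can be pruned, and `openid.claimed_id` must be the identifier that discovery actually resolved to `openid.op_endpoint`; without that last check any OP could assert any identifier. The verified claimed identifier is the value the forum stores in its authorizations table.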
Mockups:
User Control Panel for Third Party Login Services
Authorize an account to log in. The "Authorize" button would send the user to the appropriate third party website, where they can grant authorization (JavaScript to bring up a popup window to do this?).
Log in with either your phpBB credentials or your registered OpenID credentials.
Registration page. It would go after the "You must be 13 or older to register"/terms of service page and before the actual account creation page. It would send the user to the third party site to authorize the account, then send the user back to set a phpBB password and fill in their account information.
Ticket: http://tracker.phpbb.com/browse/PHPBB3-9734
Pull Request (WIP): https://github.com/phpbb/phpbb3/pull/836
Edit 1: Add list of Third Party Auth Services
Edit 2: Add mock-up diagrams.