The XC Authentication module allows remote authentication systems to authenticate Drupal users through the eXtensible Catalog Drupal Toolkit. The module creates a layer on top of Drupal's own authentication system to build a foundation for a more complex, yet flexible, authentication system:

  • allowing multiple authentication systems to authenticate the same Drupal user
  • using a single login form for multiple authentication systems
  • preventing collision with identical usernames across multiple authentication systems
  • automatically creating Drupal users for existing users authenticated via remote systems for the first time

Although seemingly complex, the concepts in this module can be simple to understand. From a Drupal administrator's perspective, there are configuration screens that allow him or her to set up a connection to their remote system in order to authenticate Drupal users, by creating authentication types. From a Drupal developer's perspective, there are underlying APIs and hooks that allow Drupal to connect to and authenticate using remote systems and manage those users within the Drupal Toolkit, by creating authentication methods and authentication credentials.

For example, the XC NCIP Provider module provides a method to authenticate users via NCIP using username and password credentials. An administrator can configure an authentication type by selecting this method, therefore allowing users to authenticate via NCIP, usually to an NCIP Toolkit. The user would then simply select which NCIP toolkit. More detailed information about authentication types, methods, and credentials is provided below.

Authentication types
The only configuration available from the user interface allows administrators with specific information about a remote authentication system to create a connection to it. This configuration is stored as an authentication type. The administration interface allows the administrator to configure this by selecting an authentication method, described below, and providing the properties required for the particular method to authenticate successfully.

Authentication methods
Remote systems have different ways of authenticating a user; for example, via LDAP authentication, NCIP authentication, or Drupal authentication. These are called authentication methods. Each method has its own authentication process, executed by a method function within the module supporting the method. Each method has its own set of properties needing configuration, provided by a form and also defined within the module supporting the method. Each method also supports one kind of authentication credential, explained below.

Authentication credentials
These ways of authenticating a user require different kinds of user inputs; for example, username and password, email and password, or last name, PIN number, email, email confirmation, and some random string. These are called authentication credentials. Similar to authentication methods, they are defined in a supporting module. However, unlike methods, the role of credentials is not to authenticate a user, but rather to define login form inputs that are gathered, validated, and passed to the method function during authentication.

Users and virtual accounts
The XC Authentication module keeps track of all users connected through remote authentication systems. These users are called authenticated users or "auth users" and are virtual accounts. Each virtual account can be associated with one and only one Drupal account; however, the converse is not true. Each Drupal account can be associated with zero, one, or more than one virtual account. When users log into Drupal via a remote authentication system, the username displayed for their Drupal account matches the username from the remote system. For example, if a user logs into NCIP with the username "foo", the username displayed in Drupal is "foo". Because of this, two different Drupal accounts may display the same username; however, they are not the same account. Drupal usernames should be unique, and there is no guarantee that an administrator will not create two authentication types connecting to two separate remote authentication systems in which the same username exists. So, the XC Authentication module creates a unique username for Drupal, for example, "foo_1", and simply themes the username, for example, as "foo".
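The bookkeeping described above can be modelled in a few lines of standalone PHP. This is an added example, not code from the XC Authentication module: the class, its methods, the authentication type names and the suffixing scheme are all assumptions. It shows why the lookup key has to be the pair of authentication type and remote username, and that a remote user whose real name is already "foo_1" still receives a distinct internal name.

```php
<?php
// Added illustration, not XC Authentication code; every name here is hypothetical.
final class VirtualAccountRegistry
{
    private $virtual = [];      // "authType\0remoteName" => Drupal uid
    private $internalName = []; // uid => unique Drupal username
    private $displayName = [];  // uid => themed username shown to users
    private $nextUid = 1;

    // Return the Drupal uid for a remotely authenticated user, creating the
    // Drupal account the first time this virtual account is seen.
    public function login(string $authType, string $remoteName): int
    {
        // Identity is the (authentication type, remote username) pair. Keying on
        // the bare username would merge "foo" from two unrelated remote systems.
        $key = $authType . "\0" . $remoteName;
        if (!isset($this->virtual[$key])) {
            $uid = $this->nextUid++;
            $this->internalName[$uid] = $this->uniqueName($remoteName);
            $this->displayName[$uid] = $remoteName;
            $this->virtual[$key] = $uid;
        }
        return $this->virtual[$key];
    }

    // Assumed scheme: append _1, _2, ... until the internal name is unused.
    private function uniqueName(string $base): string
    {
        for ($name = $base, $i = 1; in_array($name, $this->internalName, true); $i++) {
            $name = $base . '_' . $i;
        }
        return $name;
    }

    // [internal username, displayed username] for a Drupal uid.
    public function names(int $uid): array
    {
        return [$this->internalName[$uid], $this->displayName[$uid]];
    }
}

// Constructed sample: two authentication types whose systems both have "foo",
// and a remote user whose real name looks like a generated one.
$reg = new VirtualAccountRegistry();
$main = $reg->login('ncip_main_library', 'foo');
$law  = $reg->login('ncip_law_library', 'foo');
$odd  = $reg->login('ncip_law_library', 'foo_1');
var_dump($main !== $law, $reg->login('ncip_main_library', 'foo') === $main);
print_r([$reg->names($main), $reg->names($law), $reg->names($odd)]);
```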

Login forms
After creating authentication types, login forms must be created to allow users to authenticate. These forms are created as Drupal blocks and can be placed anywhere in a theme. The forms:

  • handle login, logout, and in some situations adding information during user registration
  • can automatically create Drupal accounts for users authenticating with remote authentication systems for the first time

There are three types of login forms.

  • Automatic Login Forms: provide login to one out of a set of multiple remote authentication systems using one login form. On the first successful authentication, the user is logged into the associated Drupal account, or a new Drupal account is created if none exists.
  • Single Login Forms: provide login to one remote authentication system using one login form. On a successful authentication, the user is logged into the associated Drupal account, or a new Drupal account is created if none exists.
  • Multiple Login Forms: provide login to multiple out of a set of multiple remote authentication systems using multiple login forms; each login form provides the same functionality as a single login form.
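How types, methods and credentials fit together behind an automatic login form, as an added standalone PHP example that is not the module's own code: the array layout, the function name `automatic_login`, the stub method and the sample users are assumptions and do not reflect the module's real API or hooks. The credential only validates the form inputs, the method function does the authentication, and the form returns the first authentication type that accepts the login.

```php
<?php
// Added illustration, not XC Authentication code; all names and data are hypothetical.

// Credentials define and validate login form inputs; they never authenticate.
$credentials = [
    'username_password' => function (array $in): bool {
        return is_string($in['username'] ?? null) && $in['username'] !== ''
            && is_string($in['password'] ?? null) && $in['password'] !== '';
    },
];

// A method names the one credential kind it supports and its method function.
// This stub checks constructed data; a real method would query the remote system.
$methods = [
    'stub_remote' => [
        'credential' => 'username_password',
        'authenticate' => function (array $props, array $in): bool {
            $expected = $props['users'][$in['username']] ?? null;
            return $expected !== null && hash_equals($expected, $in['password']);
        },
    ],
];

// An authentication type is a method plus the properties an administrator set.
$types = [
    'main_library' => ['method' => 'stub_remote', 'users' => ['foo' => 'pw-main']],
    'law_library'  => ['method' => 'stub_remote', 'users' => ['foo' => 'pw-law']],
];

// Automatic login form: try each type in order; the first success decides.
function automatic_login(array $types, array $methods, array $credentials, array $in): ?string
{
    foreach ($types as $typeName => $props) {
        $method = $methods[$props['method']];
        if (!$credentials[$method['credential']]($in)) {
            continue; // invalid inputs are never passed to the method function
        }
        if ($method['authenticate']($props, $in)) {
            return $typeName; // (type, username) then identifies the virtual account
        }
    }
    return null;
}

$tries = ['pw-law', 'wrong', ''];
foreach ($tries as $pw) {
    var_dump(automatic_login($types, $methods, $credentials, ['username' => 'foo', 'password' => $pw]));
}
```

In this model the submitted inputs are offered to each configured type until one accepts, so the order of the types determines which system answers first.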

APIs and custom hooks
The XC Authentication module provides an API and related custom hooks for other modules to implement features, such as creating authentication methods and credentials and the forms for each. See the XC NCIP Provider module for examples. In addition, the module implements hooks provided by the XC Account module, mainly the login and account information hooks, for each authentication method. This allows the XC Authentication module to pass in additional parameters that would not be passed by the XC Account hooks.