By carlmcdade on

The first and foremost problem with Distributed Authentication (DA) in Drupal is that there is no findable user or code documentation of it anywhere. A drupal.org search produces virtually no hits. A look through www.drupaldocs.org produces nothing because the functions associated with it are unknown. Looking through the handbook there are no topics concerning it. Some other questions and problems:

Where are the drupalids stored? When are they created? how are conflicts resolved?

Can drupalids be manipulated? ex. can a myname@www.site.com/folder be changed to myname@www.site.com?

What is the criteria for DA to work? There always seems to be a problem with using logins between sites. Like at the moment drupal.org users can use there drupalid on my site but my site users cannot use their drupalid on drupal .org

What modules are responsible for DA. Looking at the drupal module it seems that it is has dependacies that are undocumented. What RSS feeds and modules does DA use?

Is DA effected by SSL? (Topic for another thread but is anyone using SSL and Drupal?)

Spaces in usernames is still a problem. There is no warning message for spaces and there is no default repair or removall of the spacing. The email with a username with a space in it is sent out with a truncated drupalid and link.

Is there a flowchart of the Distrubuted Authenication process somewhere from the time of its development?

Comments

rivena’s picture

rivena commented

I dunno if this helps, but I pulled this from the admin/help in 4.6:

-------------------
Distributed authentication

One of the more tedious moments in visiting a new website is filling out the registration form. The reg form provides helpful information to the website owner, but not much value for the user. The value for the end user is usually the ability to post a messages or receive personalized news, etc. Distributed authentication (DA) gives the user what they want without having to fill out the reg form. Removing this obstacle yields more registered and active users for the website.

DA enables a new user to input a username and password into the login box and immediately be recognized, even if that user never registered on your site. This works because Drupal knows how to communicate with external registration databases. For example, lets say that your new user 'Joe' is already a registered member of Delphi Forums. If your Drupal has the delphi module installed, then Drupal will inform Joe on the registration and login screens that he may login with his Delphi ID instead of registering with your Drupal instance. Joe likes that idea, and logs in with a username of joe@remote.delphiforums.com and his usual Delphi password. Drupal then communicates with remote.delphiforums.com (usually using XML, HTTP-POST, or SOAP) behind the scenes and asks "is this password for username=joe?" If Delphi replies yes, then Drupal will create a new local account for joe and log joe into it. Joe may keep on logging into your Drupal instance in the same manner, and he will be logged into the same joe@remote.delphiforums.com account.

One key element of DA is the 'authmap' table, which maps a user's authname (e.g. joe@remote.delphiforums.com) to his local UID (i.e. user identification number). This map is checked whenever a user successfully logs into an external authentication source. Once Drupal knows that the current user is definitely joe@remote.delphiforums.com (because Delphi says so), he looks up Joe's UID and logs Joe into that account.

To disable distributed authentication, simply disable or remove all DA modules. For a virgin install, that means removing/disabling the jabber module and the drupal module.
-------------------

Anisa.

------------------------------------------
www.animecards.org

14,702 card scans and counting!
------------------------------------------

carlmcdade’s picture

carlmcdade commented

Yeah, all searchs lead to that text. It is old though and there is no complemting information on the system presently used. I started to study Jabber when I came upon the fact that they existed at the same time and the Drupal DA was a different implementation. The jabber module does not exist anylonger and the Drupal DA code is not concentrated in the drupal module. There is also no indicators in the database as to where or how the drupalid is stored.

I have not been able to trace the drupalid that is put in the confirmation email to anything tangible either.

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

rivena’s picture

rivena commented

Is it that old? Ha! I knew it.

Though that doesn't help you. :) If you find any good info, please let me know. Why not contact the authors of the livejournal module?

Anisa.

------------------------------------------
www.animecards.org

14,702 card scans and counting!
------------------------------------------

carlmcdade’s picture

carlmcdade commented

I'll have to turn this off. Anything that is so ingrained into the system but has no documentation is a big security risk.

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

javanaut’s picture

javanaut commented

I'm discussing redesigning the Distributed Authentication system here:

http://drupal.org/node/19113

It goes into a lot of the details of the current (4.5.x) system. I don't think it changed much between 4.5.x and 4.6.

kees’s picture

kees commented

I happen to be in somewhat the same situation and I did not have any problems finding the information that I was looking for. The API doc on drupaldocs.org documents the authentication hook and should provide a starting point.

What basically happens is this:

Create your own module and hake a function yourmodule_auth($username, $password, $server) in which you do your magic. Return false if you dont see a reason to authenticat the user (note that other modules still might!) or true of you decide that his credentials are valid.

For example, the following code fragment might illustrate a bit.

define('MYSERVER', 'leune.org');
function my_auth($username, $password, $server) {
    if ($server != MYSERVER) return false;

    $authenticated = my_fancy_authentication_function($user, $password);
    if ($authenticated) return true;
    return false;
}

Drupal then creates a new user account for username@server and adds an entry in the authmap table , which is pretty straightforward. From then on, a new drupal user exists, but authentication is handled by your module.

To answer your questions:

Where are the drupalids stored? When are they created? how are conflicts resolved?

- drupalids are stored in the database. That's really all you should know, but they are in the users table.

- They are created when you first authenticate with an external user.

- There are no conflicts, since the new username will contain @server.


What is the criteria for DA to work? There always seems to be a problem with using logins between sites. Like at the moment drupal.org users can use there drupalid on my site but my site users cannot use their drupalid on drupal .org

Distributed authentication is not symmetric; i.e. if two sites A and B want to authenticate eachother's users, both need to implement an external authentication.

What modules are responsible for DA.

I dont know; I use my own module for that; however the drupal module comes to mind. I also read something about a jabber module a while back.

Is DA effected by SSL?

It shouldn't. Drupal is a PHP application, and PHP knows nothing of the underlaying transport mechanism.

Hope I interpreted your questions correctly and gave a somewhat useful response.

carlmcdade’s picture

carlmcdade commented

A good starting point. But I still have a question about the storage of the drupalID. Exactly where in the database is it stored and how is it stored? Can I manipulate it?

I will take your advise and start mapping my own flowcharts of the user authentication process.

I am looking at sxip and shareID also because as you mentioned the mutual trust authentication is not there. I will need this later on.

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

kees’s picture

kees commented

I'm not entirely sure what you mean by drupalID; are you referring to the username in the format kees@drupal.org ? That is stored in the authmap table, which contains the columns aid, uid, authname and module. aid is the authentication id (a number), uid is the drupal user ID (a number), authname is the username, including server (a string, like kees@drupal.org) and module is the name of the module that authenticated the user.

The uid and the authname is duplicated in the users table's columns uid and name (why twice?)

To find out more info, just log on to your database and query it with SQL statements like

SELECT * FROM authmap;

or

SELECT * FROM users;

or even fancier

SELECT * FROM authmap a, users u where a.uid = i.uid;

You also asked

Can I manipulate it?

Well; yes, of course. However, I would strongly recommend AGAINST manipulating any tables of which you are not the 'owner'. Not doing so is good programming practice and will prevent loads of headache in the future.

-kees

carlmcdade’s picture

carlmcdade commented

That is the reciprocal site login. I mean the login that is created when a new user is created on the originating site. Example I have a new user named t@www.hivemindz.com/hm which is wrong because the name was created with a space. This name appears in the confirmation email but I cannot find it in any db table Where is this stored? Or is it recreated on demand like when a user tries to login on to a trusted site?

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

kees’s picture

kees commented

Let's do a scenario; maybe that will help me understand the problem. There are two sites: site-a.com and site-b.com. A user john on site a tries to log in to site b and uses john@site-a.com.

The database of site-b is now updated with

a) a new user 'john@site-a.com'
b) an authmap entry

The database of site-a does not change.

Is this what you are looking for?

carlmcdade’s picture

carlmcdade commented

Good idea.

Nope, I am looking for:

1) john@site-a.com database entry to site-a.com so that I can change it to fix the fact that john has mistakenly entered 'john john' as user name and now has to use john@site-a.com as a drupaid. This is because the space bug or fix creates a username with a space when it should not. This is also where conlflicts arise. 'big john' and 'john john' would recieve the same drupalid because of the space but they would not conflict on the username.

2) or the point in the code that the login john@site-a.com is created at site-a. So that I can fix the code so that this does not happen again and warn the user for trying to create a username in the wrong format.

3) the point in the code at site-a.com that responds to the attempted login at site-b.com using john@site-a.com so that site-a.com code can be fixed not to try and hand out information on a username with a space in it (or find one using a db query)

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

kees’s picture

kees commented

1) john@site-a.com database entry to site-a.com so that I can change it to fix

select uid,name from users where name like '% %'

that will return the userid that you are looking for, say 13

update users set name='john@site-a.com' where uid=13;
update authmap set authname='john@site-a.com' where uid=13;

2) or the point in the code that the login john@site-a.com is...

modules/user.module line 857 (in the 4.5.2 release version) starts the block where new external users are created.

3) the point in the code at site-a.com ....

that's module dependent.

-Kees
PS: If I am wrong in any of this, feel free to jump in!

carlmcdade’s picture

carlmcdade commented

Okay, now we are at the point that I got stuck. I am the owner of site-a.com and my authmap table only shows the logins from site-b.com not the outgoing john@site-a.com.

So if I take 'john john' and change it to 'johnjohn' will this users drupalid be corrected as johnjohn@site-a.com when site-b.com calls for the information? or is it more complicated than that?
---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

kees’s picture

kees commented

That should be it!

carlmcdade’s picture

carlmcdade commented

Thanks, I happened to think also that this could have been avoided if Drupal had realname and alias when creating a user. I have not tested it but I get the feeling that extended charactersets might be a problem in usernames. Something like 'björn@drupal.org' might not do well as a drupal id because all dbs and server settings are not the same. But Björn should be allowed as an alias (screen name) and stored in the db as character entities. But this is a topic for another thread.

---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia

moshe weitzman’s picture

moshe weitzman commented

carl - are you volunteering to enhance the documentation once these answers are provided? anyone else?

carlmcdade’s picture

carlmcdade commented

I am not sure how that would work. The answers would be documented on the site as soon as they are provided. But if you mean do a write up so that the answers are understandable by a wider audience, sure.

Where would this information be archived? the Handbook? API docs?
---------------------------
Hivemindz CMSopedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia