Page MenuHomePhabricator

Feature request: Provide a hook point for third party authorization before a user get's logged in
Closed, DeclinedPublic

Description

I am working on MediaWiki-extensions-LDAPAuthorization . The goal is to re-implement functionality that formerly was available through "LdapAuthentication" (by Ryan Lane). One of the features is a group based authorization mechanism during the implicit authentication. For the new "LDAP Stack" I'd like to use "Auth_remoteuser" for the implicit authentication. Unfortunately I need a way to check for the users authorization too. And in case the user is not authorized, I need to stop the implicit login. This hook point should only be called once per user session, as authorization logic will do some requests to a remote resource.

I've already implemented a little patch for this [1]. But I'd like to hear your opinion and advice.

[1] https://gerrit.wikimedia.org/r/#/c/mediawiki/extensions/Auth_remoteuser/+/458730

Details

Related Gerrit Patches:
mediawiki/extensions/Auth_remoteuser : masterProvide a hook point to allow authorization

Event Timeline

Osnard created this task.Sep 7 2018, 8:41 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 7 2018, 8:41 AM

Change 458730 had a related patch set uploaded (by Robert Vogel; owner: Robert Vogel):
[mediawiki/extensions/Auth_remoteuser@master] Provide a hook point to allow authorization

https://gerrit.wikimedia.org/r/458730

Osnard updated the task description. (Show Details)Sep 7 2018, 8:42 AM
Revansx added a subscriber: Revansx.Sep 7 2018, 3:20 PM

Question -- My private enterprise wiki uses Auth_RremoteUser to provide user authentication and autologin from properties found in an immutable session provided by a Remote SSO provider. Does this mod offer me any new capabilities that I can take advantage of?

Osnard added a comment.EditedSep 10 2018, 7:24 AM

This modification would enable you to do some extra authorization checks (e.g. "A user is authenticated by the SSO provider, but as he belongs to the group 'NoWikiAccess' in the customer Database he may not be logged in") and maybe abort the implicit login process.

@Enst80 Do you think this can be implemented?

Osnard added a comment.Oct 9 2018, 5:55 AM

@Enst80 Is there anything I can do to help here?

Hi, i'm back from vacation and parental leave right after. Sorry for the delay ;-)

Thank you @Osnard for your patch. I'll have a look at it (and test it in my vagrant environment) next week.

@Enst80 , I'd like to kindly remind you of this topic. Sorry for bothering.

I now might have found a different solution to my problem: In the official documentation (https://www.mediawiki.org/wiki/Extension:Auth_remoteuser#Parameters), example 6 of $wgAuthRemoteuserUserName shows what I intend to do:

$wgAuthRemoteuserUserName = function() {
    $credentials = explode( ':', $_SERVER[ 'HTTP_AUTHORIZATION' ] );
    $username = $credentials[0];
    $password = $credentials[1];
    return MyOwnAuthorizer::authenticate( $username, $password ) ? $username : '';
};

I need to check against an LDAP resource whether or not the incoming user is in certain required groups. Now unfortunately this callback is evaluated very often (on every request), which means that my LDAP lookup would also be executed very often. But that is expensive. This is why I propose the change from the provided patch. Such a hook would only be called once in a session lifespan.

For now, I have implemented my authorization check in the way it is recommended in example 6. I also cache the results of my LDAP lookup. So my use case could actually be satisfied without the new hook. What do you think, is it still worth it?

Change 458730 had a related patch set uploaded (by Robert Vogel; owner: Robert Vogel):
[mediawiki/extensions/Auth_remoteuser@master] Provide a hook point to allow authorization

https://gerrit.wikimedia.org/r/458730

Change 458730 abandoned by Robert Vogel:
Provide a hook point to allow authorization

Reason:
Nevermind. Found different solution.

https://gerrit.wikimedia.org/r/458730

Osnard closed this task as Declined.Oct 25 2019, 12:01 PM