Swag Portal: More flexible authentication options

[usernamenumber]

swagportal currently uses PAM to authenticate, which means all users must have accounts recognized by the OS on the Linux server where the portal is hosted. It would be nice to be able to offer alternatives like social media login, oAuth, etc.

Options for doing this include:

• Expanding the existing PHP-based portal to incorporate PHP-based auth libraries. A quick search reviews a few candidates:
  • PHP Native oauth support
  • HybridAuth
• Switch to a framework with built-in (or easily added) support for multiple authentication options
  • Some work has been done on a Django-based portal, but it isn't complete
  • Might be worth considering a lighter-weight framework like Flask

My suggestion: HybridAuth looks promising. It would be great if someone could start by looking into it. Even if we move to something else later, this might be the easiest way to get more flexible auth set up quickly.

[usernamenumber]

Overview of OAuth https://en.wikipedia.org/wiki/OAuth

[limikael]

Ideas around implementing this... The goal for the "authentication" is basically to populate the $_SESSION["username"] variable with something, this is checked in https://github.com/tunapanda/swagportal/blob/master/src/controllers/MainController.php on line 69.

So... One way to do it would be to have a configuration variable in the config.php file that chooses between different configuration options. And there would be 2 options, the current PAM method, and then a new one based on maybe HybridAuth, and the option would select which one should be used...

[usernamenumber]

If we go with HybridAuth, they have an example in their user manual that it looks like we could use to offer both pretty easily. That way, no config tweaking would be needed unless we want to let people explicitly not allow one method or another.

...and actually, looking more closely at that example, I think it's way more than we need. In the example they're actually itegrating social auth into an existing login system. I think if we just did steps 1, 2, and 4 of the linked example, but in step 4 stop at line 52 and simply set $_SESSION["username"] instead of all the database stuff, that should work for our purposes, yes?

[limikael]

Yep, I think HybridAuth is the way to go...

// Micke

On Wed, Apr 22, 2015 at 8:20 PM, Brad Smith notifications@github.com wrote:

...and actually, looking more closely at that example, I think it's way more that we need. In the example they're actually itegrating social auth into an existing login system. All we really need is to present the social auth buttons next to the un/pw prompt, which should be even easier.

— Reply to this email directly or view it on GitHub https://github.com/tunapanda/swagportal/issues/1#issuecomment-95272408.

[limikael]

HybridAuth is implemented!

I only enabled it for Facebook, should we have more from the start?

Someone who would like to test this and we can close the issue?

[usernamenumber]

When I load the login page I see this:

Should there be a Facebook login icon or something?

[usernamenumber]

Ah! Had to enable it in the config file. Ok, now I'm getting this:

Is this something you need to set up on the FB end?

[limikael]

Hm... if you enable it in the config file you should get the facebook login button... As you say, similar to this:

https://github.com/tunapanda/swag/blob/master/config.template.ini

What could be wrong? I added a dependency on:

https://github.com/samcollins/css-social-buttons.git

Maybe you need to update the dependencies?

If not, do you get some errors in the javascript console, php log or are there some network resources it tries to load but can't? (Strange though, there shouldn't be any "invisible" errors, I have tried to make it fail "hard" if there are any problems)

// Micke

On 12 May 2015 17:42, "Brad Smith" notifications@github.com wrote:

Ah! Had to enable it in the config file. Ok, now I'm getting this:

[image: screen shot 2015-05-12 at 11 37 42 am] https://cloud.githubusercontent.com/assets/188349/7591431/d9fba942-f89b-11e4-9f8d-5320ec237eca.png

Is this something you need to set up on the FB end?

— Reply to this email directly or view it on GitHub https://github.com/tunapanda/swag/issues/1#issuecomment-101324894.

[usernamenumber]

This is what you get from responding via email. :P See my follow-up comments.

(I'm assuming you were responding to the lack of a Facebook button, not the error about me not being an authorized test user)

[limikael]

Ah ok...

I made the app live on FB, try now!

[usernamenumber]

Woo! I am logged in. Great work, Micke! :D

I've now got another error (of course), but afaict it's not related to this issue, so I'll make a new one for it: #8.

We may want to keep this issue open until we either get PAM working or get non-FB logins working some other way, though.