[ User authentication by remote identity providers ]
- Adding an AuthenticationMethod class to offer custom methods of authentication from remote identity providers.
[ Database changes ]
- Adding a new table users_auth. Schema is identical to the Zed implementation.
+---------+-----------+---------------+-----------------+---------+
| auth_id | auth_type | auth_identity | auth_properties | user_id |
+---------+-----------+---------------+-----------------+---------+
auth_type matches the AuthenticationMethod::$id property, auth_id is the primary key.
auth_identity matches the AuthenticationMethod::$remoteUserId property.
auth_properties can hold extra authentication information. For example, if you implement a Yubikey authentication method, you can store the validation server as a property, and leave it blank to use YubiCloud.
A user is considered authenticated and matched to a local user when the auth_type and auth_identity fields both match the information received from the remote identity provider.
[ Core libraries changes ]
- Adding a Permission class with getResourceTypeLetterFromCode and getResourceTypeCodeFromLetter methods to convert between the two resource type notations, W <--> workspace.
- Adding an ObjectDeserializableWithContext interface. This interface is similar to ObjectDeserializable, but requires a context to deserialize the object. It is implemented by WorkspaceConfiguration, which needs to set the context property of the AuthenticationMethod classes.
- To optimize User loading, instances are stored in a hashtable so they can be retrieved later during the execution. For example, when a remote identity provider authentication method is used by a user for the first time, we try to match the remote and local e-mails to see whether the user already exists. Doing so queries the users table; the hashtable avoids querying it again to fill the context.
[ User actions changes ]
- Fixing typo in GivePermissionUserAction exceptions
- Fixing bug in GivePermissionUserAction serialization code: the class uses the letter resource notation (e.g. 'W'), while the JSON documents use the full resource type in lowercase notation (e.g. 'workspace'). Cf. the new Permission class.
[ Workspace changes ]
- WorkspaceConfiguration now implements ObjectDeserializableWithContext
- Fixing bug: initialize WorkspaceConfiguration::$authenticationMethods array
[ Controllers change ]
- The anonymous controller initializes authentication method related resources when the user has to login.
- Reordering the index.php entry point's operations, to be sure each new component has access to the resources it needs, like l10n and context.
- The login/logout code checks for the existence of an authenticationMethodId URL parameter. If found, the handleRequest method of the relevant AuthenticationMethod class is called. This allows remote identity provider helper classes to have their own logic (like an OpenID check).
- Fixing bug: loads the controller configuration after workspace autoselect.
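The following is an added illustration of two points above: the users_auth matching rule from the Database changes section (auth_type and auth_identity must both match, with the first-use e-mail matching and the User hashtable from the core libraries section) and the authenticationMethodId dispatch to handleRequest. It is not the project's PHP code. The users_auth columns follow the changelog; everything else (class, method and parameter names, the users table, the UNIQUE constraint, the "e-mail verified" requirement before linking, and the mapping of outcomes to the L10n keys) is the example's own assumption.

```python
# Added illustration, not the project's PHP code. Only the users_auth column
# layout comes from the changelog; all other names and rules are assumptions.
import sqlite3
from dataclasses import dataclass, field
from typing import Optional

SCHEMA = """
CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    email    TEXT NOT NULL UNIQUE
);
CREATE TABLE users_auth (
    auth_id         INTEGER PRIMARY KEY,
    auth_type       TEXT NOT NULL,   -- AuthenticationMethod::$id
    auth_identity   TEXT NOT NULL,   -- AuthenticationMethod::$remoteUserId
    auth_properties TEXT,            -- e.g. a Yubikey validation server, NULL = default
    user_id         INTEGER NOT NULL REFERENCES users(user_id),
    UNIQUE (auth_type, auth_identity)  -- assumption: one local user per remote identity
);
"""


@dataclass
class AuthenticationMethod:
    """Model of the changelog's AuthenticationMethod: $id, $remoteUserId, context."""
    id: str
    context: dict = field(default_factory=dict)
    remote_user_id: Optional[str] = None
    remote_email: Optional[str] = None
    email_verified: bool = False

    def handle_request(self, reply: dict) -> None:
        """Check the provider's reply. A real method would verify a signature or
        run an OpenID check here; this stub only checks issuer and shape."""
        if reply.get("issuer") != self.context.get("issuer") or "sub" not in reply:
            raise ValueError("ExternalLoginNotLegitReply")
        self.remote_user_id = reply["sub"]
        self.remote_email = reply.get("email")
        self.email_verified = bool(reply.get("email_verified", False))


class UserRepository:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self.cache: dict = {}  # hashtable of already-loaded users

    def get_user(self, user_id: int) -> Optional[tuple]:
        if user_id not in self.cache:  # query the users table at most once per user
            self.cache[user_id] = self.conn.execute(
                "SELECT user_id, username, email FROM users WHERE user_id = ?",
                (user_id,)).fetchone()
        return self.cache[user_id]

    def find_by_remote_identity(self, m: AuthenticationMethod) -> Optional[tuple]:
        """The changelog's rule: auth_type AND auth_identity must both match."""
        row = self.conn.execute(
            "SELECT user_id FROM users_auth WHERE auth_type = ? AND auth_identity = ?",
            (m.id, m.remote_user_id)).fetchone()
        return self.get_user(row[0]) if row else None

    def link_by_email(self, m: AuthenticationMethod) -> Optional[tuple]:
        """First use of a remote method: match remote and local e-mails and record
        the link. Assumption added here: only an address the provider vouches for
        is accepted, otherwise a provider that lets users type any e-mail could
        claim an existing local account."""
        if not (m.remote_email and m.email_verified):
            return None
        row = self.conn.execute("SELECT user_id FROM users WHERE email = ?",
                                (m.remote_email,)).fetchone()
        if row is None:
            return None
        self.conn.execute(
            "INSERT INTO users_auth (auth_type, auth_identity, user_id) VALUES (?, ?, ?)",
            (m.id, m.remote_user_id, row[0]))
        return self.get_user(row[0])


def login(params: dict, workspace_methods: dict, repo: UserRepository) -> tuple:
    """Without authenticationMethodId the internal login box applies; with it, the
    method is looked up in the workspace configuration (never built from the raw
    parameter) and its handle_request runs before the users_auth match."""
    method_id = params.get("authenticationMethodId")
    if method_id is None:
        return ("internal", None)
    method = workspace_methods.get(method_id)
    if method is None:
        return ("ExternalLoginTechnicalDifficulty", None)
    try:
        method.handle_request(params.get("reply", {}))
    except ValueError as exc:
        return (str(exc), None)
    user = repo.find_by_remote_identity(method) or repo.link_by_email(method)
    return ("ok", user) if user else ("ExternalLoginCantCreateAccount", None)


def demo() -> list:
    """Constructed sample data: one local user and one configured remote method."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.org')")
    repo = UserRepository(conn)
    methods = {"acme-openid": AuthenticationMethod("acme-openid", {"issuer": "https://idp.example"})}
    ok = {"issuer": "https://idp.example", "sub": "u-42",
          "email": "alice@example.org", "email_verified": True}
    return [
        login({}, methods, repo),                                                # internal box
        login({"authenticationMethodId": "evil", "reply": ok}, methods, repo),   # not configured
        login({"authenticationMethodId": "acme-openid", "reply": {"sub": "x"}}, methods, repo),
        login({"authenticationMethodId": "acme-openid", "reply": ok}, methods, repo),  # first use
        login({"authenticationMethodId": "acme-openid",
               "reply": dict(ok, email="bob@example.org")}, methods, repo),      # users_auth hit
        login({"authenticationMethodId": "acme-openid",
               "reply": dict(ok, sub="u-99", email_verified=False)}, methods, repo),  # refused
    ]
```

The fifth call succeeds even though the e-mail changed, because the (auth_type, auth_identity) pair is now in users_auth and the e-mail is only consulted on first use; the sixth is refused because an unverified address is never used to claim a local account.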
[ Views ]
- header.tpl includes the workspace name in the logout code.
- login.tpl includes the workspace name in the page title and uses it as the product name.
- login.tpl no longer prints the internal login box when it is disabled by the workspace configuration, and prints links to the other available ways to authenticate.
[ L10n ]
- New entries: ExternalLogin, SignIn, ExternalLoginNotRemotelyLoggedIn, ExternalLoginNotLegitReply, ExternalLoginCantCreateAccount, ExternalLoginTechnicalDifficulty.
- Removing the duplicate Logout entry from the fr and en files.