Index: openacs-4/packages/acs-core-docs/www/ext-auth-requirements.adp =================================================================== RCS file: /usr/local/cvsroot/openacs-4/packages/acs-core-docs/www/ext-auth-requirements.adp,v diff -u -r1.6 -r1.7 --- openacs-4/packages/acs-core-docs/www/ext-auth-requirements.adp 25 Apr 2018 08:38:27 -0000 1.6 +++ openacs-4/packages/acs-core-docs/www/ext-auth-requirements.adp 3 Sep 2024 15:37:32 -0000 1.7 @@ -1,7 +1,11 @@ -{/doc/acs-core-docs {ACS Core Documentation}} {External Authentication Requirements} +{/doc/acs-core-docs/ {ACS Core Documentation}} {External Authentication Requirements} External Authentication Requirements + External Authentication Requirements

-Vision

People have plenty of usernames and passwords already, we +Vision

People have plenty of usernames and passwords already, we don't want them to have yet another. We want people to be able to log in to OpenACS with the same password they use to log in to any other system.

Besides, administrators have better things to do than create @@ -74,83 +78,43 @@

Requirements

-New API

-
-
-New -API: EXT-AUTH-01
-: -A
-: -Extend Authentication/Acct Status API
-
-
-New -API: EXT-AUTH-03
-: -A
-: -Account Creation API
-
-
-New -API: EXT-AUTH-05
-: -A
-: -Password Management API
-
-
-New -API: EXT-AUTH-30
-: -A
-: -Authority Management API
-
-
+New API
+ + + + + + + + + + + + + +
FeatureStatusDescription
New API
EXT-AUTH-01AExtend Authentication/Acct Status API
EXT-AUTH-03AAccount Creation API
EXT-AUTH-05APassword Management API
EXT-AUTH-30AAuthority Management API

-Login

-
-
-Login: EXT-AUTH-04
-: -A
-: -Rewrite login, register, and admin pages to use APIs
-
-
-Login: EXT-AUTH-38
-: -A
-: -ad_form complain feature
-
-
-Login: EXT-AUTH-19
-: -A
-: -Rewrite password recovery to use API
-
-
-Login: EXT-AUTH-21
-: -A
-: -Rewrite email verification with API
-
-
-Login: EXT-AUTH-28
-: -A
-: -Username is email switch
-
-

Users will log in using a username, a authority, and a password. -The authority is the source for user/password verification. OpenACS -can be an authority itself.

Each user in OpenACS will belong to exactly one authority, which +Login

+ + + + + + + + + + + + + + + +
FeatureStatusDescription
Login
EXT-AUTH-04ARewrite login, register, and admin pages to use +APIs
EXT-AUTH-38Aad_form complain feature
EXT-AUTH-19ARewrite password recovery to use API
EXT-AUTH-21ARewrite email verification with API
EXT-AUTH-28AUsername is email switch

Users will log in using a username, an authority, and a +password. The authority is the source for user/password +verification. OpenACS can be an authority itself.

Each user in OpenACS will belong to exactly one authority, which can either be the "local" OpenACS users table, in which case the password column is used, or it can be some external authority, which will be communicated with using some protocol, as @@ -176,14 +140,13 @@ the authority drop-down element at all.

-Configuration

-
-Configuration: EXT-AUTH-07
-: -A
-: -Admin pages to control Ext-Auth parameters
-

The site-wide systems administrator can configure the +Configuration

+ + + + + +
FeatureStatusDescription
Configuration
EXT-AUTH-07AAdmin pages to control Ext-Auth parameters

The site-wide systems administrator can configure the authentication process from a page linked under /acs-admin.

  • Authorities - ordered list of authorities defined

  • Account Registration Allowed: Yes/No. Account registration can be disabled altogether.

  • Registration authority - the authority in which accounts should @@ -194,47 +157,31 @@ and is primarily meant for backwards compatibility with the old OpenACS login process.

The local authority driver is an encapsulation of current -functionality within an driver matching a service contract. The +functionality within a driver matching a service contract. The other drivers call external functions. The possible functions for each authority are split into several drivers for convenience. One driver handles authentication, one account creation, and one -changing passwords.

-
-
-create service -contract: EXT-AUTH-16
-: -A
-: -Create service contract for Authentication
-
-
-create service -contract: EXT-AUTH-17
-: -A
-: -Create service contract for Acct. Creation
-
-
-create service -contract: EXT-AUTH-29
-: -A
-: -Create service contract for Passwd Management
-
-
-
-: -EXT-AUTH-18
-: -A
-: -Authority configuration data model
-

Each authority is defined like this:

    +changing passwords.

    + + + + + + + + + + + +
    FeatureStatusDescription
    create service contract
    EXT-AUTH-16ACreate service contract for Authentication
    EXT-AUTH-17ACreate service contract for Acct. Creation
    EXT-AUTH-29ACreate service contract for Passwd Management
    + + + + + +
    FeatureStatusDescription
    EXT-AUTH-18AAuthority configuration data model

    Each authority is defined like this:

    • Authority pretty-name, e.g. "URZ"

    • Authentication Driver, e.g. "RADIUS". In practice, -this would be a reference to a service contract implementation.

    • Authentication Driver configuration settings, e.g. host name, +this would be a reference to a service contract implementation.

    • Authentication Driver configuration settings, e.g. hostname, port, etc., as required by the particular driver. Note that this is per authority, not per driver, i.e., you can have multiple authorities with the same driver but different configuration @@ -248,7 +195,7 @@ this would be a reference to a service contract implementation. The reason we have separate drivers for authentication and account creation is that organizations are likely to have a home-grown -account registration process.

    • Account Creation Driver configuration settings, e.g. host name, +account registration process.

    • Account Creation Driver configuration settings, e.g. hostname, port, etc., as required by the particular driver. Note that this is per authority, not per driver, i.e., you can have multiple authorities with the same driver but different configuration @@ -264,53 +211,27 @@ to access these settings.

      OpenACS will come pre-configured with one authority, which is the "local" authority, meaning we'll authenticate as normal using the local users table. This will, just like any other -authority, be implemetned using a service contract.

      +authority, be implemented using a service contract.

    Synchronizing and Linking -Users

    -
    -
    -Synchronizing and -linking users: EXT-AUTH-28
    -: -A
    -: -Create service contract for Batch Sync.
    -
    -
    -Synchronizing and -linking users: EXT-AUTH-38
    -: -A
    -: -Batch User Synchronization API
    -
    -
    -Synchronizing and -linking users: EXT-AUTH-38
    -: -A
    -: -IMS Synchronization driver
    -
    -
    -Synchronizing and -linking users: EXT-AUTH-08
    -: -A
    -: -Automation of batch Synchronization
    -
    -
    -Synchronizing and -linking users: EXT-AUTH-15
    -: -B
    -: -On-demand synchronization
    -
    -

    Regardless of the login method, the user needs to have a row in +Users

+ + + + + + + + + + + + + + + +
FeatureStatusDescription
Synchronizing and linking users
EXT-AUTH-28ACreate service contract for Batch Sync.
EXT-AUTH-38ABatch User Synchronization API
EXT-AUTH-38AIMS Synchronization driver
EXT-AUTH-08AAutomation of batch Synchronization
EXT-AUTH-15BOn-demand synchronization

Regardless of the login method, the user needs to have a row in the OpenACS users table. This can happen through a batch job, in real-time, or both in combination. We use the IMS Enterprise 1.1 specification.

Batch job means that we do a synchronization (import new users, modify changed, purge deleted) on a regular interval, e.g. every @@ -343,14 +264,13 @@ same person. We'd still have a problem if there was an email conflict between two accounts on the same authority. Hm. I don't think it's worth spending too much time trying to -solve this problem through software.

-
-EXT-AUTH-31: EXT-AUTH-31
-: -A
-: -Upgrade user data model for ext-auth
-

After having authenticated using the relevant authority driver, +solve this problem through software.

+ + + + + +
FeatureStatusDescription
EXT-AUTH-31
EXT-AUTH-31AUpgrade user data model for ext-auth

After having authenticated using the relevant authority driver, we'll look for the username/authority pair in the users table.

If we don't find any, that means that we're either not doing batch synchronizing, or that the user has been added since @@ -367,7 +287,7 @@ Account Registration

If a user doesn't have an account, the site-wide configuration can allow the user to register for one, as defined in the configuration discussed above. This section is about normal -account registration through a authority driver.

The account creation service contract implementation will need +account registration through an authority driver.

The account creation service contract implementation will need to tell us which information to ask the user for:

  • Required Fields: A list of fields which are required.

  • Optional Fields: A list of fields which are optional.

The fields to choose from are these:

    @@ -394,14 +314,13 @@ desires to change password.

-Login Pages Over HTTPS

-
-EXT-AUTH-20: EXT-AUTH-20
-: -A
-: -Login over HTTPS
-

Login pages must be able to be sent over a secure connection +Login Pages Over HTTPS

+ + + + + +
FeatureStatusDescription
EXT-AUTH-20
EXT-AUTH-20ALogin over HTTPS

Login pages must be able to be sent over a secure connection (https), so your password won't get sent over the wire in cleartext, while leaving the rest of the site non-secure (http). I believe that this requires some (minor) changes to the current @@ -428,14 +347,13 @@ we're messing with this part of the codebase anyway.

Recommended: -Untrusted Logins and Login Levels

-
-EXT-AUTH-33: EXT-AUTH-33
-: -A
-: -Untrusted Logins
-

I like the idea of having multiple login levels:

    +Untrusted Logins and Login Levels
+ + + + + +
FeatureStatusDescription
EXT-AUTH-33
EXT-AUTH-33AUntrusted Logins

I like the idea of having multiple login levels:

  1. Not logged-in

  2. Untrusted login: We'll show you un-sensitive personal content, but won't let you modify anything or see personal data. A normal login becomes untrusted after a certain amount of @@ -469,20 +387,19 @@ mode.

    Similarly, ad_conn user_id will continue to return 0 (not logged-in) when the user is only logged-in untrusted, and we'll supply another variable, -ad_conn untrusted_user_id, which wlll +ad_conn untrusted_user_id, which will be set to the user_id for all login levels.

    This should ensure that we get full access to the new feature, while leaving all current code just as secure as it was before.

Recommended: Make -Non-Persistent Login Work

-
-EXT-AUTH-34: EXT-AUTH-34
-: -A
-: -Expire Logins
-

Currently, OpenACS is unusable in practice without persistent +Non-Persistent Login Work

+ + + + + +
FeatureStatusDescription
EXT-AUTH-34
EXT-AUTH-34AExpire Logins

Currently, OpenACS is unusable in practice without persistent login. The login will expire after just a few minutes of inactivity, and you'll get bounced to the login page where you have to enter both email and password again. Unacceptable in @@ -496,12 +413,13 @@ current session handling code.

-Recommended: Single-Sign-On

-
-EXT-AUTH-23: EXT-AUTH-23
:
-: -Single sign-on
-

Instead of redirecting to the login page, auth::require_login +Recommended: Single-Sign-On

+ + + + + +
FeatureStatusDescription
EXT-AUTH-23
EXT-AUTH-23Single sign-on

Instead of redirecting to the login page, auth::require_login can redirect to an authentication server, which can redirect back to a page that logs the user in. This should be very easy to implement.

Alternatively, if you want to combine this with fallback to @@ -511,14 +429,13 @@

Recommended: Expire All -Logins

-
-EXT-AUTH-22: EXT-AUTH-22
-: -B
-: -rewrite cookie handling
-

Currently, if you've ever left a permanent login cookie on +Logins

+ + + + + +
FeatureStatusDescription
EXT-AUTH-22
EXT-AUTH-22Brewrite cookie handling

Currently, if you've ever left a permanent login cookie on someone elses machine, that person will be forever logged-in until he/she explicitly logs out. You can change your password, you can do anything you want, but unless a logout is requested from that @@ -537,26 +454,24 @@

Recommended: -Email account owner on password change

-
-EXT-AUTH-24: EXT-AUTH-24
-: -A
-: -Email on password change
-

As an additional security measure, we should email the +Email account owner on password change

+ + + + + +
FeatureStatusDescription
EXT-AUTH-24
EXT-AUTH-24AEmail on password change

As an additional security measure, we should email the account's email address whenever the password is changed, so that he/she is at least alerted to the fact.

-Optional: Password policy

-
-EXT-AUTH-25: EXT-AUTH-25
-: -A
-: -Implement password policy
-

Again, to increase security, we should add password policies, +Optional: Password policy

+ + + + + +
FeatureStatusDescription
EXT-AUTH-25
EXT-AUTH-25AImplement password policy

Again, to increase security, we should add password policies, such as passwords needing to be changed after a certain number of days, change on next login (after a new random password has been generated), or requiring that the password satisfies certain @@ -566,14 +481,13 @@

Optional: Login -Without Explicit Authority

-
-EXT-AUTH-26: EXT-AUTH-26
-: -B
-: -Login without explicit domain
-

In order to make it easier for people, we've been toying +Without Explicit Authority

+ + + + + +
FeatureStatusDescription
EXT-AUTH-26
EXT-AUTH-26BLogin without explicit domain

In order to make it easier for people, we've been toying with the idea of a functionality like this:

  • If the user enters "foobar\@ix.urz.uni-heidelberg.de", it is translated to mean username = "foobar", authority = @@ -596,7 +510,7 @@ in the sort order.

The relevant code in user-login.tcl would look like this:

 if { ![auth::split_username -username_var username -authority_var authority] } {
-    # bounce back to the form with a message saying that the login wasn't valid.
+    # bounce back to the form with a message saying that the login was not valid. 
     ad_script_abort
 }
 
@@ -605,14 +519,13 @@

-Optional: Who's Online

-
-EXT-AUTH-27: EXT-AUTH-27
-: -B
-: -Who's online list
-

While we're touching the session handling code, anyway, it +Optional: Who's Online

+ + + + + +
FeatureStatusDescription
EXT-AUTH-27
EXT-AUTH-27BWho's online list

While we're touching the session handling code, anyway, it would be nice to add a feature to show who's currently online, a nice real-time collaboration feature frequently requested by members of the community. This is particularly interesting when @@ -630,36 +543,31 @@

Optional: -Subsite-level configuration

-
-EXT-AUTH-28: EXT-AUTH-28
:
-: -implement subsite-level config
-

If we want to, we could let subsite administrators configure the +Subsite-level configuration

+ + + + + +
FeatureStatusDescription
EXT-AUTH-28
EXT-AUTH-28implement subsite-level config

If we want to, we could let subsite administrators configure the login process for that particular subsite. This would probably only entail letting the subsite admin leave out certain authorities defined site-wide, and change the sort order.

I think we should leave this out until we have a use case for it, someone who'd need it.

Future: Making -the Authentication API itself a service contract

-
-
-EXT-AUTH-32: EXT-AUTH-32
-: -A
-: -Parameters for Service Contract Implementation
-
-
-EXT-AUTH-32: EXT-AUTH-35
-: -A
-: -Make the Authentication API a service contract
-
-

For completely free-form authentication logic and mechanisms, +the Authentication API itself a service contract

+ + + + + + + + + +
FeatureStatusDescription
EXT-AUTH-32
EXT-AUTH-32AParameters for Service Contract Implementation
EXT-AUTH-35AMake the Authentication API a service contract

For completely free-form authentication logic and mechanisms, something like Andrew Grumet's Pluggable Authentication for OACS Draft is interesting. He's proposing a scheme where the entire user interaction is encapsulated in, and left entirely to, a service @@ -673,14 +581,13 @@

Future: -Authenticating against multiple servers simultaneously

-
-EXT-AUTH-36: EXT-AUTH-36
-: -A
-: -Authenticate against multiple servers
-

Both OKI and OpenACS supports a form of stacking, where you can +Authenticating against multiple servers simultaneously

+ + + + + +
FeatureStatusDescription
EXT-AUTH-36
EXT-AUTH-36AAuthenticate against multiple servers

Both OKI and OpenACS supports a form of stacking, where you can be logged into multiple authorities at the same time. This is useful if, for example, you need to get login tokens such as Kerberos tickets for access to shared resources.

I can see the value in this, but for simplicity's sake, @@ -696,59 +603,28 @@ wait till they're there.

-Implement Specific Drivers

-
-
-Implement specific -drivers: EXT-AUTH-09
-: -A
-: -Create Auth. drivers for Local Authority
-
-
-Implement specific -drivers: EXT-AUTH-10
-: -A
-: -Create Acct. Creation driver for Local Authority
-
-
-Implement specific -drivers: EXT-AUTH-11
-: -A
-: -Create Auth. driver for PAM
-
-
-Implement specific -drivers: EXT-AUTH-12
-: -X
-:Create Acct. Creation driver for PAM - -this functionality is explicitly excluded from -PAM -
-
-
-Implement specific -drivers: EXT-AUTH-13
-: -A
-: -Create Acct. Creation driver for LDAP
-
-
-Implement specific -drivers: EXT-AUTH-14
-: -A
-: -Create Auth. driver for LDAP
-
-

We'll need drivers for:

    +Implement Specific Drivers
+ + + + + + + + + + + + + + + + + +
FeatureStatusDescription
Implement specific drivers
EXT-AUTH-09ACreate Auth. drivers for Local Authority
EXT-AUTH-10ACreate Acct. Creation driver for Local +Authority
EXT-AUTH-11ACreate Auth. driver for PAM
EXT-AUTH-12XCreate Acct. Creation +driver for PAM - this functionality is explicitly excluded from +PAM
EXT-AUTH-13ACreate Acct. Creation driver for LDAP
EXT-AUTH-14ACreate Auth. driver for LDAP

We'll need drivers for:

  • Operating system (Linux/Solaris) PAM: Delegate to the operating system, which can then talk to RADIUS, LDAP, whatever. This is convenient because there'll be plenty of drivers for the OS PAM