Remote Authentication in Geeklog 1.4
Geeklog 1.4 introduces a new feature “Remote Authentication”. The motivation behind this core feature is simple: Users do not want to sign up at every site they visit to post a comment, and site administrators do not want to allow anonymous comments due to spam and other factors. Remote Authentication solves this problem by allowing people to login to your Geeklog site with their login credentials for another, established service.
Firstly, a caveat to users, the Remote Authentication feature in Geeklog requires you to expose your password for the remote service when logging in. An unscrupulous systems administrator could modify the code to capture your password. Do not use this feature on sites you do not trust!
Remote Authentication ships with support for LiveJournal.com and Blogger.com accounts. When correctly configured the Remote Authentication system will allow registered LiveJournal or Blogger users to login with their remote account to your Geeklog instance. This feature is disabled by default, to enable it you must set the $_CONF['remoteauthentication'] variable to true in your config.php file, and disable user submission (set $_CONF['usersubmission'] to 0).
When enabled, each login form will include a drop down box of supported login services. The default option is your Geeklog site, listed with the text from your site name configuration from config.php ($_CONF[‘site_name’]). You can add or remove sites used for authentication simply by adding and removing authentication classes from $_CONF[‘path_system’]/classes/authentication. For example; to disable LiveJournal support, delete the LiveJournal.auth.class.php file.
To add support for another service, you will need to write a suitable auth.class.php file and drop it into the $_CONF[‘path_system’]/classes/authentication folder. Each class must have an email property and an authenticate method that takes two arguments, username and password, and returns a Boolean true if the login succeeds.
If a user login succeeds, a new account is created for that user, storing their remote username and the service used to authenticate, along with a secure hash of the password. In future, authentication will only be made with the remote server in the case that the user gets their password wrong, in which case the “incorrect” password is checked with the remote service again to see if the “incorrect” password is in fact the new password for that service.
The username for the local account will be initially the username for the remote account, however, if that username has already been registered with the local Geeklog instance a call is made to custom_uniqueRemoteUsername passing in the username and the service used. This function may return an altered username, and it is up to the webmaster at a given Geeklog site to write a version of this function that meets their needs.
However, Geeklog does not require the username to be unique, indeed, if the $_CONF[‘show_fullname’] variable is set to 1, the username is not in fact displayed. Geeklog also allows you to set $_CONF[‘show_servicename’] to true. In this case, remote users will be displayed as username@remoteservice rather than just username (assuming $_CONF[‘show_fullname’] is 0).
So to recap usernames. My Geeklog site has me registered as THEMike. If THEMike, a Blogger.com user (myself incidentally) logs in to my site with his blogger.com account using Geeklog’s Remote Authentication, a new user will be created, also with the username THEMike, unless that is, I implement custom_uniqueRemoteUsername in lib-custom.php to make it unique. However, if I set $_CONF[‘show_fullname’] to 1, then instead of seeing two THEMikes, I will see a “Michael Jervis” from my Geeklog account which is configured with my full name, and a THEMike from the blogger.com account (as full name is not retrieved from blogger.com on login). Alternatively, I may set $_CONF[‘show_servicename’] to true, in which case I will see one THEMike (local account) and one THEMike@Blogger (Remote Authentication account).
This gives a site admin full control over who can authenticate with their site, and how their name is displayed. A system administrator has full and flexible control over whether or not to use this feature, and how the usernames are created. You could even deactivate new user registrations on your site (set $_CONF['disable_new_user_registration'] to true), and only allow remote users.
One further trick in Geeklog’s new system, is the Remote Users user group. All users registered via Remote Authentication are added to this group. You can use this to disallow remote users access to certain aspects of your Geeklog system.
Enjoy the new feature.