Authentication Plugin

Status
Not open for further replies.

ardyhash

Member
Jan 7, 2021
89
15
8
44
Hello world,

In an effort to outsource security I've placed a fusion installation behind an authentication proxy (oauth2-proxy). This works well, but being human I'm greedy and don't want to have to login twice so I plagiarized an msad_ldap plugin I found on this forum to use headers from the proxy to authenticate, but somehow despite returning authorized "true" I'm greeted with a password prompt. I wouldn't call myself a developer, certainly not a php developer, so was hoping for some pointers. It clearly knows my username based on the screenshot and also when I do a dump of the session variables I see my username and the correct domain. If I enter my password here it goes through but I'm trying to have a seamless login experience where after authenticating to microsoft (my oauth provider) the user gets dropped into a logged in session.

1707831606124.png




<?php
/**
* plugin_oauth2proxy
* Authentication plugin for authenticating using headers from oauth2_proxy
* By Ardy Hash based on plugin_msad_ldap found on pbxforums.com
*
* @method oauth2proxy uses headers passed by proxy to authenticate user
*/
class plugin_oauth2proxy {
/**
* Define variables and their scope
*/
public $debug;
public $domain_name;
public $username;
public $password;
public $user_uuid;
public $contact_uuid;
/**
* oauth2proxy checks proxy headers against database to authenticate the user
* @return array [authorized] => true or false
**/
function oauth2proxy() {
//save the database connection to a local variable
include "root.php";
require_once "resources/classes/database.php";
$database = new database;
$database->connect();
$db = $database->db;
//use headers to validate the user authentication
$user_authorized = false;
$headers = getallheaders();
if(array_key_exists('X-Access-Token', $headers) && array_key_exists('X-User', $headers) && array_key_exists('X-Email', $headers)) {
if($headers['X-Access-Token'] != '' && $headers['X-User'] != '' && $headers['X-Email'] != '') {
$sql = "select * from v_users where user_enabled='true' ";
$sql .= "and user_email=:useremail ";
if ($_SESSION["user"]["unique"]["text"] == "global") {
//unique username - global (example: email address)
}
else {
//unique username - per domain
$sql .= "and domain_uuid=:domain_uuid ";
}
$prep_statement = $db->prepare(check_sql($sql));
if ($_SESSION["user"]["unique"]["text"] != "global") {
$prep_statement->bindParam(':domain_uuid', $this->domain_uuid);
}
$prep_statement->bindParam(':useremail', $headers['X-Email']);
$prep_statement->execute();
$user_results = $prep_statement->fetchAll(PDO::FETCH_NAMED);
if (count($user_results) > 0) {
$user_authorized = true;
foreach ($user_results as &$row) {
if ($_SESSION["user"]["unique"]["text"] == "global" && $row["domain_uuid"] != $this->domain_uuid) {
//get the domain uuid
$this->domain_uuid = $row["domain_uuid"];
$this->domain_name = $_SESSION['domains'][$this->domain_uuid]['domain_name'];
}
//set the domain session variables
$_SESSION["domain_uuid"] = $this->domain_uuid;
$_SESSION["domain_name"] = $this->domain_name;
//set the setting arrays
$domain = new domains();
$domain->db = $db;
$domain->set();
$this->username = $row["username"];
$this->user_uuid = $row["user_uuid"];
$this->contact_uuid = $row["contact_uuid"];
}
}
}
}
$_SESSION["username"] = $this->username;
$result["plugin"] = "oauth2proxy";
$result["username"] = $this->username;
$result["user_uuid"] = $this->user_uuid;
$result["domain_uuid"] = $this->domain_uuid;
$result["domain_name"] = $this->domain_name;
if ($this->debug) {
$result["password"] = $this->password;
}
if ($user_authorized) {
$result["authorized"] = "true";
} else {
$result["authorized"] = "false";
}
return $result;
}
}
?>
 

ardyhash

Member
Jan 7, 2021
89
15
8
44
Digging some more I noticed that when I'm properly authenticated and everything works the session dump (plus phpinfo output) is about 7300 lines whereas when I get the password prompts its only about 4500 lines, seems the difference includes permissions and menus. Also, if I disable the 'database' authentication plugin so that mine is the only one enabled then it does autologin, but gives a very ugly blank white page a user with that email doesn't exist.
 

ardyhash

Member
Jan 7, 2021
89
15
8
44
Wouldn't we want to break out if authorized=true and just continue or do nothing if authorized=false? Maybe this is what's intended and I'm not getting it, but it seems to me even when an authentication plugin returns authorized=true the loop continues to check other plugins instead of breaking with authorized = true.

1707868854070.png
 
Status
Not open for further replies.