OpenMRS Core > TRUNK-381

Support for alternate authentication schemes

    Details

    • Type: New Feature
    • Status: Ready for Work
    • Priority: Could
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Complexity: Undetermined
    • Sprint: Burke's Test Sprint

      Description

      In order to support LDAP and other authentication schemes (e.g., CGI-based authentication), UserContext should support a new AuthenticationScheme interface with the default implementation of BasicAuthenticationScheme (username and password) implemented out of the box. New authentication schemes could be introduced by writing a new implementation of AuthenticationScheme and then wiring it in through the API configuration files. Ideally, substitution (or addition) of the authentication scheme would be protected (e.g., limited to the configuration file setting or not easily done through the API) so that random code could not easily substitute a bogus authentication scheme to subvert proper authentication.

      import org.openmrs.User;
      import org.openmrs.api.context.ContextAuthenticationException;
      
      public interface UserContext {
        /* Maintain support in API for simple authentication */
        public User authenticate(String username, String password)
          throws ContextAuthenticationException;
      
        /* Also support any future authentication scheme */
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;
      
        /*
         * Registration or removal of authentication schemes is protected, so it
         * does not belong on this public interface (Java interface methods are
         * implicitly public). The implementing class provides the equivalents:
         *   protected void addAuthenticationScheme(AuthenticationScheme scheme);
         *   protected void removeAuthenticationScheme(AuthenticationScheme scheme);
         */
      }
      
      /*
       * Authentication schemes define their own credentials.
       * Any client authenticating against a given scheme must
       * supply appropriate credentials.
       */
      public interface Credentials {
        /*
         * Credentials will contain scheme-specific properties, but
         * all credentials must declare their scheme.
         */
        public String getAuthenticationScheme();
      }
      
      /* Defines an authentication scheme that can be used by the API. */
      public interface AuthenticationScheme {
        /*
         * Returns the authenticated user for the API, but may return
         * additional information (e.g., an authentication token that
         * can be used for subsequent authentication).
         */
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;
      }
      
      /* Used to allow more than just a user to be returned by authentication */
      public interface Authenticated {
        // Scheme through which the user was authenticated
        public String getAuthenticationScheme();
      
        // OpenMRS user account that was authenticated
        public User getUser();
      
        // ... any additional data returned by the scheme (e.g., token) ...
      }
      
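The following is an added example, not code from this ticket or from OpenMRS: a minimal UserContext that looks up the AuthenticationScheme registered under the name the Credentials declare and dispatches to it, with BasicAuthenticationScheme registered through the protected method. It assumes stand-in User and ContextAuthenticationException classes, an added getName() on AuthenticationScheme, and a constructed in-memory password store.

```java
import java.util.HashMap;
import java.util.Map;
// Assumed stand-ins for the OpenMRS types named in the ticket, so this file compiles alone.
class User { final String username; User(String u) { username = u; } }
class ContextAuthenticationException extends Exception { ContextAuthenticationException(String m) { super(m); } }
interface Credentials { String getAuthenticationScheme(); }
interface Authenticated { String getAuthenticationScheme(); User getUser(); }
interface AuthenticationScheme {
  String getName(); // assumed addition: the name the scheme is registered under
  Authenticated authenticate(Credentials c) throws ContextAuthenticationException;
}
class BasicCredentials implements Credentials {
  final String username, password;
  BasicCredentials(String u, String p) { username = u; password = p; }
  public String getAuthenticationScheme() { return "basic"; }
}
class BasicAuthenticationScheme implements AuthenticationScheme {
  private final Map<String, String> passwords = new HashMap<>(); // constructed demo store; plaintext only here
  BasicAuthenticationScheme() { passwords.put("admin", "Admin123"); }
  public String getName() { return "basic"; }
  public Authenticated authenticate(Credentials c) throws ContextAuthenticationException {
    if (!(c instanceof BasicCredentials)) throw new ContextAuthenticationException("Wrong credential type");
    BasicCredentials b = (BasicCredentials) c;
    // One message for unknown user and bad password, so the failure does not reveal which it was.
    if (!b.password.equals(passwords.get(b.username))) throw new ContextAuthenticationException("Invalid username and/or password");
    User user = new User(b.username);
    return new Authenticated() {
      public String getAuthenticationScheme() { return "basic"; }
      public User getUser() { return user; }
    };
  }
}
class UserContext {
  private final Map<String, AuthenticationScheme> schemes = new HashMap<>();
  UserContext() { addAuthenticationScheme(new BasicAuthenticationScheme()); }
  // Protected: only the context or a subclass wired in by configuration can register a scheme, not API callers.
  protected void addAuthenticationScheme(AuthenticationScheme s) { schemes.put(s.getName(), s); }
  public Authenticated authenticate(Credentials c) throws ContextAuthenticationException {
    AuthenticationScheme s = schemes.get(c.getAuthenticationScheme());
    if (s == null) throw new ContextAuthenticationException("No scheme registered for: " + c.getAuthenticationScheme());
    return s.authenticate(c); // dispatch to the scheme the credentials name
  }
  public static void main(String[] args) throws Exception {
    UserContext ctx = new UserContext();
    System.out.println(ctx.authenticate(new BasicCredentials("admin", "Admin123")).getUser().username);
    try { ctx.authenticate(new BasicCredentials("admin", "wrong")); } catch (ContextAuthenticationException e) { System.out.println(e.getMessage()); }
  }
}
```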

      Initial design discussions occurred in this thread. Additional notes on this developers forum.

People

    • Assignee: Unassigned
    • Reporter: Burke Mamlin (burke)
    • Votes: 2
    • Watchers: 5