OpenMRS Core / TRUNK-381

Support for alternate authentication schemes

    Details

    • Type: New Feature
    • Status: Ready for Work
    • Priority: Could
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Complexity: Undetermined
    • Sprint: Burke's Test Sprint

      Description

      In order to support LDAP and other authentication schemes (e.g., CGI-based authentication), UserContext should support a new AuthenticationScheme interface with the default implementation of BasicAuthenticationScheme (username and password) implemented out of the box. New authentication schemes could be introduced by writing a new implementation of AuthenticationScheme and then wiring it in through the API configuration files. Ideally, substitution (or addition) of the authentication scheme would be protected (e.g., limited to the configuration file setting or not easily done through the API) so that random code could not easily substitute a bogus authentication scheme to subvert proper authentication.

      public interface UserContext {
        /* Maintain support in the API for simple username/password authentication */
        public User authenticate(String username, String password)
          throws ContextAuthenticationException;

        /* Also support any future authentication scheme */
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;

        /*
         * Registration and removal of authentication schemes are protected.
         * (Design sketch: a Java interface cannot declare protected methods, so in
         * the implementation these would live on the concrete context class with
         * restricted access rather than on the public interface.)
         */
        protected void addAuthenticationScheme(AuthenticationScheme scheme);
        protected void removeAuthenticationScheme(AuthenticationScheme scheme);
      }

      /*
       * Authentication schemes define their own credentials.
       * Any client authenticating against a given scheme must
       * supply appropriate credentials.
       */
      public interface Credentials {
        /*
         * Credentials will contain scheme-specific properties, but
         * all credentials must declare their scheme.
         */
        public String getAuthenticationScheme();
      }

      /* Defines an authentication scheme that can be used by the API. */
      public interface AuthenticationScheme {
        /*
         * Returns the authenticated user for the API, but may return
         * additional information (e.g., an authentication token that
         * can be used for subsequent authentication).
         */
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;
      }

      /* Allows more than just a user to be returned by authentication */
      public interface Authenticated {
        // Scheme through which the user was authenticated
        public String getAuthenticationScheme();

        // OpenMRS user account that was authenticated
        public User getUser();

        // ... any additional data returned by the scheme (e.g., a token) ...
      }


      Initial design discussions occurred in this thread. Additional notes on this developers forum.
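      As an added sketch (not OpenMRS code and not part of the ticket) of how the pieces in the description fit together: a default BasicAuthenticationScheme, a dispatcher that fails closed on a scheme name no one configured, and a registry that accepts schemes only at construction so nothing else in the codebase can swap one in. The record types and the PasswordVerifier hook are assumptions made for the illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Added illustration (Java 16+), not OpenMRS code: the ticket's interfaces are
// stand-ins here, and PasswordVerifier is a hypothetical hook for the real check.
class ContextAuthenticationException extends Exception {
    ContextAuthenticationException(String m) { super(m); }
}
record User(String username) {}
interface Credentials { String getAuthenticationScheme(); }
interface Authenticated { String getAuthenticationScheme(); User getUser(); }
interface AuthenticationScheme {
    String name();
    Authenticated authenticate(Credentials c) throws ContextAuthenticationException;
}
interface PasswordVerifier { boolean verify(String username, String password); }
record UsernamePasswordCredentials(String username, String password) implements Credentials {
    public String getAuthenticationScheme() { return "BASIC"; }
}
record BasicResult(User getUser) implements Authenticated {
    public String getAuthenticationScheme() { return "BASIC"; }
}
// Default scheme shipped out of the box: username and password.
final class BasicAuthenticationScheme implements AuthenticationScheme {
    private final PasswordVerifier verifier;
    BasicAuthenticationScheme(PasswordVerifier v) { verifier = v; }
    public String name() { return "BASIC"; }
    public Authenticated authenticate(Credentials c) throws ContextAuthenticationException {
        // Check the credential type instead of casting blindly.
        if (!(c instanceof UsernamePasswordCredentials up))
            throw new ContextAuthenticationException("Wrong credential type for BASIC");
        if (!verifier.verify(up.username(), up.password()))
            throw new ContextAuthenticationException("Invalid username or password");
        return new BasicResult(new User(up.username()));
    }
}
// Registry filled once from configuration, with no public add/remove, so
// arbitrary code cannot substitute a bogus scheme at runtime.
final class SchemeRegistry {
    private final Map<String, AuthenticationScheme> schemes = new HashMap<>();
    SchemeRegistry(List<AuthenticationScheme> configured) {
        for (AuthenticationScheme s : configured) schemes.put(s.name(), s);
    }
    Authenticated authenticate(Credentials c) throws ContextAuthenticationException {
        AuthenticationScheme s = schemes.get(c.getAuthenticationScheme());
        if (s == null) throw new ContextAuthenticationException("Unknown scheme"); // fail closed
        return s.authenticate(c);
    }
}
```

      The configuration layer would build the registry once with something like `new SchemeRegistry(List.of(new BasicAuthenticationScheme(verifier)))`; credentials naming a scheme that was never configured are rejected rather than silently falling back to BASIC.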

            Activity

            Michael Downey added a comment -

            Auto-advancing imported tickets to assessed status.

            Harsha Kumara added a comment -

            Burke Mamlin I'm very interested in this task. Is it OK for me to take this?

            Daniel Kayiwa added a comment -

            Harsha Kumara no need to ask for permission when a ticket is ready for work.

            Harsha Kumara added a comment - edited

            Thanks Daniel Kayiwa. Looking forward to working on this ticket. Recently I have been really interested in security-related tasks.

            Suranga Kasthurirathne added a comment -

            Harsha Kumara, it might be important to look at this ticket in terms of our OAuth work.
            Instead of coming up with a use-once approach for the core to support just OAuth, we could make an OAuth authentication scheme using this ticket.
            On the plus side, this scheme can also be used for other authentication approaches that we might want later...

              People

              • Assignee: Unassigned
              • Reporter: Burke Mamlin
              • Votes: 2
              • Watchers: 5