Uploaded image for project: 'OpenMRS Core'
  1. OpenMRS Core
  2. TRUNK-381

Support for alternate authentication schemes



    • Medium
    • Burke's Test Sprint


      In order to support LDAP and other authentication schemes (e.g., CGI-based authentication), UserContext should support a new AuthenticationScheme interface with the default implementation of BasicAuthenticationScheme (username and password) implemented out of the box. New authentication schemes could be introduced by writing a new implementation of AuthenticationScheme and then wiring it in through the API configuration files. Ideally, substitution (or addition) of the authentication scheme would be protected (e.g., limited to the configuration file setting or not easily done through the API) so that random code could not easily substitute a bogus authentication scheme to subvert proper authentication.

      public interface UserContext {
        /* Maintain support in API for simple authentication */
        public User authenticate(String username, String password)
          throws ContextAuthenticationException;
        /* Also support any future authentication scheme */
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;
        // Registration or removal of authentication schemes are protected
        protected void addAuthenticationScheme(AuthenticationScheme scheme);
        protected void removeAuthenticationScheme(AuthenticationScheme scheme);
       * Authentication schemes define their own credentials.
       * Any client authenticating against a given scheme must
       * supply appropriate credentials.
      public interface Credentials {
         * Credentials will contains scheme-specific properties, but
         * all credentials must declare their scheme.
        public String getAuthenticationScheme();
      /* Defines an authentication scheme that can be used by the API. */
      public interface AuthenticationScheme {
         * Returns the authenticated user for the API, but may return
         * additional information (e.g., an authentication token that
         * can be used for subsequent authentication).
        public Authenticated authenticate(Credentials credentials)
          throws ContextAuthenticationException;
      /* Used to allow more than just a user to be returned by authentication */
      public interface Authenticated {
        // Scheme through which user was authenticated
        public String getAuthenticationScheme();
        // OpenMRS user account that was authenticated
        public User getUser();
        // ... any additional data return by scheme (e.g., token) ...

      Initial design discussions occurred in this thread. Additional notes on this developers forum.

      Talk thread: https://talk.openmrs.org/t/openmrs-and-sso/1757

      Gliffy Diagrams


          1. api-package-under-web.png
            136 kB
            Dimitri R
          2. Default Authentication.gliffy
            14 kB
            Burke Mamlin
          3. Default Authentication.png
            14 kB
            Burke Mamlin

          Issue Links



                ruhanga Nathan Ruhanga
                burke Burke Mamlin
                Daniel Kayiwa Daniel Kayiwa
                3 Vote for this issue
                11 Start watching this issue