Table of Contents
With Remote Authentication enabled, users can login to your site via any authorized external service and act as a regular user.
This allows you to disable anonymous comments and make it easier for people to comment (they don't have to sign up on yet another site (yours) they can use a pre-existing central account to make comments).
glFusion allows your site users to login using their favorite social media system. For example, a Facebook user can simply choose the Connect with Facebook button and log into your site. glFusion currently supports social logins from Facebook, Twitter, Google, Microsoft, LinkedIn, and GitHub. The technical term for this is OAuth login.
To enable OAuth login support, you must enable OAuth support in the glFusion Configuration Section: Configuration → User and Submissions → Users.
Set User Login Method[oauth] to True
Then, configure each OAuth provider you wish to use. Each provider will need to have a Consumer Key and Consumer Secret defined. See the list below for details on how to obtain the OAuth key / secret for each of the supported providers.
glFusion allows you to authenticate users from an external source, such as LDAP or Active Directory.
To enable Remote Authentication:
- Install One or more Authentication classes in /private/system/classes/authentication (glFusion ships with a class for LiveJournal.com and an LDAP class)
- In glFusion 1.0.0 or later:
- In the Configuration, go to “Users and Submissions” > “Users” and set “User Login Method[3rdparty]” to “True”
- (optional) On the same Configuration panel under “User Submission”, set “User Submission Queue?” to “False”
With Remote Authentication enabled, the user is presented with a select box on the login screen to choose the login service. This will default to your site, but allow them to choose an external service. Users are authenticated via their remote username and password, and if they pass authentication a local account is created on your site that is slaved to that remote account. These local slave accounts can be banned, have special permissions, etc. just like any regular site user. The account creation process is the same as for local accounts, so all custom functions and plugin notifications are carried out as normal. In addition, the user is added to the group 'Remote Users' allowing you to automatically grant/deny specific permissions to all remote users.
When a new account is created, the local username for that account is set to the remote username. However, if there is already a user in the system with the same username a call is made to CUSTOM_uniqueUsername passing in their remote username. This allows the admin to supply a custom function to ensure unique usernames for all users.
It is not necessary to have unique usernames. This does not break the security of a local user or remote users login, as the full remote username and service are stored locally to avoid collision and internally users are identified by a unique number. However, if you want to ensure it is clear who has posted a comment or article by the name displayed, this function allows you to ensure uniqueness.
To disable a specific service, simply remove the (servicename).auth.class.php file from /private/system/classes/authentication and that remote service will no longer be available to your users.
Currently authentication modules are available for:
If you wish to add further services you will have to write custom modules to do so. This can be done by creating a PHP file named ServiceName.auth.class.php which declares a class called ServiceName with a method called authenticate. Authenticate takes username and password as arguments and should return a boolean. The class should expose an 'email' property and attempt to provide the users valid email address if this can be aquired from the remote server. If that information is available, the class can also provide the user's full name ('fullname' property) and homepage ('homepage' property).