Implement Token Authentication #2432

Merged
merged 3 commits into from Nov 28, 2023
Conversation

splitbrain
Collaborator

@splitbrain splitbrain commented Jun 21, 2018

This implements #2431. Users can set up the token in their profile. Requests that send the token in an authorization header will be authorized automatically:

Authorization: DokuWiki <token>

The token is two parts: the first part encodes the user (using MD5) the second part is the actual random token.

The PR also refactors the Profile-View into an UI class.

@phy25 phy25 added this to Triage in PSR-2 Finishing via automation Oct 21, 2019
@phy25
Collaborator

phy25 commented Mar 9, 2020

Do we need a config option so that someone can disable this (like $conf['remote'])? Do we want to allow plugins to override this part? If a user triggers a password change, should we invalidate the previous token?

@splitbrain
Collaborator Author

All very good questions. In the meantime I forgot what I actually wanted to use this for ;-)

I guess it would make sense to split off the Profile UI changes from the token auth changes....

@glensc glensc mentioned this pull request Apr 25, 2023
@creatronics-de

Hi, great to see it implemented, thank you!
We wanted to use it for example to export PDFs with the bookcreator Plugin.
Kind regards,
Michael

@splitbrain
Collaborator Author

Please note that this PR has been updated to:

  • make compatible with current master
  • use JWT instead of a custom token format
  • use Authorization: Bearer header

splitbrain added a commit that referenced this pull request Apr 27, 2023
XMLRPC is a rather outdated and old-fashioned protocol not much in use
anymore. Developers prefer simpler, JSON based APIs.

This adds a new "JSONRPC" API. Basically it exposes exactly the same
method calls as the XMLRPC API but using JSON instead of XML. It's not a
classical REST API, but should be just as easy to use for developers.

Here is an example call using CURL:

  curl http://localhost/dokuwiki/lib/exe/jsonrpc.php \
     -H 'Content-Type: application/json' \
     -H "Authorization: Bearer $token" \
     -d '["wiki"]'

Please note that the above uses the token auth implemented in #2432.
Authentication via basic auth or cookies would work as well.
@glensc
Contributor

glensc commented Apr 28, 2023

Can you add something to the UI to make it easier to copy the token? A copy icon would be nice, but selecting the whole textarea on focus would be nice too.

@glensc
Contributor

glensc commented Apr 28, 2023

I'm trying to use this with oauth and oauthazure plugins and xmlrpc calls

and the code is skipped right in the beginning:

function auth_tokenlogin() {
    global $USERINFO;
    global $INPUT;
    /** @var DokuWiki_Auth_Plugin $auth */
    global $auth;
    if(!$auth) return false; // <- returns here

I've applied this patch directly against the 2023-04-04 release; is there something else needed (i.e. changes after the 2023-04-04 release)?

EDIT: Never mind, the authorization header was lowercased for me:

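The mechanism discussed in this thread, as an added example that is not DokuWiki's code (the project is PHP; this is a stand-alone Python sketch of the same design, written for this page): an HS256 JWT whose `sub` claim names the user, sent as `Authorization: Bearer <jwt>` and verified against a per-user secret, so that resetting the secret in the profile invalidates every earlier token, plus a header lookup that accepts a lowercased `authorization` header or the CGI-style `HTTP_AUTHORIZATION` variable, the failure glensc hit above. The user store, the secret-per-user design, the `alg` pinning and all sample values are assumptions for illustration, not a description of what the merged PR does.

```python
"""Illustrative bearer-token auth for a JSON-RPC style endpoint.

Added example for this page, not DokuWiki's own code. Assumptions:
per-user secrets live in a dict standing in for profile storage, tokens
are HS256 JWTs with a `sub` claim, and revocation is done by rotating
the user's secret.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed per-user secrets (stand-in for "profile" storage).
USER_SECRETS: Dict[str, bytes] = {"alice": secrets.token_bytes(32)}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, now: Optional[int] = None) -> str:
    """Create an HS256 JWT whose `sub` names the user, signed with that user's secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "iat": now if now is not None else int(time.time())}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(USER_SECRETS[user], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str) -> Optional[str]:
    """Return the user named by a valid token, or None for anything malformed or forged."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side: the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        return None
    user = payload.get("sub")
    secret = USER_SECRETS.get(user) if isinstance(user, str) else None
    if secret is None:
        return None
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return user


def reset_token(user: str) -> None:
    """Rotate the user's secret; every previously minted token stops verifying."""
    USER_SECRETS[user] = secrets.token_bytes(32)


def bearer_from_request(headers: Dict[str, str], environ: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Extract the bearer token, tolerating lowercased header names and CGI variables."""
    candidates = [v for k, v in headers.items() if k.lower() == "authorization"]
    if environ:
        for key in ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION"):
            if environ.get(key):
                candidates.append(environ[key])
    for value in candidates:
        scheme, _, rest = value.strip().partition(" ")
        if scheme.lower() == "bearer" and rest.strip():
            return rest.strip()
    return None


def authenticate(headers: Dict[str, str], environ: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Resolve a request to a user name, or None if no valid bearer token was sent."""
    token = bearer_from_request(headers, environ)
    return verify_token(token) if token else None


if __name__ == "__main__":
    t = mint_token("alice")
    print(authenticate({"authorization": "Bearer " + t}))  # alice, despite lowercased header
    reset_token("alice")
    print(authenticate({"Authorization": "Bearer " + t}))  # None, secret was rotated
```

Run as a script it resolves the lowercased header to `alice`, then returns `None` for the same token after `reset_token` rotates the secret it was signed with. With either the JWT or the earlier custom format, the server still needs a stored per-user value to check against; a signature alone gives no way to revoke a token before it expires.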
pld-gitsync pushed a commit to pld-linux/dokuwiki that referenced this pull request Apr 28, 2023
@glensc
Contributor

glensc commented May 11, 2023

@splitbrain aside from the lowercase headers problem this works fine for me with azure oauth.

This generates a JWT token for users. This token can be sent in a Bearer
authentication header as a login mechanism. Users can reset their token
in the profile.

Note: a previously suggested implementation used a custom token format,
not JWT tokens
@splitbrain
Collaborator Author

Rebased on current master

@Klap-in
Collaborator

Klap-in commented Oct 12, 2023

Looks logical at first sight, but I think @michitux and @micgro42 have more insight into this topic.

@glensc
Contributor

glensc commented Nov 5, 2023

change case commit message has typo: d26e5a2.

@splitbrain splitbrain merged commit 7480001 into master Nov 28, 2023
10 of 12 checks passed
PSR-2 Finishing automation moved this from Triage to Done Nov 28, 2023
@splitbrain splitbrain deleted the tokenauth branch November 28, 2023 13:21
@haslersn

Is it possible to disable token auth? Is there a config option?
