eZ Components - Authentication, Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:Author:   Alexandru Stanoi
:Revision: $Revision: $
:Date:     $Date: $


Introduction
============

The purpose of the Authentication component is to provide support for different
means of identification and authentication of users using different providers and
protocols.


About authentication
====================

What is authentication?
-----------------------

Authentication is a process of verifying the identity of an user and enabling
access for that user based on stored permissions.

The steps of the authentication process are: 

Identification
  Fetch the user credentials (eg. username + password, IP address, tokens).

Authentication
  Check user credentials with a security provider (eg. LDAP, database, htpasswd
  file).

Validation
  Check if user is valid for the current context (eg. time of day).

Authorization
  Check if user has permissions for the current context (eg. printer access).

The new Authentication component will implement only the Indentificaton and
Authentication stages. Validation and Authorization will be implemented at a
later point in time.


Authentication examples
-----------------------

Login
  The user enter their username (sometimes email address) and password.
  Websites usually have a "Keep me logged-in" or "Remember me" checkbox to
  avoid entering credentials everytime the user starts the application. The
  application will compare the user's credentials against a database or another
  provider, and allow the user access to the application. If user credentials
  are not recognized, the application will deny access to the user. Sometimes
  websites use other credentials in addition, like banks requiring users to use
  a code generator (calculator) in response to the code generated by the
  application.

CAPTCHA
  Not a proper authentication, it is just a way to secure certain features of
  an application against scripts. The server generates a code and displays it
  to the user in a scrambled image, and the user must enter the code in the
  image to gain access to the secured feature (post comment, send email, etc).

Confirmation ticket
  Similar to CAPTCHA. The server generates a code and keeps it in a database
  (or another storage), and sends an email to the user with the code. The user
  uses this code in the application (usually by clicking a link in the email).
  This is usually done to confirm the user's email address. The code is usually
  deleted from the database after being used.


Requirements
============

The Authentication component should support adding filters (plug-ins) to the
authentication process. These filters will be processed in order, and only if
the previous filters allow the process to continue. If one filter fails (for
example if the password is incorrect), then the whole authentication process
stops and the status of the authentication can be used by the application
(for example to display "Password incorrect").


Authentication filters
----------------------

A list of filters which are to be supported in the initial release of the
component (this list might be changed later):

Group
  A generic filter which is used to group two or more filters. Depending on
  configuration, at least one filter needs to succeed in order for the group
  to succeed, or all filters need to succeed in order for the group to succeed.
  Example: grouping one LDAP and one Database filter and configuring that at
  least one of the filters needs to succeed for the group to succeed.

Htpasswd file
  Uses a Unix htpasswd file to authenticate users. Basic filter and not too
  secure as the htpasswd file can be accessible to someone who has access to
  the server. Should not be employed on critical application. It is used mostly
  as an example.

Database
  Uses an existing database to authenticate user credentials. Should use
  database abstraction to be able to authenticate against different database
  providers (MySql, Oracle, etc) - this can be achieved with the Database and
  DatabaseSchema components.

Token
  Support for authenticating against a user generated code. The code is stored
  in a database (or other storage), and is deleted after the user has
  authenticated against it. It is usually used for confirmation of the user's
  email address.

OpendID
  Uses the OpenID protocol to authenticate users. The central idea of this
  distributed protocol is that users login only once using their own URL.
  (blog, personal website). Info: http://openid.net

TypeKey
  In many ways similar with OpenID, in that users login only once. Info:
  http://www.sixapart.com/typekey

LDAP (Lightweight Directory Access Protocol)
  Protocol for querying and updating directory services. Compatible with
  other protocols (Novell eDirectory, Oracle Internet Directory, Windows Server
  2003 Active Directory). RFC: http://www.faqs.org/rfcs/rfc4510.html


Session support
---------------

Uses the PHP session to make information about the authenticated user
persistent across requests. This information includes if the user is
authenticated and authentication timestamp (to be used to expire the session).


Design goals
============

The authentication process is divided into filters (plug-ins). The developer
can decide which filters the application should employ and their order.

The list of filters can be extended by developers, and creating new filters
should not affect existing code.

The session is optional and is used to make the authentication persistent
across requests. If the session is enabled, the authentication process starts
at the session, where it will check if the user is already authenticated. If
the session expired or if the user is not authenticated, the other filters in
the authentication process will be run. If the authentication process was
successful, then the session will save the authentication information to be
used in subsequent requests.

The logging of authorization attempts will not be done by the Authentication
component, but by the application (eventually using the EventLog component).


Authentication process
----------------------

The filters run in sequence. Based on the return status of each filter, the
authentication process will continue or stop as follows:

Continue
  The next filter will be run. If all filters are run and positive answer
  is received from all of them, then the user is granted access to the
  application.

Error
  The authentication process will stop (or not, depending on the options), and
  a status object will contain the error. The application will decide, based on
  the error status, what to do (for example display an error message like
  "Password incorrect").

Stop
  The authentication process will stop regardless of what filters are still in
  the queue, and the user is granted access to the application.

Schematic: ::
                                       START
                                         |
                                         V
                   NO (Error)       ----------- 
          -------------------------|  Session  |-------------------
          |                         -----------                   | YES (Stop)
          |                              | YES (Continue)         |
          |                              V                        |
          V        NO (Error)       ------------                  V
           ------------------------|  Database  |-----------------
          |                         ------------                  | YES (Stop)
          |                              | YES (Continue)         |
          |                              V                        |
          V        NO (Error)       ------------                  V
           ------------------------|    LDAP    |-----------------
          |                         ------------                  | YES (Stop)
          |                              | YES (Continue)         |
          V                              V                        V
  ===================            ======================================
 ( not authenticated )          (            authenticated             )
  ===================            ======================================

This behaviour can be changed with an option for each filter, which specifies
if the filter stops the authentication process if it is successful, or allows
the authentication process to continue.


Session
-------

The use of a Session object is optional (but enabled by default). Developers can
specify the provided Session class or extend it to implement their desired
functionality.

If a Session object is specified, then it will be checked before the
authentication process, and it will save the authentication information for
future requests, after the process.

The Session class is responsible for:
 - saving and checking the timestamp (based on options)
 - starting and ending the PHP session
 - regenerating the session ID


Grouping of filters
-------------------

The developer of the application can group similar filters together, where at
least one filter needs to succeed for the filter group to succeed, or all
filters need to succeed for the filter group to succeed.

For example: the user credentials can be checked against the local database or
an LDAP provider, but it needs not be present in both providers. In this case
the LDAP and Database filters will be grouped together, and if at least one
filter succeed, then the group filter will succeed.


PHP requirements
================

Extensions needed for the authentication:
 - TypeKey: bcmath or gmp
 - OpenID: openssl
 - LDAP: ldap; oci8 (plus Oracle enviroment) is required for OracleLDAP
 - parsing of XML documents: simplexml (usually enabled by default)


Security considerations
=======================

Due to the nature of this component, care must be taken to ensure secure
handling of resources.

Session attacks will be prevented with these methods:
 - prevent session fixation (http://en.wikipedia.org/wiki/Session_fixation)
 - regenerate session id if not authenticated




..
   Local Variables:
   mode: rst
   fill-column: 79
   End:
   vim: et syn=rst tw=79 nocin
