Feature #19033
closedRefine Typo3 authentication in QFQ
0%
Description
Overview¶
In order to authenticate a user in Typo3 two sip stores must be created in QFQ and then a redirection triggered via JavaScript. The desired behavior is to achieve that with one column, though.
Current situation¶
- Create a sip store
authUserSip
with user data:username
(required)first_name
last_name
email
- any other fields of the
fe_users
table
- Optionally create a sip store
authConfSip
with authentication features: |_. Feature |_. Description | |storage
| The id of the page on which FE users are stored. | |create
| A local account is created when none exists. | |unlock
| A local account is unlocked if disabled. | - Use JavaScript to trigger a redirection to an URL with query parameters
authuser={authUserSip}&authconf={authConfSip}&logintype=login
- Typo3 triggers the authentication process and the
QfqAuthenticationService
service uses theauthuser
query parameter to deliver a user to be authenticated.
Desired situation¶
One SQL statement should create both sips and trigger an immediate redirection. Suggested column name: authenticate
Related issues
Updated by Krzysztof Putyra 10 days ago
- Related to Feature #18731: QFQ Doc: Add documention for 'authentication', use cases added
Updated by Krzysztof Putyra 9 days ago
Idea: choosing a username when multiple potential accounts are known
This idea is dropped due to minimal usage
QFQ have no direct access to fe_users
table and it might be non clear, what is their username. For instance, we may found several accounts in math_db
: UZH shortname, I-MATH, T3 local, ...
Multi-row query
Assume that the usernames are fetched in a desired order of preference. Then evaluating the rows one-by-one stops at the first match, because a redirection is triggered.
10.sql = SELECT name AS _authenticated FROM Account WHERE pId = {{personId:R}} ORDER BY (CASE WHEN source = 'math' THEN 0 WHEN source = 'uzh_shortname' THEN 1 WHEN source = 't3_local' THEN 2 WHEN source = 'eduid' THEN 3 END CASE AS priority) ASC
Multi-username mode
Instead of trying all of them one-by-one, we can allow to specify several usernames at once and let QFQ to pick the best choice. This process can be configured by specifying how the usernames should be prioritized.
10.sql = SELECT 'user1,user,user@email.ch' AS _authenticatedThere are three types of usernames:
- non-existing
- locked
- unlocked
- drop locked users if local accounts cannot be unlocked (parameter
u:[0|1]
) - drop non-existing users if local accounts cannot be created (parameter
c:[0|1]
)
Then the parameter p:<value>
(preference or priority) specifies which username is picked. The following modes can be implemented.
Mode | Value | First choice | Second choice | Third choice |
---|---|---|---|---|
none | 0 | All usernames | --- | --- |
existing | 1 | Existing usernames | Non-existing | --- |
unlocked | 2 | Unlocked or non-existing | Locked usernames | --- |
available | 3 | Unlocked and existing | Locked usernames | Non-existing usernames |
The value of the p:
parameter can be either the number or the mode string.
Updated by Krzysztof Putyra 8 days ago
General usage
- On a successful authentication an HTTP redirection is triggered and the rendering of the page stops
- Errors are passed via the
{{authResult:V}}
variable:LOCKED
if the account is disabled, i.e.disable = 1
INACTIVE
if the account will be enabled in future, i.e.starttime > CURRENT_TIMESTAMP
EXPIRED
if the account is no longer enabled, i.e.endtime < CURRENT_TIMESTAMP
and non-zeroNOT_FOUND
if no account with the desired username exists
User data
User data: fe_user fields provided as a query string and used when a user is created or modified:
user1|first_name=Joe&last_name=Doe&email=joe.doe@email.com&zip=1234
Internally this string will be encoded in a sip store
Authentication features
create
- a user record is created if none is foundunlock
- a user record is unlocked if disabled[removed because disabled an inactive accounts are not accepted by Typo3]force
- authenticate an existing user even when inactive or locked, but does not activate or unlocks them. This might be useful for the switch user feature.update
- the fe_user record is updated with provided dataactivate
- an inactive user is activated for a provided time (default in settings)enableUntil
- the new expiration timestamp (takes precedence)enableBy
- for how long an expired account will be valid
Rendering
Theauthenticate
column extends link
with the following syntax<username>|<user data>|<auth features>|<link parameters>...
The rendering mode is picked as follows:
- if the link generates a text, image, button, then the default rendering mode is 0
- otherwise the default rendering mode is 9
Note: the authentication column adds extra parameters once the link URL is already generated. Hence, these extra parameters are not taken into account in rendering mode 8 (pure sip).