Kanboard provides a flexible and pluggable authentication architecture.
By default, user authentication can be done with multiple methods:
Moreover, after a successful authentication, a two-factor post-authentication step can be performed. Kanboard natively supports the TOTP standard.
To have a pluggable system, authentication drivers must implement a set of interfaces:

- Base interface for the other authentication interfaces
- The user is already authenticated when reaching the application; web servers usually define some environment variables
- Authentication methods that use the username and password provided in the login form
- Two-factor authentication drivers, which ask for a confirmation code
- Providers that are able to check whether the user session is valid
For each HTTP request:

- `PostAuthenticationProviderInterface` will be used
This workflow is managed by the class `AuthenticationManager`, which triggers two events:

- `AuthenticationManager::EVENT_SUCCESS`: successful authentication
- `AuthenticationManager::EVENT_FAILURE`: failed authentication
Each time a failure event occurs, the counter of failed logins is incremented. The user account can be locked for the configured period of time, and a captcha can be shown, to slow down brute-force attacks.
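The two events above are the hook a defender uses to get login attempts into an audit trail. The plugin below is an added example, not Kanboard's own code: it subscribes to `EVENT_SUCCESS` and `EVENT_FAILURE` and appends one line per attempt to a log file that a SIEM rule for repeated failures can consume. It assumes that the plugin base class exposes `on($event, $callable)`, that the failure event carries `getUsername()` and the success event `getAuthType()`, and it uses a placeholder plugin namespace and log path; check those names against the Kanboard version you run.

```php
<?php
// Added example, not part of Kanboard: audit-log plugin for authentication events.
// Assumptions: Base::on($event, $callable) exists, the failure event exposes
// getUsername(), the success event exposes getAuthType(). Namespace and log
// path are placeholders.
namespace Kanboard\Plugin\AuthAudit;

use Kanboard\Core\Plugin\Base;
use Kanboard\Core\Security\AuthenticationManager;

class Plugin extends Base
{
    // Placeholder path; the web server user must be able to append to it.
    const LOG_FILE = '/var/log/kanboard/auth.log';

    public function initialize()
    {
        $this->on(AuthenticationManager::EVENT_SUCCESS, function ($event) {
            // Assumption: the success event names the provider that accepted the login.
            $this->record('success', 'provider=' . $this->clean($event->getAuthType()));
        });

        $this->on(AuthenticationManager::EVENT_FAILURE, function ($event) {
            // Assumption: the failure event carries the submitted username.
            // Kanboard itself increments the failed-login counter that drives the
            // lockout and captcha; this line is the detection signal for the same event.
            $this->record('failure', 'username=' . $this->clean($event->getUsername()));
        });
    }

    // Strip line breaks so an attacker-controlled username cannot forge extra log lines.
    private function clean($value)
    {
        return preg_replace('/[\r\n]+/', ' ', (string) $value);
    }

    private function record($outcome, $detail)
    {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        $line = sprintf("%s auth_%s %s ip=%s\n", date('c'), $outcome, $detail, $ip);
        // LOCK_EX keeps concurrent PHP workers from interleaving their lines.
        file_put_contents(self::LOG_FILE, $line, FILE_APPEND | LOCK_EX);
    }

    public function getPluginName() { return 'AuthAudit'; }
    public function getPluginDescription() { return 'Audit log for authentication events'; }
    public function getPluginAuthor() { return 'example'; }
    public function getPluginVersion() { return '0.0.1'; }
    public function getPluginHomepage() { return 'https://example.invalid'; }
}
```

A single failure line is noise; the useful alert is a count of `auth_failure` lines per username or per `ip=` over a short window, which is exactly the condition Kanboard's own lockout responds to, so the log lets you confirm the lockout fired and see what preceded it.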
When the authentication is successful, the `AuthenticationManager` asks your driver for the user information by calling the method `getUser()`. This method must return an object that implements the User Provider Interface.

This interface abstracts the information gathered from another system. For example:
- `DatabaseUserProvider` provides information for an internal user
- `LdapUserProvider` for an LDAP user
- `ReverseProxyUserProvider` for a Reverse-Proxy user
- `GoogleUserProvider` represents a Google user
Methods for User Provider Interface:

- `isUserCreationAllowed()`: Return true to allow automatic user creation
- `getExternalIdColumn()`: Get external ID column name
- `getInternalId()`: Get internal database ID
- `getExternalId()`: Get external ID (unique ID)
- `getRole()`: Get user role
- `getUsername()`: Get username
- `getName()`: Get user full name
- `getEmail()`: Get user email address
- `getExternalGroupIds()`: Get external group IDs; group membership is synced automatically if present
- `getExtraAttributes()`: Get extra attributes to set for the user during the local sync
It's not mandatory to return a value for each method.

User information can be automatically synced with the local database:

- If `getInternalId()` returns a value, no synchronization is performed
- `getExternalId()` must return a value to sync the user
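The following is an added example, not Kanboard's own code, that ties the two previous sections together: a password authentication driver that implements the interface for login-form authentication and hands back a user provider object from `getUser()`, written so that the external-ID sync path is taken (empty `getInternalId()`, populated `getExternalId()`). It authenticates against a constructed in-memory user table; the interface names, the driver methods other than `getUser()` (`getName`, `authenticate`, `setUsername`, `setPassword`), the `register()` call mentioned afterwards, and the plugin namespace and column name are assumptions from my reading of Kanboard's source and should be checked against the interface files shipped with your version.

```php
<?php
// Added example, not part of Kanboard. Assumptions: interface names and the
// driver methods other than getUser() mirror Kanboard's source as I recall it;
// namespace, column name and user table are placeholders constructed here.
namespace Kanboard\Plugin\StaticAuth;

use Kanboard\Core\Base;
use Kanboard\Core\Security\PasswordAuthenticationProviderInterface;
use Kanboard\Core\User\UserProviderInterface;

// The object returned by getUser(): describes one user from the external system.
class StaticUserProvider implements UserProviderInterface
{
    private $record;

    public function __construct(array $record) { $this->record = $record; }

    // A user unknown to the local database may be created on first login.
    public function isUserCreationAllowed() { return true; }

    // Local column that stores the external id (placeholder name).
    public function getExternalIdColumn() { return 'static_id'; }

    // Empty on purpose: returning an internal id would skip synchronization.
    public function getInternalId() { return ''; }

    // Stable, unique id from the external system; required for the sync.
    public function getExternalId() { return $this->record['id']; }

    public function getRole() { return $this->record['role']; }
    public function getUsername() { return $this->record['username']; }
    public function getName() { return $this->record['name']; }
    public function getEmail() { return $this->record['email']; }

    // Group ids from the external system; membership is synced when present.
    public function getExternalGroupIds() { return $this->record['groups']; }

    // Nothing extra to write into the local user row.
    public function getExtraAttributes() { return array(); }
}

class StaticAuthProvider extends Base implements PasswordAuthenticationProviderInterface
{
    private $username = '';
    private $password = '';
    private $userInfo = null;

    // Constructed sample table; a real driver would query an external system.
    private static function users()
    {
        return array(
            'alice' => array(
                'id'       => 'ext-1001',
                'username' => 'alice',
                'name'     => 'Alice Example',
                'email'    => 'alice@example.invalid',
                'role'     => 'app-user',
                'groups'   => array('eng'),
                'hash'     => password_hash('example-only-password', PASSWORD_DEFAULT),
            ),
        );
    }

    public function getName() { return 'StaticAuth'; }

    public function setUsername($username) { $this->username = (string) $username; }
    public function setPassword($password) { $this->password = (string) $password; }

    public function authenticate()
    {
        $users = self::users();
        $known = isset($users[$this->username]);

        // Always run password_verify, against a dummy hash for unknown users,
        // so response time does not reveal which usernames exist.
        $hash = $known ? $users[$this->username]['hash']
                       : password_hash('dummy', PASSWORD_DEFAULT);
        $ok = password_verify($this->password, $hash) && $known;

        $this->userInfo = $ok ? new StaticUserProvider($users[$this->username]) : null;
        return $ok;
    }

    // Called by AuthenticationManager only after authenticate() returned true.
    public function getUser() { return $this->userInfo; }
}
```

To make Kanboard try this driver, a plugin's `initialize()` would register an instance with the authentication manager (in Kanboard that is, as I recall it, `$this->authenticationManager->register(new StaticAuthProvider($this->container));`). Because `getInternalId()` is empty and `getExternalId()` is set, the first successful login creates the local user row and later logins update it from the provider's values, which is the sync behaviour described above.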