Kanboard provides a flexible and pluggable authentication architecture.
By default, user authentication can be done with multiple methods:
- Username and password authentication (Local database and LDAP)
- OAuth2 authentication
- Reverse-Proxy authentication
- Cookie based authentication (Remember Me)
More over, after a successful authentication, a Two-Factor post authentication can be done. Kanboard supports natively the TOTP standard.
To have a pluggable system, authentication drivers must implement a set of interfaces:
Interface | Role |
---|---|
AuthenticationProviderInterface | Base interface for other authentication interfaces |
PreAuthenticationProviderInterface | The user is already authenticated when reaching the application, web servers usually define some environment variables |
PasswordAuthenticationProviderInterface | Authentication methods that uses the username and password provided in the login form |
OAuthAuthenticationProviderInterface | OAuth2 providers |
PostAuthenticationProviderInterface | Two-Factor auhentication drivers, ask for confirmation code |
SessionCheckProviderInterface | Providers that are able to check if the user session is valid |
- The default Database method implements
PasswordAuthenticationProviderInterface
andSessionCheckProviderInterface
- The Reverse-Proxy method implements
PreAuthenticationProviderInterface
andSessionCheckProviderInterface
- The Google method implements
OAuthAuthenticationProviderInterface
- The LDAP method implements
PasswordAuthenticationProviderInterface
- The RememberMe cookie method implements
PreAuthenticationProviderInterface
- The Two-Factor TOTP method implements
PostAuthenticationProviderInterface
For each HTTP request:
- If the user session is already open, execute registered providers
that implements
SessionCheckProviderInterface
- Execute all providers that implements
PreAuthenticationProviderInterface
- If the end-user submit the login form, providers that implements
PasswordAuthenticationProviderInterface
are executed - If the end-user wants to use OAuth2, the selected provider will be executed
- After a successful authentication, the last registered
PostAuthenticationProviderInterface
will be used - Synchronize user information if necessary
This workflow is managed by the class
Kanboard\Core\Security\AuthenticationManager
.
Events triggered:
AuthenticationManager::EVENT_SUCCESS
: Successful authenticationAuthenticationManager::EVENT_FAILURE
: Failed authentication
Each time a failure event occurs, the counter of failed logins is incremented.
The user account can be locked down for the configured period of time and a captcha can be shown to avoid brute force attacks.
When the authentication is successful, the AuthenticationManager
will ask the user information to your driver by calling the method
getUser()
. This method must return an object that implements the
interface Kanboard\Core\User\UserProviderInterface
.
This class abstract the information gathered from another system.
Examples:
DatabaseUserProvider
provides information for an internal userLdapUserProvider
for a LDAP userReverseProxyUserProvider
for a Reverse-Proxy userGoogleUserProvider
represents a Google user
Methods for User Provider Interface:
isUserCreationAllowed()
: Return true to allow automatic user creationgetExternalIdColumn()
: Get external id column name (google_id, github_id, gitlab_id…)getInternalId()
: Get internal database idgetExternalId()
: Get external id (Unique id)getRole()
: Get user rolegetUsername()
: Get usernamegetName()
: Get user full namegetEmail()
: Get user email addressgetExternalGroupIds()
: Get external group ids, automatically sync group membership if presentgetExtraAttributes()
: Get extra attributes to set for the user during the local sync
It’s not mandatory to return a value for each method.
User information can be automatically synced with the local database.
- If the method
getInternalId()
return a value no synchronization is performed - The methods
getExternalIdColumn()
andgetExternalId()
must return a value to sync the user - Properties that returns an empty string won’t be synced