This is a sample authentication plugin showing how a MantisBT authentication plugin can implement its own authentication and control authentication related flags on a per user basis.
The authentication mechanism implemented by this plugin works as follows:
- If user is administrator, use standard authentication.
- If user is not registered in the db, user standard behavior.
- Otherwise, auto-signin the user without a password.
Users that are auto-signed in, can't manage or use passwords that are stored in the MantisBT database.
The plugin can be easily modified to redirect to an identity provider and validate the token returned or validate a username and password against a database or LDAP.
The authentication flags events enables the plugin to control MantisBT core authentication behavior on a per user basis. Plugins can also show their own pages to accept credentials from the user.
password_managed_elsewhere_messagemessage to show in MantisBT UI to indicate that password is managed externally. If left blank or not set, the default message will be used.
can_use_standard_logintrue then standard password form and validation is used, false: otherwise.
login_pageCustom login page to use.
credential_apgeThe page to show to ask the user for their credential.
logout_pageCustom logout page to use.
logout_redirect_pagePage to redirect to after user is logged out.
session_lifetimeDefault session lifetime in seconds or 0 for browser session.
perm_session_enabledFlag indicating whether remember me functionality is enabled (ON/OFF).
perm_session_lifetimeLifetime of session when user selected the remember me option.
reauthentication_enabledA flag indicating whether reauthentication is enabled (ON/OFF).
reauthentication_expiryThe timeout to require re-authentication. This is only applicable if
reauthentication_enabledis set to ON.
If a flag is not returned by the plugin, the default value will be used based on MantisBT core configuration.
The plugin will get a user id and username within an associative array. The flags returned are in context of such user. If user is not in db, then user_id will be 0, but username will be what the user typed in the first login page that asks for username.
If plugin doesn't want to handle a specific user, it should return null. Otherwise, it should
AuthFlags with the overriden settings.
Native Login Page for Username
Native Credentials Page for Password (skipped for non-administrators)
User My Account Page
MantisBT v2.3.0-dev once auth plugin support is added.