|
The technical forum of the NBN Trust for use by the Network. It includes discussions and announcements on the NBN Atlas, Recorder 6 and Indicia |
You are not logged in. Please login or register.
Forum → Indicia Development → User authentication
Hi,
I want to build a very simple data-entry page, but with user authentication. For this I need to know tow thinks:
- How to check if a user is allowed to access the page? Meas if the user has at least the role user on a website and the password is correct
- How to send the user together with the entered data? In the tutorial all entries are associated to the "admin" user
I don't want my entry page to be integrated in a cms like drupal or joomla.
Regards
Daniel
Hi Daniel
Sorry for the late reply, it is a bit difficult to find time to fit everything in! First thing I would say is that in the UK we are generally using a content management system such as Drupal to provide user authorisation on the client website, and as Indicia is designed to fit into another existing website or CMS providing user authentication as part of the framework has not been a priority. Having said that it would still be useful to have a method of authenticating a user login against the Warehouse. This should use the same digest authentication method as the website login to the web services.
Once you have a user logged in, you should be able to put hidden inputs into your form e.g. sample:created_by_id and occurrence:created_by_id if you are posting a single record in the sample. If you are using the species_checklist then you will need to modify data_entry_helper::wrap_species_checklist so that it treats occurrence:created_by_id in the same way as the record status, and uses the single value for all the occurrence records. If you do this then please submit a patch.
Best Wishes
Hi,
first a happy new year.
Do I understand it right, that even if I use a cms I have to maintain the users twice: in the cms and in indicia?
The reason not to use a cms was that this should be just a prototype to see if indica fits, so if it will be less work with user maintaining I have problem using a cms.
Regards
Daniel
Hi Daniel
Indicia does not try to impose how you approach these things on you so if you wanted to duplicate accounts then it could be done, though it would help to build a "bridge" module between the Cms and Indicia. But in the projects I have worked on we add a custom attribute called CMS User ID to the sample data and store the ID of the user in the CMS in that field. In fact the created_by fields are only then used to track changed made in the Warehouse itself and are less relevant.
In the only non-CMS based project I have worked on, we simply let the user enter their name against each record as a custom attribute, though this approach is OK for data entry but not so good if the user needs to re-access their own data.
I do agree though - there is a need firslty for clear guidance on the possible approaches to associating records with users with information on the pitfalls of each. Also it would be great to have a bridging module in Drupal (or any other CMS) which synchronises the logins. Finally for the non-CMS method there should be a login helper class which has controls for user registration and login authentication against the Indicia users list. I'll put these notes into the issues list.
Hi Don
I think you can safely assume I will check any patches you submit, but would also be grateful for anyone with the time to review any changes as they arrive at http://code.google.com/p/indicia/source/list.
Daniel, if you are still following this thread, Don has now contributed a very handy user login and forgotten password control to the Indicia code. This will be released in v0.6 but is already available in the SVN trunk. User registration will follow at some point.
Hi
Just for info, I am looking in to the possibility of a mobile application for submitting records to an Indicia warehouse. As every mobile user would have to authenticate to submit a record this is highly relevant and a user registration service would be essential.
Since a mobile app would just be an alternative interface to a survey and there would likely be a website too, using the Indicia warehouse for user tracking would be much better than a CMS User ID.
Jim Bacon
Hi Don
I was definitely thinking in terms of direct communication with the warehouse. What is it that makes you think an intermediate website would be needed? I wonder how you are seeing a user registration service working.
Presumably a user registration service would allow me to exchange a name and password with the warehouse and to indicate for which website I want to be a user. And I guess that would mean using https.I'm wondering if all users are automatically accepted. And I'm wondering if we should watch the pattern of record submissions from users to ensure that they are behaving like humans.
Jim
Hi Don
Thanks, this is very useful for clarifying my understanding.
I was thinking that we could abstract the idea of website so, although it might be an umbrella for surveys, it might not necessarily require a website to exist for samples to be recorded.
I realized that distributing a website id and password to many mobile devices would be insecure and, therefore, I thought that each device (user) would have to have a unique id and password.
Since known users can log in to the warehouse website, I could imagine known users being authenticated to access web services. In fact I thought that was what you were doing. Having taken a look at your (beautifully written) code, I can see now that you are using the existing website authentication to access user information on the warehouse.
So, yes, an intermediate website could well be simpler.
Jim
Hi all,
I was also thinking about some mobile device for data entry and just bumped into this thread. At the moment, I have a prototype for an Android App, which allows the collection of data. All data is pushed onto my private website via HTTP POSTs (on a couchdb).
Question: if I understood the conversation correctly, I cannot (or shouldn't) push the data directly into the indicia warehouse (since the App would need the full context about the survey and the website), but store it on my website and then propagate it into the indicia warehouse.
Is this correct?
What do you think would be the ideal setup for such a site: e.g. a public site based on drupal et al to offer access to the data. And an additional (invisible) site that simply queues the entries from mobile devices (and does all the user specific authentication) and pushes them into the warehouse (providing the needed context like website and survey).
Does this make sense?
thanks and regards
markus
p.s. where can I find an example for the usage of the data-services - particularly useful would be an example of an HTTP POST or PUT.
Jim is correct in saying that a website is a rather loose term. Effectively in our context it is a data custodianship tag - which is normally associated with a physical website but not necessarily. Each "website" contains a collection of surveys and also can have ownership of things like custom attributes and species lists.
One model is for the mobile device app to play the role of both the user interface and the "website" and therefore communicate directly with the Warehouse. Although we use digest authentication to ensure that the website ID and password don't get passed around Don is right in pointing out that the website ID and password would have to be configured somehow within the mobile app and there is an element of danger in this. Though perhaps it could be embedded in the app somehow so the user does not need to know it - meaning that each website would effectively have to publish its own app on the app store/market/world.
Don's idea is to present a proxy on the website itself. This is a web address which would receive requests from the mobile apps and attach the website ID and password digest tokens to it, making the request acceptable to the warehouse. The proxy sends the modified request to the warehouse and forwards the response back to the caller. This means the website ID and password tokens don't go in the mobile app at any point, but it does also mean that this URL gives free access to the webservices since it would merrily attach authentication details to any request from anywhere and send them on to the Warehouse!
A possible solution to this problem is to expect the user to login to something first and make the proxy aware of this authentication system. This means it would be able to reject requests from any unauthorised users. In fact, the Drupal modules for Indicia already include a sub-module called iform_ajaxproxy which does exactly this - it sends requests from Ajax code running on web pages for logged in Drupal users on to the Warehouse and attaches authentication tokens, so the Ajax code can be completely separated from the authentication process.
Markus, your best bet for examples of using the data services is to look at the PHP code in the client_helpers folder. In particular the data_entry_helper.php file contains a get_population_data method, used to do simple things like fill a select control with the results of a data services call. For posting the data, look for the forward_post_to method.
Hi All,
Various thoughts.
My requirement was super simple: "To be able to submit records to an Indicia survey from a mobile device."
I took it for granted that if there were a client website and a mobile app submitting data to a survey there would be cooperation designed in so there would be not be the kind of problems you describe, Don. We can make that a requirement. That does imply that a generic solution would have to submit via a client website.
As John points out, the mobile device really needs to authenticate itself in some way, even if it is submitting via a client website. Moreover I think each mobile device needs a unique login and I think the only way to secure this is with https. I played with that once, a long while ago, and I recall it being pretty simple but there is usually a fee to be paid for a certificate.
The way I can see it working is that the mobile user authenticates with the warehouse via https and is returned a token. This token is then included in a submission to a client website. The client website can check the token is valid with the warehouse and process it if it found to be so. A couple of upshots of doing it this way are that
- only warehouses need certificates, not client websites,
- the warehouse remains in control of its own security and does not depend on client websites,
- the mobile device could use the same login for multiple client websites (and OpenID comes back to mind if this is to be possible across multiple warehouses)
- records can be tied to an Indicia warehouse user however submitted.
For Markus's information, I have my eyes on an existing mobile application called EpiCollect. This creates forms on a mobile device from an xml description. I can imagine a Drupal module that generates the xml automatically from the same information that the dynamic form retrieves from the warehouse.
Jim
thanks for the fast replies,
I guess that for my use-case I will first check, if I can use the Indicia Drupal modules to have the following:
- access by the same users via the website and mobile devices
- have authorizations done at a unique place
I'll check out the php-modules John pointed out above and see if I get it running. In a next step I'll probably
put all that behind an https proxy to avoid sending plain text passwords.
thanks a lot
Markus
Jim/Don,
Have you considered using digest authentication which removes the need for https? In this, the client hashes the password in combination with a public key and a token sent by the warehouse. The hash is sent to the warehouse with requests and compared with a hash generated on the warehouse from the same data. This way the password is never sent and even if you intercept a hash token (called a nonce) it can only be used once so becomes useless straight away.
This is how the client websites authenticate their website ID and password onto the Warehouse.
John
Point taken, I hadn't thought about the dependency on not salting the password. So as far as I understand it, the ideal is https and digest authentication would be a second option where https is not available though it is less secure because of password storage been not salted. Therefore they are not compatible so we can't easily turn switch between the 2 methods with an option.
As I've mentioned before Don, rather than try to think through these issues too hard and get something wrong I'd prefer to look for established design patterns to handle the security. This way there is far less chance of us making a mistake.
Threat analysis has only been an informal discussion of the appropriate level of security. We are aware that this is not an industrial strength banking application, but we are also aware that there can be sensitive data stored in the database and that some projects could be quite high profile so being subject to "record spam" would not be a good thing. But if we can find good design patterns for authentication and stick to those, the burden on the project should not be very high.
Hi
I didn't follow that bit where John says "Consider digest authentication...this is how client websites authenticate." and then Don says "I don't see that we can use it."
Is the explanation that user passwords are stored differently from website passwords? Is it also true that the method of salting passwords on the server cannot be duplicated on the client?
Whatever the case, the problem I see is that you require a shared secret and, if you want to create a new user from a new instance of a client application, that does not exist.
Jim
Website passwords are not salted because this allows the digest authentication to work - as we did not want to pass the website passwords with requests over non-encrypted http. Though I guess they should probably be encrypted.
Hi
If we needed https to establish recording from mobile devices, it would make a good case for us to buy a security certificate. It is very variable but around £100 a year is the kind of cost.
I started trying to summarise our discussion and ended up grappling with a separate question really which was, "How and where do we manage website users?" The reason I ended up asking that question was because I was trying to figure out what creating a new user from a mobile application would mean.
If a user has a login to a client website and then acquires a mobile application for submitting records via that client website then a shared secret does exist and you can use digest authentication. You can't create a new user from the mobile application but is that a bad thing? It doesn't feel bad and it sounds simpler.
This means the mobile device would be authenticating against the client website, not the warehouse, so the client website has to provide that service. A Drupal services module exists for this very purpose and libraries for application developers to connect to the service.
That doesn't help the non-Drupal users but a variation of the warehouse authentication service could be added to the client helpers I suppose.
I feel like I've almost gone round in a circle. Does this make any sense?
Jim
Yes it makes sense. But, bear in mind recent discussions on the fact that users ought to be authenticating on the warehouse when submitting records. This is because we can then allow cross-discipline recording, e.g. 1 user can submit records to multiple schemes and still keep track of all their records. My recent thinking is that this could be quite important. But if the user creates a login on the client website, does it make any difference if the authentication provider is running on the warehouse? You may not be aware but Don has already written a helper for adding login and forgotten password controls to a client website which uses the warehouse to authenticate. User registration is not done yet though.
Hi
Don, at present we are creating Drupal-based client websites where user data and credentials are managed by Drupal. The warehouse has no knowledge of the users so could not authenticate them. That is what led me to that previous line of thinking.
I can see there is a bright new future where users are managed by the warehouse and creating a new user on a client-website creates a new user on the warehouse (or links to an existing warehouse user).
Once this is the case, the warehouse shares the user's secret and, so long as it is encrypted rather than salted on the warehouse, I can imagine a central user digest authentication service would be possible.
Is the following reasonable?
1. Mobile application sends username to warehouse.
2. Warehouse sends nonce to mobile application.
3. Mobile application sends data, username, nonce, and auth_token to client website.
4. Client website may processes data based on username (e.g. mark record as verified if it comes from an expert) but does not trust it.
5. Client website forwards data, nonce and auth_token to warehouse.
6. Warehouse responds with success or failure to client website.
7. Client website may further process data now it has been authenticated.
8. Client website responds with success or failure to mobile application.
How do you think OpenID could fit in? It has been used successfullly by iSpot which is a Drupal site.
Jim
In your suggested steps, the "client website" is effectively just a proxy script sitting on the website that forwards requests but also allows some level of data manipulation. I can see the value of this, but also perhaps the option of direct communication with the warehouse when manipulation is not required. This would save a hop and make things a bit more performant.
As you know I had written some thoughts on adopting OpenId in Indicia recently though they don't encompass a thorough thinking through of how this fits with secure submissions, digest vs https etc. To open this up for discussion I am pasting them here:
Common authentication in Indicia
When Indicia is running with multiple websites on a single warehouse, there are many potential benefits to cross site reporting and analysis which come from the data being held on a single database. For example, if websites are set up with a regional focus, verifiers can log in to the database with a species group focus and view the relevant data no matter which website the data was sourced from. Users could also view reports on all their own data, but only if there is a mechanism for recognising a single user across all the websites. In fact having the ability to uniquely identify a person across other Warehouses, the NBN Gateway and other biodiversity information systems such as Recorder could bring benefits in communication across the wider network. Obviously a name or username is not sufficient for unique identification and a user may have several emails, so that is also not sufficient without further guidance.
User Registration on Drupal
Website owners would need to enable the Open ID module in Drupal. In addition it is suggested that they install the Libraries & OpenId Selector modules since the default OpenID implementation in Drupal is quite clunky. The OpenID autoregistration module is an alternative that makes OpenID registration simpler. Note that OpenID Selector is the same library that is used on ISpot so this would give some consistency.
If OpenID is enabled on a Drupal installation with an existing user base, those users need to assign one or more OpenIDs to their account before they can log in using an OpenID. This is accomplished by each user editing their OpenID identity under their user profile. Attempting to login with an OpenID that is not yet linked can easily lead to the creation of a new user if error messages aren't read or understood - and can be confusing to exiting users.
User Registration on the Warehouse
When logging into the Warehouse for the first time, the OpenID Selector JavaScript library can be used to allow the user to enter their OpenID URL. This would let them create a User record though the user would initially have no access to the Warehouse until explicitly granted by an administrator.
There would be a new table for storing Open ID authentications, user_auths. This would contain the User’s Warehouse ID and the associated Open ID.
As for Drupal, if the existing user base wants to start using OpenID then they would need to add their OpenID authentication(s) to their own user profile.
Saving Data
1) The authmap table can be used to get the current user’s OpenID URLs in Drupal. These can be sent in the submission (perhaps using metafields).
2) When a submission is received containing Open ID authentication, the authentication is used to lookup the Warehouse user. If the Warehouse user exists, then their user ID is stored in the created_by_id and other metadata fields for the submitted records. If the Warehouse user does not exist then a stub user record is created in the Warehouse and the OpenID authentication is saved in the user_auths table. The response from the Warehouse includes a token requesting that the user’s login is updated. This would cause the iform module to send the user’s Drupal profile to the Warehouse to be stored in the Warehouse user record. The user would not be aware of this.
On this same topic, I've added a Wiki page that overviews the different setups possible for user authentication on client websites at http://code.google.com/p/indicia/wiki/U … tification. It is not complete, mainly because Indicia does not yet have the user registration control or OpenId capabilities, but gives us something to work from.
Hi
Several years on but, just in case anyone finds their way to this thread, I thought it worth adding that there is now a Drupal module in the Indicia repository, iform_mobile_auth, that creates an interface to allow a mobile app to post records to a warehouse via a Drupal site.
Jim Bacon.
Forum → Indicia Development → User authentication
Powered by PunBB 1.4.6, supported by Informer Technologies, Inc.