phpBB as an Identity Provider

phpBB as an Identity Provider

Post by Ectoman »

I am looking to move away from using phpBB's DB as an authenticator and instead use Keycloak as a centralized login system for all my various web apps (phpBB, MediaWiki, WordPress, Piwigo). Currently my setup uses the phpBB system for everything and checks back into the phpBB code to see if a user is logged in or not. This works, of course, but I want to have a more robust single sign-on system that can work independently from everything else. Forcing the other apps to also load the phpBB code base for authentication is very heavy.

The obvious solution is to use a phpBB extension or the LDAP authentication provider as a way to get logins from Keycloak. That won't be a problem, I am hoping.

What I am looking at, however, is how to get the users from phpBB to the Keycloak login system. I am sure I will be able to copy the users manually from the database into the Keycloak database. However, it appears there is another way to accomplish this, and that is using phpBB as an Identity Provider (IdP). The main idea being that if a user tries to log in to Keycloak and the user is not found, it then delegates to the next provider to look for login credentials.

I believe an extension could be developed that allows phpBB to check if a user exists and their password is valid and then return that confirmation to Keycloak. That way, if the user is not yet in the Keycloak database, it would move them over and then take over the authentication the next time the user tries to log in.

Has anyone ever tried to use phpBB to provide identities using LDAP, SAML, JWT or others? Would this be an extension that others would be interested in?

I imagine the workflow would look like this:
  1. phpBB relies on Keycloak through OpenID Connect or LDAP for authentication.
  2. Keycloak handles authentication and stores the user's main login data.
  3. If the user does not exist in Keycloak, it checks the phpBB database for the user as a delegated provider.
  4. If the user exists in phpBB, it moves the user to Keycloak.
  5. If the user does not exist in phpBB, it creates the user in Keycloak and then creates a user in phpBB.

Basically, the reason why I think this approach may be better than manually copying the database is that I have a rather old forum (19 years old). Some users have md5 password hashes, some have bcrypt and some have password_hash (argon). phpBB is very well equipped at recognizing the password hash and ensuring the correct hash script is used. I am not sure if the process will be as straightforward as importing into Keycloak, as I am not absolutely sure if I can assign hashing types on a user-by-user basis.

The extension would leverage phpBB's built-in functions to check if the user exists and has the correct password, and then return a valid login response, no user found, or an error (wrong password). I imagine it wouldn't be overly complicated but would need to operate with security in mind to prevent bots from having an easy way to try and crack passwords, of course.
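The hash-dispatch step the post leans on, as an added example (not from the original posts, and not phpBB's or Keycloak's own code): a PHP verifier that classifies each stored hash by its prefix, checks the password with the matching algorithm, and returns the three outcomes a delegated provider needs (valid, wrong password, no such user), plus a flag saying the legacy hash should be replaced now that the cleartext is known. The `$H$` routine follows the phpass portable hash that phpBB 3.0 used; bcrypt and Argon2 go through PHP's own `password_verify()`. The user table, usernames and passwords are constructed for the example, the `$H$` setting `$H$9abcdefgh` is made up, and the `check_login()` / `detect_hash_type()` names are this example's, not phpBB's. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not phpBB or Keycloak code): verify a login against a
// phpBB-style user table whose password column mixes hash generations.

const ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

// Base64 variant used by phpass portable hashes (phpBB 3.0's "$H$" prefix).
function phpass_encode64(string $input, int $count): string
{
    $itoa64 = ITOA64;
    $output = '';
    $i = 0;
    do {
        $value = ord($input[$i++]);
        $output .= $itoa64[$value & 0x3f];
        if ($i < $count) $value |= ord($input[$i]) << 8;
        $output .= $itoa64[($value >> 6) & 0x3f];
        if ($i++ >= $count) break;
        if ($i < $count) $value |= ord($input[$i]) << 16;
        $output .= $itoa64[($value >> 12) & 0x3f];
        if ($i++ >= $count) break;
        $output .= $itoa64[($value >> 18) & 0x3f];
    } while ($i < $count);
    return $output;
}

// Recompute a phpass portable hash from its setting (prefix, cost char, 8-byte salt).
// Returns null for a malformed setting so the caller fails closed.
function phpass_crypt(string $password, string $setting): ?string
{
    $count_log2 = strlen($setting) >= 12 ? strpos(ITOA64, $setting[3]) : false;
    if (!in_array(substr($setting, 0, 3), ['$H$', '$P$'], true)
        || $count_log2 === false || $count_log2 < 7 || $count_log2 > 30) {
        return null;
    }
    $hash = md5(substr($setting, 4, 8) . $password, true);   // md5(salt . password), raw
    for ($count = 1 << $count_log2; $count > 0; $count--) {
        $hash = md5($hash . $password, true);                // iterate 2^count_log2 times
    }
    return substr($setting, 0, 12) . phpass_encode64($hash, 16);
}

// Classify a stored hash by prefix, the way phpBB's password manager does.
function detect_hash_type(string $hash): string
{
    foreach (['$2y$' => 'bcrypt', '$argon2i$' => 'argon2', '$argon2id$' => 'argon2',
              '$H$' => 'phpass', '$P$' => 'phpass'] as $prefix => $type) {
        if (str_starts_with($hash, $prefix)) {
            return $type;
        }
    }
    return preg_match('/^[0-9a-f]{32}$/', $hash) === 1 ? 'md5' : 'unknown'; // phpBB2-era unsalted md5
}

function verify_password(string $password, string $hash): bool
{
    return match (detect_hash_type($hash)) {
        'bcrypt', 'argon2' => password_verify($password, $hash),
        'phpass' => ($c = phpass_crypt($password, $hash)) !== null && hash_equals($hash, $c),
        'md5' => hash_equals($hash, md5($password)),
        default => false,   // unrecognised format: fail closed
    };
}

// Outcome a Keycloak user-storage provider can map onto its own
// "user not found" / "invalid credentials" / "valid" results.
function check_login(array $users, string $username, string $password): array
{
    $key = strtolower($username);   // stands in for phpBB's username_clean
    if (!isset($users[$key])) {
        return ['status' => 'no_user'];
    }
    $hash = $users[$key]['user_password'];
    if (!verify_password($password, $hash)) {
        return ['status' => 'bad_password'];
    }
    return [
        'status'       => 'ok',
        'user_id'      => $users[$key]['user_id'],
        // md5 and phpass entries should be re-hashed once the cleartext is known.
        'needs_rehash' => in_array(detect_hash_type($hash), ['md5', 'phpass'], true),
    ];
}

// Constructed sample table: one hash generation per user (not real forum data).
$users = [
    'alice' => ['user_id' => 2, 'user_password' => '5f4dcc3b5aa765d61d8327deb882cf99'],  // md5("password")
    'bob'   => ['user_id' => 3, 'user_password' => phpass_crypt('hunter2', '$H$9abcdefgh')],
    'carol' => ['user_id' => 4, 'user_password' => password_hash('correct horse', PASSWORD_BCRYPT)],
];

foreach ([['alice', 'password'], ['bob', 'hunter2'], ['carol', 'wrong'], ['dave', 'x']] as [$u, $p]) {
    echo $u, ': ', json_encode(check_login($users, $u, $p)), PHP_EOL;
}
```

This covers only the credential check. Whatever HTTP endpoint exposes `check_login()` to Keycloak has to authenticate Keycloak itself (a shared secret or mTLS) and throttle attempts per account and per source, since an unthrottled "is this password right?" endpoint is exactly the oracle the post worries about. The distinct `no_user` / `bad_password` results are there for the migration logic; the login page Keycloak shows the end user can still present a single generic error.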
Re: phpBB as an Identity Provider

Post by MarkDHamill »

Do you really need the ability to see if you are logged in to Keycloak? Or is it sufficient for a provider to assert that the user's credentials are valid on Keycloak?

If the latter, and if Keycloak has the ability to act as an OAuth authorizer, an extension could be written to check Keycloak using OAuth and, if it authorizes, allow the phpBB login to succeed.
Re: phpBB as an Identity Provider

Post by Ectoman »

Yes, I believe either OAuth, OIDC or SAML could be leveraged as an authenticator.

The main thing would be migrating user data to Keycloak, which I believe can be done through a federation plugin.

I'm at a skeleton stage with an extension for phpBB as an IdP, but also for an external login via SAML. Both of these could be used in Keycloak or (possibly) any of the popular login systems.
Re: phpBB as an Identity Provider

Post by serek »

I think you should definitely forget about your concept. Stick to Keycloak. If you browse GitHub you will find all the required hashes as extensions to Keycloak, and Keycloak will properly recognise them as phpBB does. I am not sure about keeping MD5 though, as it is inherently insecure, and it will be a good opportunity for you to request a forced password change from these users.