
Best approach for custom Authentication

#1
Hello all,

I'm migrating a phpBB3 forum to XenForo. The phpBB3 forum uses an external login page to sign the user in. It works somewhat like this:
- User clicks "login" and gets redirected to a portal to provide his credentials.
- If the credentials are valid the user is redirected back to forums authenticate.php passing along a sessionTicket.
- The sessionTicket is validated using an external API call. If it's valid, an account is either created or the user gets logged in.

I came across the Kotomi script, as well as the REST XenForo API, and understand how they work. I was just wondering: is there a better approach to this? Are there hooks in place? Controllers I can extend to do it more gracefully in a XenForo-accepted way, perhaps through an add-on?

Any pointers would be much appreciated, as the amount of features available on this forum system is very overwhelming due to the lack of clear documentation.

Lennard
 

tyteen4a03

Well-known member
#2
I'm confused - is the actual user table accessible by you, or by APIs like OAuth only?
 
#3
When validating the sessionTicket, the API responds with a special key, which I can use in another API call to request user information, on the basis of which I can either create an internal forum account or log in an existing one.

EDIT: It's not OAuth or whatever, it's a very simplistic in-house system which does exactly as I described: tell you - by validating the received sessionTicket with an API call - which user logged in.
 
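The callback side of the flow described in posts #1 and #3, as an added example (not code from the thread, from XenForo, or from the in-house portal). The function name, the two injected callables standing in for the portal's API calls, the ticket format, and the response fields `id` and `name` are all assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical handler for the redirect back to authenticate.php.
// $validateTicket and $fetchUser stand in for the two in-house API calls;
// their argument and return shapes are assumptions, not the real API.
function handleSsoCallback(array $query, callable $validateTicket, callable $fetchUser, array &$accounts): array
{
    $ticket = $query['sessionTicket'] ?? '';
    // The ticket arrives through the browser, so it is untrusted input: reject
    // arrays and bound length and character set (assumed format) before use.
    if (!is_string($ticket) || !preg_match('/\A[A-Za-z0-9_-]{16,128}\z/', $ticket)) {
        return ['ok' => false, 'reason' => 'malformed ticket'];
    }

    // Server-to-server validation: only this response decides who logged in.
    $key = $validateTicket($ticket);
    if (!is_string($key) || $key === '') {
        return ['ok' => false, 'reason' => 'ticket rejected'];
    }

    // Second API call: exchange the key for the user's profile.
    $profile = $fetchUser($key);
    $externalId = is_array($profile) ? ($profile['id'] ?? null) : null;
    if (!is_string($externalId) || $externalId === '') {
        return ['ok' => false, 'reason' => 'no stable user id'];
    }

    // Map accounts on the portal's stable id, never on a display name, so a
    // portal user cannot take over an existing forum account by renaming.
    $created = !isset($accounts[$externalId]);
    if ($created) {
        $accounts[$externalId] = [
            'forum_user_id' => count($accounts) + 1,
            'name' => (string)($profile['name'] ?? ''),
        ];
    }
    return ['ok' => true, 'created' => $created, 'forum_user_id' => $accounts[$externalId]['forum_user_id']];
}

// Constructed demo: stub API calls and three constructed tickets.
$validate = fn(string $t): ?string => $t === 'constructedTicket_0123456789' ? 'key-abc' : null;
$fetch = fn(string $k): array => ['id' => 'portal-42', 'name' => 'lennard'];
$accounts = [];
foreach (['constructedTicket_0123456789', 'forgedTicket_0000000000', '<script>'] as $t) {
    echo json_encode(handleSsoCallback(['sessionTicket' => $t], $validate, $fetch, $accounts)), PHP_EOL;
}
```

Creating the actual forum session after a successful result is left to the forum software's own login path.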