Single Sign On?

[MedicineStorm]

Is it possible to do single sign-on via the PHPBB_Auth extension? It appears it was a feature at one point, but it's not clear to me how to configure it... or if the new token system rendered it "too much trouble".

I realize this has been asked before, but it appears to have been asked years ago and regarding versions that are no longer applicable. There used to be other SSO options for PHPBB -> MediaWiki, but they are way out of maintenance and no longer function with modern versions of PHPBB nor MediaWiki. Having a single cohesive site that doesn't require my users to continually enter credentials on various facets of the site would be invaluable. I'm poor, but I'm motivated to find funds to compensate any who could get that to work.

P.S. I'm also a not-entirely-hopeless coder and am willing to contribute in that way, though this is feature currently beyond my abilities alone.

[JWPlatt]

I've found SSO more of a confusing bother than a help. Also, browsers fill in the credentials for me, so I barely notice the difference.

[MedicineStorm]

My users feel the opposite. Are you saying "no that's definitely not possible in the current version"?

[cpeel]

I think this is possible with a combination of Auth_remoteuser and some code to take the PHP session cookie and look up the user. It's not immediately clear to me how this fits into this extension but I'm still thinking about it.

[cpeel]

Basically what you want is to download the Auth_remoteuser extension and add this to your LocalSettings.php file. I got this to work on my MediaWiki (1.35) and phpBB (3.3.3) but I want to be clear that this code comes with major caveats:

• This doesn't enforce valid MediaWiki usernames! It makes sure the first letter is uppercase and that's it. The MediaWiki_PHPBB_Auth extension provides more robust ways of ensuring valid usernames.
• This code blindly accepts any valid phpBB session ID cookie that maps to a user in the database. It doesn't do any of the advanced checks that phpBB does on top of this.

// This script doesn't enforce valid MediaWiki usernames!
wfLoadExtension( 'Auth_remoteuser' );
$wgAuthRemoteuserUserName = function() {
    // customize these to fit your system
    $db_hostname = $GLOBALS['wgDBserver'];
    $db_username = $GLOBALS['wgDBuser'];
    $db_password = $GLOBALS['wgDBpassword'];
    $db_name = $GLOBALS['wgDBname'];
    $php_cookie_name = "phpbb_something"; // From cookie settings in the ACP

    $conn = new \mysqli($db_hostname, $db_username, $db_password, $db_name);
    $statement = $conn->prepare("
        SELECT username
        FROM phpbb_users, phpbb_sessions
        WHERE phpbb_sessions.session_user_id = phpbb_users.user_id
            AND phpbb_sessions.session_id = ?
    ");
    $statement->bind_param('s', $_COOKIE["${php_cookie_name}_sid"]);
    $statement->execute();
    $statement->bind_result($username);

    if ($statement->fetch()) {
        return ucfirst($username);
    } else {
        return null;
    }
};

I don't think the above "single sign-in" method fits into the MediaWiki_PHPBB_Auth easily. All of the current code is structured around the PluggableAuth extension and it would be a fair amount of work to decouple it enough to work with both extensions. Maybe I'll have some brilliant idea about a clean abstraction over the next couple of days.

[MedicineStorm]

Oh, nice. That is certainly a place to start. Thank you. I much prefer the security and group access features of this extension, but perhaps I'll be able to hack together a decent hybrid. Please let me know if you do get slapped by a muse about this, though. :)

[cpeel]

I don't see how we can cleanly support both modes without making two extensions in one. I see there's also been some feedback from the maintainer of https://github.com/multidimension-al/phpbbauth so perhaps they'll get that one fixed for you.