MediaWiki  master
MediaWiki\Auth\SecondaryAuthenticationProvider Interface Reference

A secondary authentication provider performs additional authentication steps after a PrimaryAuthenticationProvider has done its thing.


Public Member Functions

 autoCreatedAccount ($user, $source)
 Post-auto-creation callback.
 
 beginSecondaryAccountCreation ($user, $creator, array $reqs)
 Start an account creation flow.
 
 beginSecondaryAuthentication ($user, array $reqs)
 Start an authentication flow.
 
 continueSecondaryAccountCreation ($user, $creator, array $reqs)
 Continue an account creation flow.
 
 continueSecondaryAuthentication ($user, array $reqs)
 Continue an authentication flow.
 
 postAccountCreation ($user, $creator, AuthenticationResponse $response)
 Post-creation callback.
 
 postAuthentication ($user, AuthenticationResponse $response)
 Post-login callback.
 
 providerAllowsAuthenticationDataChange (AuthenticationRequest $req, $checkData=true)
 Validate a change of authentication data (e.g. passwords).
 
 providerAllowsPropertyChange ($property)
 Determine whether a property can change.
 
 providerChangeAuthenticationData (AuthenticationRequest $req)
 Change or remove authentication data (e.g. passwords).
 
 providerRevokeAccessForUser ($username)
 Revoke the user's credentials.
 
 testForAccountCreation ($user, $creator, array $reqs)
 Determine whether an account creation may begin.
 
 testUserForCreation ($user, $autocreate, array $options=[])
 Determine whether an account may be created.
 
Public Member Functions inherited from MediaWiki\Auth\AuthenticationProvider
 getAuthenticationRequests ($action, array $options)
 Return the applicable list of AuthenticationRequests.
 
 getUniqueId ()
 Return a unique identifier for this instance.
 
 setConfig (Config $config)
 Set configuration.
 
 setManager (AuthManager $manager)
 Set AuthManager.
 

Detailed Description

A secondary authentication provider performs additional authentication steps after a PrimaryAuthenticationProvider has done its thing.

A SecondaryAuthenticationProvider is used to perform arbitrary checks on an authentication request after the user itself has been authenticated. For example, it might implement a password reset, request the second factor for two-factor auth, or prevent the login if the account is blocked.

Since
1.27

Definition at line 41 of file SecondaryAuthenticationProvider.php.

Member Function Documentation

MediaWiki\Auth\SecondaryAuthenticationProvider::autoCreatedAccount ( $user, $source )

Post-auto-creation callback.

Parameters
  • User $user: User being created (has been added to the database now). This may become a "UserValue" in the future, or User may be refactored into such.
  • string $source: The source of the auto-creation passed to AuthManager::autoCreateUser().

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAccountCreation ( $user, $creator, array $reqs )

Start an account creation flow.

Parameters
  • User $user: User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such.
  • User $creator: User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationRequest[] $reqs
Returns
AuthenticationResponse Expected responses:
  • PASS: The user creation is ok. Additional secondary providers may run.
  • ABSTAIN: Additional secondary providers may run.
  • UI: Additional AuthenticationRequests are needed to complete the process.
  • REDIRECT: Redirection to a third party is needed to complete the process.

Implemented in MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::beginSecondaryAuthentication ( $user, array $reqs )

Start an authentication flow.

Note that this may be called for a user even if beginSecondaryAccountCreation() was never called. The module should take the opportunity to do any necessary setup in that case.

Parameters
  • User $user: User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationRequest[] $reqs
Returns
AuthenticationResponse Expected responses:
  • PASS: The user is authenticated. Additional secondary providers may run.
  • FAIL: The user is not authenticated. Fail the authentication process.
  • ABSTAIN: Additional secondary providers may run.
  • UI: Additional AuthenticationRequests are needed to complete the process.
  • REDIRECT: Redirection to a third party is needed to complete the process.

Implemented in MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider, MediaWiki\Auth\EmailNotificationSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAccountCreation ( $user, $creator, array $reqs )

Continue an account creation flow.

Parameters
  • User $user: User being created (has been added to the database). This may become a "UserValue" in the future, or User may be refactored into such.
  • User $creator: User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationRequest[] $reqs
Returns
AuthenticationResponse Expected responses:
  • PASS: The user creation is ok. Additional secondary providers may run.
  • ABSTAIN: Additional secondary providers may run.
  • UI: Additional AuthenticationRequests are needed to complete the process.
  • REDIRECT: Redirection to a third party is needed to complete the process.

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::continueSecondaryAuthentication ( $user, array $reqs )

Continue an authentication flow.

Parameters
  • User $user: User being authenticated. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationRequest[] $reqs
Returns
AuthenticationResponse Expected responses:
  • PASS: The user is authenticated. Additional secondary providers may run.
  • FAIL: The user is not authenticated. Fail the authentication process.
  • ABSTAIN: Additional secondary providers may run.
  • UI: Additional AuthenticationRequests are needed to complete the process.
  • REDIRECT: Redirection to a third party is needed to complete the process.

Implemented in MediaWiki\Auth\ResetPasswordSecondaryAuthenticationProvider, MediaWiki\Auth\AbstractSecondaryAuthenticationProvider, and MediaWiki\Auth\ConfirmLinkSecondaryAuthenticationProvider.
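
A small second-factor provider built on the begin/continue contract documented above, as an added example that is not MediaWiki's own code. ExampleCodeRequest, ExampleCodeProvider, the codeLookup constructor parameter and the example-* message keys are hypothetical; the class extends AbstractSecondaryAuthenticationProvider so that only the methods it needs are written out.

```php
<?php
// Added example, not MediaWiki core code. ExampleCodeRequest, ExampleCodeProvider,
// the 'codeLookup' parameter and the example-* message keys are hypothetical.
use MediaWiki\Auth\AbstractSecondaryAuthenticationProvider;
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;

class ExampleCodeRequest extends AuthenticationRequest {
    public $code; // code typed by the user
    public function getFieldInfo() {
        return [ 'code' => [ 'type' => 'string',
            'label' => wfMessage( 'example-code-label' ),
            'help' => wfMessage( 'example-code-help' ) ] ];
    }
}

class ExampleCodeProvider extends AbstractSecondaryAuthenticationProvider {
    /** @var callable fn( User ): ?string; null means the user is not enrolled */
    private $codeLookup;
    public function __construct( array $params ) {
        $this->codeLookup = $params['codeLookup'];
    }
    public function getAuthenticationRequests( $action, array $options ) {
        return []; // the code field is requested via the UI response below
    }

    public function beginSecondaryAuthentication( $user, array $reqs ) {
        if ( ( $this->codeLookup )( $user ) === null ) {
            return AuthenticationResponse::newAbstain(); // not enrolled: no opinion
        }
        return AuthenticationResponse::newUI( [ new ExampleCodeRequest() ],
            wfMessage( 'example-code-prompt' ) );
    }

    public function continueSecondaryAuthentication( $user, array $reqs ) {
        $expected = ( $this->codeLookup )( $user );
        $req = AuthenticationRequest::getRequestByClass( $reqs, ExampleCodeRequest::class );
        // Fail closed: once a code has been demanded, a missing request or a
        // vanished enrolment is FAIL, never PASS or ABSTAIN.
        if ( $expected === null || !$req || !is_string( $req->code )
            || !hash_equals( $expected, $req->code ) ) {
            return AuthenticationResponse::newFail( wfMessage( 'example-code-wrong' ) );
        }
        return AuthenticationResponse::newPass();
    }
    public function beginSecondaryAccountCreation( $user, $creator, array $reqs ) {
        return AuthenticationResponse::newAbstain(); // nothing to check at creation
    }
}
```

The comparison uses hash_equals() so that checking the submitted code takes the same time whether it is nearly right or completely wrong.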

MediaWiki\Auth\SecondaryAuthenticationProvider::postAccountCreation ( $user, $creator, AuthenticationResponse $response )

Post-creation callback.

Parameters
  • User $user: User that was attempted to be created. This may become a "UserValue" in the future, or User may be refactored into such.
  • User $creator: User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationResponse $response: Authentication response that will be returned

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::postAuthentication ( $user, AuthenticationResponse $response )

Post-login callback.

Parameters
  • User | null $user: User that was attempted to be logged in, if known. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationResponse $response: Authentication response that will be returned

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsAuthenticationDataChange ( AuthenticationRequest $req, $checkData = true )

Validate a change of authentication data (e.g. passwords)

Return StatusValue::newGood( 'ignored' ) if you don't support this AuthenticationRequest type.

Parameters
  • AuthenticationRequest $req
  • bool $checkData: If false, $req hasn't been loaded from the submission so checks on user-submitted fields should be skipped. $req->username is considered user-submitted for this purpose, even if it cannot be changed via $req->loadFromSubmission.
Returns
StatusValue

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::providerAllowsPropertyChange ( $property )

Determine whether a property can change.

See Also
AuthManager::allowsPropertyChange()
Parameters
  • string $property
Returns
bool

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::providerChangeAuthenticationData ( AuthenticationRequest $req )

Change or remove authentication data (e.g. passwords)

If $req was returned for AuthManager::ACTION_CHANGE, the corresponding credentials should result in a successful login in the future.

If $req was returned for AuthManager::ACTION_REMOVE, the corresponding credentials should no longer result in a successful login.

Parameters
  • AuthenticationRequest $req

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::providerRevokeAccessForUser ( $username )

Revoke the user's credentials.

This may cause the user to no longer exist for the provider, or the user may continue to exist in a "disabled" state.

The intention is that the named account will never again be usable for normal login (i.e. there is no way to undo the revocation of access).

Parameters
  • string $username

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::testForAccountCreation ( $user, $creator, array $reqs )

Determine whether an account creation may begin.

Called from AuthManager::beginAccountCreation()

Note
No need to test if the account exists; AuthManager checks that.
Parameters
  • User $user: User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such.
  • User $creator: User doing the creation. This may become a "UserValue" in the future, or User may be refactored into such.
  • AuthenticationRequest[] $reqs
Returns
StatusValue

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider.

MediaWiki\Auth\SecondaryAuthenticationProvider::testUserForCreation ( $user, $autocreate, array $options = [] )

Determine whether an account may be created.

Parameters
  • User $user: User being created (not added to the database yet). This may become a "UserValue" in the future, or User may be refactored into such.
  • bool | string $autocreate: False if this is not an auto-creation, or the source of the auto-creation passed to AuthManager::autoCreateUser().
  • array $options
Returns
StatusValue

Implemented in MediaWiki\Auth\AbstractSecondaryAuthenticationProvider and MediaWiki\Auth\CheckBlocksSecondaryAuthenticationProvider.


The documentation for this interface was generated from the following file: