I’m using Azure AD to authenticate users on our site, current flow looks like this:
On OnBeforeManagerLogin and OnBeforeWebLogin I check if the user is in the correct group. (In the future, I'll probably hook into the usernotfound event and manually create it under some conditions.)
If the user exists, and they don’t have a session token, I redirect them to "https://login.microsoftonline.com/".$tennantid."/oauth2/v2.0/authorize"
with a redirect_uri parameter
On successful auth, they get back to the redirect_uri page, where I check the session token and validate it using Microsoft Graph. If it's valid, I want to sign the user in.
Current approach is:
set a long random hash for the password, and run the processor \MODX\Revolution\Processors\Security\Login. This works, but I'd like to keep my user passwords intact, so that if there's ever an outage regarding Azure, I can still fall back to the classic login.
Any ideas? This guide by @bobray seems to create a “fake” user but I’m not sure this would help me.
After re-reading my article, I’m not sure it’s good for anything as is.
I think you might be able to use some of the code to do what you want, though.
I don’t recommend creating a user with the User/Create processor. It’s doable, but fairly difficult, since it assumes that you’ve filled out the Create User form in the Manager.
If you’ve already authenticated the user outside of MODX, you can save the password hash and write code in MODX to authenticate the user the regular way, but with your own code to check the hash.
I did this in GoRevo based on some of OpenGeek’s code to authenticate Evo users in Revolution. IIRC, if the user can’t be authenticated the usual way, it tries the custom method (cribbed from Evo). If that works, it creates a new user with a Revolution-style hash and the given username and password.
A bit confused regarding your answer - why the need to create additional users, if they already exist in MODX?
In short, the only thing I'm currently after is manually logging in a user without knowing their password. The only solution I could think of - I guess you already mentioned it - was saving the hash in another field, overwriting the password with some long random unguessable hash, and using that field as a "fallback" when authenticating them, e.g. normal auth → if it fails, check that field as well.
Why exactly are you overwriting the value in the user’s password field?
Can’t you run some code on the event OnWebAuthentication / OnManagerAuthentication, do your custom authentication there, and let MODX handle the login as usual when your code can’t authenticate the user?
I have to redirect the user to the Microsoft page, where they authenticate. I provide a redirect URL, where they get back. Therefore, I have to "run" the Login process again, but I have no way of knowing the password.
Aaah, I understand now.
It does introduce a bit more code, but I believe that would work.
So if I understand you correctly:
In my snippet on my redirect URL page (where successfully authenticated users get redirected to) I just call the Login processor, and then my plugin catches the OnManagerAuthentication event and authenticates them?
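One way to wire up the flow described in this thread, as an added example that is not code from any poster: the redirect-page snippet leaves a single-use, short-lived marker in the session and calls the Login processor with a throwaway password, and a plugin on OnWebAuthentication / OnManagerAuthentication approves the login only when that marker matches; the stored MODX password is never read or changed, so the classic login form keeps working. The session key `azure_ad_login`, its fields and the `$verifiedUsername` variable are this example's own assumptions.

```php
<?php
// ---- 1. Snippet on the redirect_uri page (runs AFTER the token was validated via Graph) ----
// $verifiedUsername is assumed to come from the validated token, never from request input.
$_SESSION['azure_ad_login'] = [               // single-use marker, consumed by the plugin below
    'username'      => $verifiedUsername,
    'login_context' => 'web',                 // use 'mgr' for a manager login
    'expires'       => time() + 30,           // short window: must be used right away
];
$response = $modx->runProcessor(\MODX\Revolution\Processors\Security\Login::class, [
    'username'      => $verifiedUsername,
    'password'      => bin2hex(random_bytes(32)), // throwaway; the stored hash is never touched
    'login_context' => 'web',
]);
if ($response->isError()) {
    unset($_SESSION['azure_ad_login']);       // never leave an unused marker behind
    $modx->log(\MODX\Revolution\modX::LOG_LEVEL_ERROR,
        'Azure AD login failed: ' . $response->getMessage());
}

// ---- 2. Plugin attached to OnWebAuthentication and OnManagerAuthentication ----
/** @var \MODX\Revolution\modUser $user  supplied by the Login processor */
$user     = $scriptProperties['user'];
$password = $scriptProperties['password'];
$marker   = $_SESSION['azure_ad_login'] ?? null;
unset($_SESSION['azure_ad_login']);           // consume it: one marker, one login attempt

$valid = is_array($marker)
    && isset($marker['username'], $marker['login_context'], $marker['expires'])
    && $marker['expires'] >= time()                                   // not stale
    && hash_equals($marker['username'], (string) $user->get('username')) // same account
    && $marker['login_context'] === ($scriptProperties['loginContext'] ?? ''); // same context

if ($valid) {
    $modx->event->output(true);               // Azure AD already vouched for this user
    return true;
}
if (is_array($marker)) {
    $modx->log(\MODX\Revolution\modX::LOG_LEVEL_WARN,
        'Rejected Azure AD login marker for ' . $user->get('username'));
}
// No valid marker: answer with MODX's own password check, so the classic login
// form still works and the throwaway password from step 1 is rejected.
$modx->event->output($user->passwordMatches($password));
return;
```

Because the plugin always outputs an explicit boolean, it does not depend on how the processor treats a plugin that returns nothing, and a marker can only ever approve the one username it was written for.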