Feb 8

Using Context Login with GMail and Google Apps for your Domain

Context login is a new concept that I’m introducing in 1.5.4 that features a new login module called “mod_contextlogin” and support from both the Advanced LDAP and Advanced GMail plugin. I’ll focus on today the GMail plugin and how you can use both context login and the Advanced GMail plugin to connect to two different Google supported domains (e.g. GMail and a Google Apps for your Domain site).

The first step in all of this is to install JAuthTools. The Context Login bit is mostly self contained so once you’ve got my Advanced Tools extensions installed you should be able to install the extras package. You can grab the 1.5.1 version of the Advanced Tools extension off Joomla!Code at http://joomlacode.org/gf/download/frsrelease/6797/22390/com_advancedtools.tgz and install directly in Joomla!. The next item we’re going to need is the helper package, the best way to grab this is to install the JAuthTools Core Package from http://joomlacode.org/gf/download/frsrelease/9530/36171/pkg_jauthtools_core.tgz which will also give you SSO and User Source libraries as well. The JAuthTools Extras Package contains both the context login module and the Advanced GMail authentication plugin. The extras package also has the LDAP user plugin and the Advanced LDAP plugin but we’re not going to use that today. The current version of the extras package is 1.5.4 (just released!) and you can grab it off JoomlaCode at http://joomlacode.org/gf/download/frsrelease/9530/36195/pkg_jauthtools_extras.tgz and you can also install this directly into Joomla!.

Once you’ve got everything installed, you can get to work. The first place we need to go into the Module Manager in the Administrator and look for Context Login. It’ll be there but it won’t be published by default. Opening it up we’ll see a lot of the params that we know and love from the core built in login module but we’ll also see some params immediately below the caching option called “Contexts”, “Require Context” and “Default Context”. The “Contexts” param is a text field that allows you to enter a per line entry of contexts. In this case we’re going to have two different contexts: one for the main GMail domain (gmail.com) and another for a Google Apps for your Domain (say “yourdomain.com”). Perhaps you’ve got a few of these domains that you want to limit people to so what you can do is enable the “Require Context” option. This will enforce a given context upon the module and remove the ability for the user to be flexible. Keep in mind that this isn’t added with the request, only a context ID is sent which is then looked up and found on the remote site. The last option is the default context to use which is set to -1 initially but can be set to the index of the context (starting from 0). This changes the context select box with the default selected and is purely a cosmetic setting. Once you’ve put in a few domains, you can enable the module and position it somewhere. If you want to put in some extra settings you can also do this like you would do with the normal login module.

The next step is to configure the Advanced GMail plugin. The Advanced GMail has all of the features of the existing GMail plugin and then some. If you’re currently using the GMail plugin, disable it first before you switch to the Advanced GMail plugin. The Advanced GMail plugin has a few configuration options such as “Apply Suffix” (similar to contexts but limited to only a single domain), “Username Suffix” (used with Apply Suffix, a single domain name such as “gmail.com”) , “Verify Peer” is a SSL configuration option that should be left on unless you’re having seriously strange issues (at this point, change host!) and that leaves us with “Use Contexts”. This is a simple option that has “Yes”, “No” and “Require”. What this then causes it to do is look for a context in the request and then apply the context if it finds it. The “Require” option will then enforce the use of contexts and will fail the user if the contxt doesn’t line up properly. The last option is a ‘username’ blacklist. This is a list of usernames that the plugin should never authenticate for which is useful for accounts that you may not control (e.g. ‘admin’) to prevent people logging in using it. This is an extra security feature that I’ve introduced and is certainly recommend using. Enable the plugin and we’re off!

Once both the module is configured and enabled as well as the plugin you should be able to see it in the front end. From here you can see the form and log into to it, selecting your context and then logging in appropriately.


40 Comments so far

  1. William May 2nd, 2009 5:48 am

    Great information. Thank you.

    I have Google Apps, and want to authenticate my Google Apps users and Joomla users only. I have installed based on the information above, but I can not restrice gmail authentication. How can this be done?

    Is there a way to assign roles to the Google Apps users once they log in? Based on the user, not context?

    Thank you

  2. pasamio May 3rd, 2009 12:53 am

    If you only have one Google Apps domain you can use the suffix field to add a specific suffix instead of using context login (context login is useful for multiple domains and a few other things with LDAP). So I’m not quite sure what you mean, do you want to ensure that users are in Google Apps and in Joomla! at the same time? If so you can disable autocreation for the authentication system (in the User – Joomla plugin) and then it won’t authenticate users who don’t have a Joomla! account (e.g. their login will fail with no account).

    There isn’t a way by default you can assign roles to users once they log in, I’m not entirely sure what your use case is there. You could conceivably write a user source plugin that knew what group mappings you wanted to assign since I assume you have to know that some where. I need to write a user source synchronisation plugin for the user system as well, I guess I’ll put that into the 1.5.5 release with some other stuff.

  3. Kirk McGinnis July 6th, 2009 4:24 pm

    How would one go about applying Google Apps authentication to the CB login and user system?

  4. pasamio July 6th, 2009 7:12 pm

    To be honest I wouldn’t have a clue. Last time I looked at CB it worked by avoiding the Joomla! authentication system and directly looking at the Joomla! user table so you couldn’t use any custom authentication plugins. They might have updated it, but I haven’t been that interested in it to check to see if they’ve decided not to reinvent the wheel. I haven’t had the time to look at their latest software and since they require a subscription to look at it I’ve not really been concerned. If CB uses the Joomla! authentication system, all you need to do is enable the GMail authentication plugin – if not you will have to hack CB to get it to work. Better to ask on the CB forums perhaps.

  5. Omar Severino July 12th, 2009 12:43 am

    I also run Google Apps for my Domain and a Joomla! Site with JomSocial – will like to be notify when new development/enhancement is made to your CONTEXT LOGIN.

  6. pasamio July 12th, 2009 1:42 am

    JomSocial I might be able to work with, I’ll have a chat with them.

  7. pasamio July 13th, 2009 11:41 pm

    I had a chat with Azrul from JomSocial and he remarks that you should be able to use the standard login module and system with it without issue, which means you should be able to pick up the context login module and use it with JomSocial perfectly fine (unlike with CB where it won’t work properly).

  8. Cozza November 27th, 2009 9:39 pm

    Need to know if, with this method, is possible to make connect the user when they make the login into my site (with the gmail account) to Google (so they’ll result logged in also in the Google site).
    Tnx for the answers.
    Best Regards.

  9. pasamio November 28th, 2009 12:37 pm

    Hi Cozza,

    There is no easy way of doing it in a secure manner. It isn’t that it is impossible (it would be with some sleight of hand) but it isn’t easy or secure. The better method would be to use an SSO system so that the user directly logs into Google first. Even then Google’s SSO infrastructure across products is fragmented anyway (the number of times I log into each web service is amazingly annoying, some work well together (GMail/Google Cal/Google Docs) but most don’t.



  10. Dusty December 22nd, 2009 10:53 am

    I am trying to install the extras package and it says it is not available. Is it no longer available, or is this a temporary issue?


    Is there another location to download it from?

  11. pasamio December 22nd, 2009 11:19 am

    Can you give it another go? JoomlaCode seems to have been having issues but it is fine now.

  12. Dusty December 22nd, 2009 1:16 pm

    You have a great package here!

    I am now authenticating my users through Google Apps. I have turned off the Auto Create Users so that only users in Joomla with the Google Apps Suffix can login (allowing me to set user levels on the Joomla side prior to their login.)

    Now, for the users to change their password, they need to go to the Google Apps Domain. Is there a way to disable the password reset on the Joomla side, but still allow the users to edit their email address and time zone?

  13. pasamio December 22nd, 2009 2:49 pm

    The users shouldn’t be able to change their password if their password is blank. Joomla should be preventing them. I’d have to double check but presuming the password field isn’t set on a user, I thought Joomla!’s user manager wouldn’t let you change the password. Everything else should be fine to change (email, timezone).

  14. Dusty December 23rd, 2009 9:34 am

    I checked and the option to change the password is prevented if the password is not present.

    To delete the password, I had to do it manually in the Database. With 1500 users to create, is there an efficient way to create the users in Joomla with NO PASSWORD without manually deleting them in the database? Only admins will hae Joomla passwords.

  15. pasamio December 23rd, 2009 10:26 am

    The easiest would be to do a quick query on the database blanking their password fields.

    Something like the following (take a backup first!), should do the trick:

    UPDATE jos_users SET password = ” WHERE usertype = ‘Registered’;

    Presuming “jos_” is your prefix, change it to match otherwise. I should add a feature on my user loader not to set a password, might do that quickly later.

  16. Dusty December 23rd, 2009 11:07 am

    Thanks, I will try that. That would be a great option on the user loader.

    Another possibility would be to turn on Auto Create in Joomla if Joomla fetched the actual FIRSTNAME and LASTNAME from Google Apps. As it is, with auto create on, it puts the USERNAME&SUFFIX in the name field of Joomla and leaves the password blank.

    Not sure if that is even possible.

    (I have add suffix turned on to limit authentication to my Google Apps domain.)

  17. pasamio December 23rd, 2009 11:21 am

    We can’t easily fetch the first name and last name from Google Apps, their API’s are rather fragmented around user data. It is actually a PITA from my perspective, there is no API that permits me to just find out information about the user.

  18. Dusty January 12th, 2010 7:08 pm

    I tried to run your suggested SQL:
    UPDATE jos_users SET password = ” WHERE usertype = ‘Registered’;

    to remove the password from the “Registered” users (not admins)

    I get ther MYSQL Error:
    #1054 – Unknown column ‘‘Registered’’ in ‘where clause’

    The Prefix and the names are correct.

    Any idea what is causing this? Suggestion?

  19. Steven June 9th, 2010 9:33 am

    Hi maybe I got something wrong but i like to autenticate users and create users by their google apps account I installed all packages from above used advancend gmail autentification with the suffix of my domain “abcd.ef” but when i try to login it says the username or password is wrong or the account is not created yet.

    any ideas?

    regards Steven

  20. pasamio June 9th, 2010 9:38 am

    If you use the built in GMail plugin with the full email address as the username does it authenticate the user properly?

  21. Steven June 10th, 2010 1:08 am

    No it doesn´t but i dont know why cURL is installed

    And i found no other requirements…

  22. pasamio June 10th, 2010 2:39 am

    Why curl is installed? I’m not sure what you mean, the system requires curl to operate properly to set some special items otherwise we can run into issues. cURL is usually available to most instances and I believe is the only significant dependency.

  23. Steven June 10th, 2010 4:27 am

    oh no you missunderstood me “No it doesn´t but i dont know why. cURL is installed…”

    I mean i have curl installed so it should work proper but it doesn´t

  24. pasamio June 10th, 2010 4:35 am

    If you enable the logging plugin the system should be dumping errors into the log path with the actual cause of the error not the generalised error message that is displayed.

  25. Steven June 10th, 2010 10:33 am

    the log says “user does not exist”

    but I thought he would create them when they come from gmail…

    in the plugin user – joomla the automatically creation is enabled

  26. Chris July 9th, 2010 9:48 am

    I am having the same issue has Steven. I can get Joomla to create a user account against one of my standard gmail accounts, however when I try to log in using one of my Google Apps accounts I get “Username and password do not match or you do not have an account yet.”

    Is there anything I have to configure on the Google Apps side of things?

  27. pasamio July 10th, 2010 12:15 am

    If you put in your full GApps email and password (e.g. username@yourdomain.com) into the login does it work properly? Is it just the context login that doesn’t work properly?

  28. Chris Bowers July 10th, 2010 5:59 am

    No, I attempted to log in with myaccount@mydomain.com and it gives the error message I listed above.

  29. Chris Bowers July 10th, 2010 6:01 am

    I did not attempt to do context login.

  30. pasamio July 10th, 2010 10:29 am

    Can you try it against http://sammoffatt.com.au/os/forum/ and see if this makes a difference? Does the GApps account have a mailbox as well?

  31. Chris July 11th, 2010 1:47 am

    Yes, works perfect on your site. The account does have a mailbox, that is pretty much all we use our GApps for.

  32. Steven July 28th, 2010 12:18 am

    Finally I made it after reinstalling Apache2, cURL, PHP5, PHP-cURL and so on it worked 🙂

    Now I can say great tool *ThumbsUp*

  33. Joe September 3rd, 2010 6:16 am

    Superb! Love it. Just one question – when I use my Google apps user details I can log in no problem. However, when I change my password I can now log in with either the old password or new password! Is this something I’m doing wrong?

  34. pasamio September 6th, 2010 10:41 pm

    If you change your password in Google apps or if you change your password in Joomla!? If you change your password in Joomla! (shouldn’t be possible unless the account was first created in Joomla!) then both your Joomla! password and the Google Apps password will be valid. If the account is automatically provisioned from Google Apps it shouldn’t have a password set and Joomla! shouldn’t let you change the password.

  35. maritza September 11th, 2010 2:53 am

    Sorry if my English is not good, is I installed the packages you mentioned and also check that the library is installed cURL, but I get the error “Username and password do not match or you do not have an account yet” I might be missing some configuration

    I greatly appreciate you help

  36. pasamio September 11th, 2010 12:41 pm

    Enable the log plugin in the plugin manager and there should be a log file created in the logs directory which will give you more detailed error messages.

  37. maritza September 14th, 2010 12:52 am

    I installed the following packages
    It is activated the plugin “Authentication – GMail Advanced”, I left the default plugin settings both in the module “Login Context” and the cURL library is installed.
    the message coming out is “The username and password do not match or you do not have an account yet. You must login first.” enabled or disabled plugin displays the same message, seems not to recognize him, another configuration that is not taken into account?

    I await your prompt response; thanks very much for your atension

  38. maritza September 15th, 2010 12:59 am

    it was the proxy
    can see this article for people who have the restriction of a proxy



  39. guver June 24th, 2011 11:28 am

    my next problem
    i see this is a little bit outdated

    but when i add the contex login module i see

    instead of the normally text but when i add
    the normal login form
    the variables ar filld in annyone has the same problem ??

  40. x3digital June 12th, 2012 4:14 am

    guver – I am having the same problem. What I have noticed though is that when you login for the first time and the user is created the username shows up and the logout button is correct, but as soon as you go to another page the username changes to HINAME and the logout button changes to BUTTONLOGIN. Not sure why it only changes once you leave the logged in page.

Leave a comment

%d bloggers like this: