View Issue Details

IDProjectCategoryView StatusLast Update
0011219mantisbtauthenticationpublic2010-09-21 03:38
Reporteroberger Assigned To 
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status acknowledgedResolutionopen 
Summary0011219: Provide OAuth inter-application authentication "tokens" mechanism

OAuth is a protocol which describes (AFAICT) a way for an application to act on another application with specific privileges as granted by a user.

Supporting OAuth in Mantis may allow third party "clients" to connect to Mantis in order to retrieve/create/modify bugs in the name of a Mantis user, and depending on privileges that this user may have granted for this particular application.

More details at

TagsNo tags attached.


related to 0004235 closedvboctor Support Generic Authentication through Plug-ins 
related to 0011063 closeddregad Support OSLC-CM API to ease integration with ALM platforms 




2010-01-24 12:36

reporter   ~0024231

This may be also linked to 0004235



2010-02-07 08:05

reporter   ~0024338

A decent introduction to what is possible with OAuth:

This is no easy undertaking. I imagine we'd first have to implement proper access control into MantisBT like RBAC (role based access control). We'd also need to provide administrators the ability to limit the ability for users to create new accounts and what permissions those accounts can have. OAuth would then sit on top of that core MantisBT functionality providing the interface with external systems?



2010-02-17 02:35

reporter   ~0024401

We do intend to implement an OAuth "plugin" for Mantis (as part of the OSLC-CM REST API implementation support) that would allow to use OAuth for connecting to Mantis on behalf of a Mantis user.

It will be used for REST calls first, but may become generic enough to be used for other connections to Mantis, then.

It will make use of SimpleSAMLphp code most probably, for the protocol implementation.

It will add a few elements to the DB to manage Consumer identification, token requests, autjorizations, etc. and the related UI screens for admins and users to manage these.

If there was an access control infrastructure for Mantis, it may be coupled, but since then, it will just validate that a Consumer is acting on behalf of a user, and then just replace the auth and id phase.



2010-05-06 12:49

reporter   ~0025431

I have implemented the first bits of a Mantis plugin that supports some OAuth endpoints using the PHP OAuth library (and not(yet) SimpleSAMLPhp as previously mentioned).

It is not yet complete, but interested people may have a look at the SVN repo at :

Enjoy !



2010-05-10 05:06

reporter   ~0025445

Here's a first release :

Tests and feedback much welcome.



2010-05-10 12:05

reporter   ~0025449

Firstly, this is a fantastic idea and you've obviously dedicated a lot of time and effort to implementing OAuth into MantisBT.

When I get some more free time I'd be interested in helping to improve this plugin via testing, writing code, reading specs, etc.

I've had a quick browse through the code and the following are a few comments I have so far:

1) MantisBtDbOAuthDataStore::new_token is insecure because it uses an easily predictable PRNG. It'd be better to use the new crypto_api functions in MantisBT 1.3.x for generating nonces. Ref 0010730. If Zend OAuth can create nonces for you then it is probably preferable to use the library implementation... unless it too is insecure :)

2) I think we need to implement a better way of throwing exceptions that allows us to show translated error messages to the user. I'm not sure if this should be in the form of "throw new SomethingException( lang_get( 'ERROR_SOMETHING' ) )" or a more elaborate alternative.

3) Try to avoid SELECT * in queries. It's usually recommended that queries specifically select the required columns from a table. The reason is that if you add a column to one of the tables in the future, you don't want to return this new information if it won't get used.

Great start so far! :)



2010-05-12 03:47

reporter   ~0025482

@dhx: You'll be very much welcome to help ;) Thanks for the review. I'll try and add a few responses :

1) good point. In any case, there are also issues with DOS in terms of security if depending from some RNG methods too... so I'd better not reinvent the wheel here, and use Mantis standard mechanism. +1 for the TODO

2) the errors/exceptions mechanism was not really though of, so yes, that may be improved in a great way. +1 too

3) Again, here, it was a bit quick and dirty, and there may be better ways to do it. +1 too

Regarding the code in general, I'd like to reorganize it so that there's some more objects and a separate DB store, so that there can be some reuse for other PHP apps. I'm particularly thinking about FusionForge, so, having proper MVC/layers separation would allow the reuse of the same classes for both, wile the UI of the plugins would be implemented in different ways, and the backends using each PDO.
I'll try and improve that for the nex iteration.

Thanks again for your comments and support :-)



2010-05-14 05:38

reporter   ~0025499

Here's a new version :

I've reworked the DB access code to put it into a single file, in order to be able to reuse much of the code for other PHP web apps that would have a different DB access system/PDO.

The errors should be a little bit better handled and there much more comments/auto-docs



2010-05-29 10:22

reporter   ~0025624

Note that we're succesfully using it now for our OSLC-CM V1 REST server (0011063).

Still it misses control over specific permissions associated to the access tokens to allow controling which operations a Consumer is authorized to do on behalf of a user and which not.

At the moment, we use auth_attempt_script_login() in order to start a user's session, and that seems quite operational.



2010-08-29 08:47

reporter   ~0026498

Any plans in integration OAuth into Mantis core ?
Creating third party applications for Mantis would be so much easier.



2010-08-30 01:47

reporter   ~0026510

I'm not sure to whom the question is adked, but in any case, I'm sorry to say that it's unlikely I'll have some free time to work on this in the coming month, so I'd be happy to hand it over to anyone interested to continue th work. Everything is committed in our repo... just follow the links above.



2010-09-20 10:17

reporter   ~0026805

In case of doubt, this plugin provides an OAuth provider auth mecanism.



2010-09-21 03:38

reporter   ~0026825

The code is now available in Git at :;f=plugins/OauthAuthz;hb=OauthAuthz