Folks,
I'm experiencing a very odd issue with a custom plug-in using the authenticate hook. Here at our university we use a Web-based single sign-on authentication called CAS (http://www.jasig.org/cas). I am trying to write a plug-in to allow CAS to work with Roundcube proxying a connection through imapproxy (http://www.imapproxy.org/).
The normal operation for authentication for IMAP by the CAS service is to get a one-time-use CAS ticket for every authentication. Since RC stores and reuses the initial password, CAS cannot work in a direct connection to the IMAP server. This is not an issue because when we proxy through imapproxy, it holds open the IMAP connection by password/username combination.
So everything should be working great, and superficially it seems okay, that is, until you try and delete an e-mail. It seems that a delete will call the authenticate hook again and grab a new CAS ticket. The new CAS ticket breaks the imapproxy connection identifier because the password is now different. In turn this causes RC to have a "lost imap connection" error.
The way I look at it, I have 2 possibilities:

1. I'm guessing do a check for an existing ticket before requesting.
   This is the quick fix, but feels like a "duct tape" solution for what might be a larger issue in extending RC for alternative authentication mechanisms.

2. A recall function that has an exec handler for custom plug-ins.
   $rcmail->auth->getpass() returns a clear-text password and has an exec handler for password return. By default it would be an abstraction of the decrypt session password to keep current functionality.

The value with option two is it would allow plug-in authors to authenticate to peripheral services like managesieve without limiting alternative authentication methods.
I've included the current sort-of-working plugin for anyone's interest.
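
The failure described in the message, and the first option (reuse the existing ticket), as an added example that is not part of the original post and is not Roundcube, CAS or imapproxy code. It is a simplified Python model: the class and function names, the "PT-" ticket format, the user "alice" and the proxy dropping its connection are all constructed assumptions.

```python
import secrets

class CasServer:
    """Constructed stand-in for CAS: each ticket validates exactly once."""
    def __init__(self):
        self.unused = set()

    def issue(self, user):
        ticket = "PT-" + secrets.token_hex(8)
        self.unused.add((user, ticket))
        return ticket

    def redeem(self, user, ticket):
        if (user, ticket) in self.unused:
            self.unused.remove((user, ticket))
            return True
        return False

class ImapProxy:
    """Model of the proxy: held-open connections are keyed by (user, password)."""
    def __init__(self, cas):
        self.cas, self.open = cas, set()

    def login(self, user, password):
        if (user, password) in self.open:
            return "reused"    # cache hit, the IMAP server never sees the ticket
        if self.cas.redeem(user, password):    # the IMAP server validates the ticket
            self.open.add((user, password))
            return "new"
        return "failed"        # ticket was already spent

def authenticate_hook(cas, session, user, reuse_ticket):
    """Model of the plug-in hook: returns the password sent to the proxy."""
    if not (reuse_ticket and "ticket" in session):
        # The stored ticket is as sensitive as the password it replaces.
        session["ticket"] = cas.issue(user)
    return session["ticket"]

def run_session(reuse_ticket, requests=3, evict_before_last=False):
    cas = CasServer()
    proxy, session, results = ImapProxy(cas), {}, []
    for i in range(requests):
        if evict_before_last and i == requests - 1:
            proxy.open.clear()    # assumed: the proxy dropped its idle connection
        password = authenticate_hook(cas, session, "alice", reuse_ticket)
        results.append(proxy.login("alice", password))
    return results
```

With a fresh ticket per request the proxy never matches its held-open connection; with the ticket reused it does. If the proxy has dropped the connection, the reused ticket is already spent and the login fails, so a plug-in taking this route has to discard the stored ticket and request a new one at that point.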