Bakery provides single sign-on between Drupal sites using browser cookies. A non-Drupal site (e.g. MediaWiki) can be integrated into the single sign-on by replicating how Bakery validates its cookies. The other site should preferably be written in PHP; otherwise you will have to decrypt the cookie and parse its PHP serialized data structure yourself, which takes noticeably more work.

Some understanding of Drupal code is recommended, and you should familiarize yourself with Bakery's cookie metaphors. The function to study in Bakery (1.x and 2.x branches) is _bakery_taste_chocolatechip_cookie().

Overview

A valid CHOCOLATECHIP cookie identifies a user who has correctly authenticated on the master site. The cookie contains username and email (among other properties, detailed later) that must exactly match a user account on the subsite (non-Drupal site in this case) for SSO to work.

General steps for validating the identification cookie (CHOCOLATECHIP):

  1. Detect cookie presence in the user's HTTP request
  2. Decrypt the cookie's data using the shared Bakery secret key and unserialize it (in PHP, pass ['allowed_classes' => false] to unserialize(), since at this point the data has not been authenticated yet)
  3. Rebuild the hashed signature using the cookie name, mail, and stored timestamp
  4. Validate that the locally generated signature matches the cookie's stored signature (use a constant-time comparison such as hash_equals()) and that the timestamp is not older than the freshness window you accept; treat any failure as if no cookie were present

General authentication steps once cookie is valid:

  1. Detect if cookie name and email match a local account
  2. If account exists, execute local authentication routines*
  3. If no local account exists, run further checks and then create local account**

* If an account exists that matches both the cookie username and email, you should also check whether any other local accounts match either (but not both) the username or the email, and whether any other accounts have an init property equal to the cookie's init (see the section on cookie fields). Reconcile these accounts, or the same person will run into login problems later.

** If no local account matches both the username and email, check for an account matching the username alone and then one matching the email alone. Bakery requires username and email to be in sync, but if your user migration was not accurate you can provide a mechanism for correcting unsynchronized accounts before creating a new one.

Cookie fields

The CHOCOLATECHIP cookie is an encrypted PHP serialized array with the following fields:

name
The username of the user
mail
Email address of the user
init
URL of the Drupal edit page on the master site e.g. http://example.org/user/91990/edit
master
Integer (0 or 1) indicating whether the cookie was created on the master site
calories
Unused property
timestamp
Server request time (Unix timestamp) at which the cookie was created
signature
SHA256 hash of the username, mail and timestamp, keyed with the shared secret; check _bakery_taste_chocolatechip_cookie() for the exact concatenation used by your Bakery version

Look at the function bakery_mix() to fully understand the encryption; in short, it uses the PHP mcrypt extension with AES-128. Note that mcrypt is deprecated as of PHP 7.1 and removed from core in PHP 7.2, so a non-Drupal site on a current PHP will need an equivalent AES routine (for example openssl_decrypt()) that reproduces the cipher mode and key handling of bakery_mix() exactly.
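As an added example (not Bakery's own code, and not from the original page), the validation and account-matching steps above carried out in Python, to show what a non-PHP site has to deal with once it has the decrypted bytes: parsing the PHP serialized array, rebuilding the keyed signature, checking freshness, and resolving the cookie against local accounts. It assumes the caller has already base64-decoded and AES-decrypted the cookie (that step depends on your crypto library and is left out), that the signature is a keyed SHA256 over name, mail and timestamp concatenated in that order, a one-hour freshness window, and a constructed shared key, cookie body and local user table; confirm the signature material against _bakery_taste_chocolatechip_cookie() before relying on it.

```python
import hashlib
import hmac

SHARED_KEY = b"example-shared-bakery-key"  # assumption: stands in for the real Bakery secret


def sign(name, mail, timestamp, key):
    # Keyed SHA256 over name, mail and timestamp. Assumption: plain concatenation in
    # that order; confirm the material against _bakery_taste_chocolatechip_cookie().
    return hmac.new(key, f"{name}{mail}{timestamp}".encode(), hashlib.sha256).hexdigest()


def php_unserialize(data: bytes):
    """Parse the subset of PHP serialize() output the cookie uses:
    a:N:{...} arrays holding s:len:"...";  and i:N;  members."""
    pos = 0

    def parse():
        nonlocal pos
        kind = chr(data[pos])
        if kind == "i":                       # i:42;
            end = data.index(b";", pos)
            value, pos = int(data[pos + 2:end]), end + 1
            return value
        if kind == "s":                       # s:5:"alice";  (length counts bytes)
            colon = data.index(b":", pos + 2)
            length, start = int(data[pos + 2:colon]), colon + 2           # start: after :"
            value, pos = data[start:start + length].decode(), start + length + 2  # skip ";
            return value
        if kind == "a":                       # a:7:{key;value;...}
            colon = data.index(b":", pos + 2)
            count, pos = int(data[pos + 2:colon]), colon + 2              # skip :{
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                          # skip }
            return out
        raise ValueError(f"unsupported serialized type {kind!r} at offset {pos}")

    value = parse()
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def validate_chocolatechip(plaintext: bytes, key: bytes, now: int, max_age: int = 3600):
    """Steps 2-4 after decryption: unserialize, rebuild the signature, compare in
    constant time, check freshness. Returns the cookie fields or None on any failure."""
    try:
        cookie = php_unserialize(plaintext)
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    required = {"name", "mail", "init", "master", "timestamp", "signature"}
    if not isinstance(cookie, dict) or not required.issubset(cookie):
        return None
    expected = sign(cookie["name"], cookie["mail"], cookie["timestamp"], key)
    if not hmac.compare_digest(expected, str(cookie["signature"])):
        return None
    # Assumption: freshness window; align it with the master's settings, allow small skew.
    if not (now - max_age <= int(cookie["timestamp"]) <= now + 60):
        return None
    return cookie


def match_account(cookie, accounts):
    """Account resolution: exact name+mail match logs in; accounts matching only
    one of name/mail, or only init, are reported as conflicts to reconcile;
    with no match at all a new local account is created from the cookie."""
    name, mail, init = cookie["name"], cookie["mail"], cookie["init"]
    exact = [a for a in accounts if a["name"] == name and a["mail"] == mail]
    conflicts = []
    for a in accounts:
        partial = (a["name"] == name) != (a["mail"] == mail)
        init_only = a.get("init") == init and a not in exact
        if (partial or init_only) and a not in conflicts:
            conflicts.append(a)
    if exact:
        return "login", exact[0], conflicts
    if conflicts:
        return "reconcile", None, conflicts
    return "create", {"name": name, "mail": mail, "init": init}, []


def php_str(s):
    return f's:{len(s.encode())}:"{s}";'


def sample_cookie(key, timestamp, name="alice", mail="alice@example.org"):
    """Constructed decrypted cookie body, serialized the way PHP's serialize() would."""
    fields = [("name", name), ("mail", mail), ("init", "http://example.org/user/91990/edit"),
              ("master", 1), ("calories", 320), ("timestamp", timestamp),
              ("signature", sign(name, mail, timestamp, key))]
    body = "".join(php_str(k) + (f"i:{v};" if isinstance(v, int) else php_str(v))
                   for k, v in fields)
    return f"a:{len(fields)}:{{{body}}}".encode()


# Constructed local user table of the non-Drupal site (init stored per account).
ACCOUNTS = [
    {"name": "alice", "mail": "alice@example.org", "init": "http://example.org/user/91990/edit"},
    {"name": "bob", "mail": "bob@example.org", "init": "http://example.org/user/12/edit"},
]

if __name__ == "__main__":
    now = 1_700_000_000
    cookie = validate_chocolatechip(sample_cookie(SHARED_KEY, now), SHARED_KEY, now)
    print(match_account(cookie, ACCOUNTS)[0])
```

Signature verification has to happen after unserializing because the signature lives inside the serialized payload; that is why the parser above rejects anything outside the handful of scalar and array types the cookie needs, and why the PHP equivalent should disable class instantiation in unserialize().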

Requirements of non-Drupal site

  • Decrypt cookie data
  • Unserialize stored data
  • Store Bakery shared secret key
  • Match username and email address
  • Store 'init' property for an account (see cookie fields)