(re)writing Auth.php


We’re trying to write our own authentication module for Matomo 3.14.1 (with the idea of moving to 4.x within the year).

  1. Everyone who authenticates into our system should automatically be logged in when they open Matomo.

  2. Everyone should be able to view data for all sites.

  3. Authentication should occur by an item in the client’s session header, which Matomo then sends to an authentication service, which replies with a true (allowed in) or false (nope).

I’ve been mucking around plugins/Login/Auth.php . I can get to the authorized==true in our system, but I’m not sure what the authentication module is supposed to return to authenticate a user.

Hi, as an example, you can also have a look at the codebase of the Login LDAP (https://plugins.matomo.org/LoginLdap) or Login OIDC (https://plugins.matomo.org/LoginOIDC) plugin.

1 Like

I’ve looked at the interface Matomo/core/Auth.php and in the Matomo developer docs. I think Auth.php is supposed to return a string with login, token_auth, and authorized (true or false).

We had the three items working on an older Matomo/Piwik, but that plugin (in-house) no longer works in Matomo 3.14.1 and Matomo 4.

So we’re trying to decipher the authentication code and figure out how to rewrite it for our system.


Just one quick note: I’d recommend you to never modify a Matomo file, but instead always create a plugin. This way things won’t be overwritten after an update.

Maybe this helps you too (even though it is generated from core/Auth.php)

I know the basics of creating a plugin, but don’t know how I’d create one to authenticate in place of Auth.php.

It looks as though the LDAP plugin does some stuff, then calls Auth.php. How would a plugin know to do to, say MyAuthMethod.php instead of to Auth.php?


I don’t know much about Auth in Matomo, but I thought that enabling another auth plugin deactivates the default Login plugin and therefore then uses the Auth class of your plugin (which probably inherits from \Piwik\Plugins\Login\Auth)