I'm building an SaaS application with octoberCMS. Basically, I want our client to be able to point their domain to our name servers and effectively the application will load their website template (which will vary from client to client).
It will also allow our clients' members to login to their account through their website and load all of their personal details.
How I can do that with https://laravel-tenancy.com/ ?
Related
I was planning to build a multi tenant (Saas) by using laravel. In my application context, every stores that created from my application will automatically be issued a sub domain with the SSL for that sub domain and users are allowed to user their own domain with their own SSL.
But there’s one issue here, how I am going to generate that sub domain free SSL automatically and also allows users to upload their SSL certificates files. My current tech stack is using NGINX, laravel and NextJS.
I have broken down my Saas platform to become completely isolated frontend and backend. In fact, the sub domain is served by the NextJS.
In my project, there is a mobile app, an angular web app, 4 micro services and one api gateway. The users with role 'agent' can enroll customers using the mobile app. The web app is for users with role 'manager' to see the customer data and finalize on the customer enrollment.
Here, if I want to set up Keycloak for authentication, should I add
every micro service as a separate client ?
Should I add mobile app and web app as separate clients in keycloak ?
CLIENTS
The web and mobile app must be registered as separate OAuth clients. They will have a client ID but no client secret since they are public clients. They will use PKCE and have different redirect URIs, eg:
Web: https://www.example.com/callback
Mobile: com.example.app:/callback
APIs
By default APIs do not need to be registered as clients. In most setups related microservices can just forward JWT access tokens to each other, as explained in the scopes article. This is a secure way to maintain the user identity.
APIs sometimes act as clients though, eg if they need to do something like create users in Keycloak programmatically. Identity systems provide User Management Endpoints to enable this.
So one of your APIs, eg a Users Microservice, may need to be registered as a client. It would use the client credentials flow to get an access token with a SCIM related scope.
GATEWAY
It is common, and recommended, for a gateway to act as an introspection client. This enables data in access tokens returned to internet clients to be kept confidential. Read more about this in the phantom token pattern.
I have a vps, where my spring boot backend is running on. The frontend is a mobile app built with the ionic framework.
The backend is built this way: in the front there is an so called resource server, which is an graphql server, which redirects the requests to rest microservices which are behind the resource server. Every microservice has is own task, which he's responsible for. (e.g. an fileupload-server which uploads/downloads files to a database). The whole application, including the frontend is secured by an keycloak instance, which is running as an docker container like the whole application, except the frontend.
Now my questions is, we dont have a domain and for some reason they wont buy one, but we wont to secure the communications over ssl/lets encrypt. But lets encrypt isn't able to create ssl certificates for ip adresses. So finnaly my question is: do you guys, know a solution to my problem which fits?
So far,
Daniel
I have a request to restrict the access (access control) to a small user community in GCP.
Let me explain the question.
This is the current set up:
A valid GCP Organization: MyOrganization.com (under which the GCP project is deployed / provisioned)
Cloud DNS (To configure domain names, A & TXT records, zones and subdomains to build the URL for the application).
Oauth client set up (tokens, authorized redirects URIs, etc.).
HTTPS load balancer (GKE -managed k8s service- with ingress service), SSL certificate and keys issued by a trusted CA.
The application was built using python + Django framework.
I have already deployed the application (GCP resources) and it is working smooth.
The thing is that, since we are working in GCP, all IAM users who has a valid userID#MyOrgnization.com can access the application (https://URL-for-my-Appl.com).
Now, I have a new request, which consists in restricting access (access control) to the application only for a small user community within that GCP organization.
For example, I need to ensure that only specific IAM users can access the application (https://URL-for-my-Appl.com), such as:
user1#MyOrganization.com
user2#MyOrganization.com
user3#MyOrganization.com
user4#MyOrganization.com
How could I do that, taking into account the info I sent earlier ?
thanks!
You can use Cloud IAP (Identity Aware Proxy) in order to do that.
Identity-Aware Proxy (IAP) lets you manage access to applications
running in App Engine standard environment, App Engine flexible
environment, Compute Engine, and GKE. IAP establishes a central
authorization layer for applications accessed by HTTPS, so you can
adopt an application-level access control model instead of using
network-level firewalls. When you turn on IAP, you must also use
signed headers or the App Engine standard environment Users API to
secure your app.
Note: you can configure it on your load balancer.
It's not clear in your question if your application uses google auth (but considering that you talk about org-restricted login I think so) - if that's the case you should be able to enable it without virtually touching anything in your application if you are using the Users API.
The best and easiest solution is to deploy IAP (Identity Aware Proxy) on your HTTPS Loadbalancer
Then, grant only the user that you want (or create a gsuite user group and grant it, it's often easier to manage)
I have a web app which uses a business network model to read from the blockchain and display the assets + execute transactions.
I have already defined my ACL file. Using the playground, as admin, I can create new ID cards and then use these cards to restrict the access in transactions and assets to participants, but how can I associate these ID cards to my web application so the users can see only what they are allowed to see?
I used the generator-hyperledger-composer to generate my angular project.
Thanks
Use REST services from your application. Your angular project can connect to the REST server.
Set up REST server authentication and choose a Passport-based authentication mechanism/strategy that best suits your setup -> https://hyperledger.github.io/composer/integrating/enabling-rest-authentication.html and configure REST server multi-user mode -> https://hyperledger.github.io/composer/integrating/enabling-multiuser
The latter shows how (given that you've created business network cards that contain a user's blockchain identity) you can configure multi-user mode and interact witih the REST server - using a browser and Wallet in this example.
Info on deploying a REST server is here -> https://hyperledger.github.io/composer/integrating/deploying-the-rest-server