So we have an Admin Portal web app, a Client Portal web app, and an API app.
Admin Portal is built in Laravel 5.x
Client Portal is built in Laravel 5.y
API is built in Lumen 5.z
Admin Portal:
Acts like a CMS for our 100 employees to interact with customer data
This app sits on its own repo “admin_portal”
This app has its own sub-domain admin.company.com
Has an admin database schema, with employees table used for authentication (this table has login email and password of our 100 employees)
Has pages like reports, tickets etc.
Client Portal:
Acts like a Customer-facing portal where our 1,000 clients login and
perform actions like submit information requested and see status of
their current case
This app sits on its own repo “client_portal”
This app has its own sub-domain client.company.com
Has an customer database schema, with clients table used for authentication (this table has login email and password of our 1,000
clients)
API:
Acts like an API for outsider to interact with our 2 DB schemas
This app sits on its own repo “api”
This app has its own sub-domain api.company.com
Pretty much all pages, UIs, features in Admin Portal and Client Portal are different.
However, there are some repeated codes in Admin Portal and Client Portal: models, helper functions (i.e. both apps need to talk to some third-party API or need to generate similar PDFs) etc.
A developer in our team suggested combining Admin Portal, Client Portal, and API into 1 giant multi-tenant Laravel app so we can have less code-base and eaier to maintain.
We’re trying to research:
Whether we should do this? (in what use-case to implement a multi-tenancy app vs single-tenancy app)
What are the Pros and Cons (development, deployment, debugging, security, and maintenance)
Whether it’s doable with Laravel, or what would be the side-effects.
I’d like to have the community to give us your opinions and experiences. A few things to consider though:
We may want to eventually to lock down Admin Portal to our office IPs only
API is using OAuth while Admin Portal and Client Portal are not
We are exploring micro-services like Lambda functions to off load a lot of logic from PHP
Each app may need a different set of PHP packages/versions (defined in composer.json)
We are using Bitbucket Pipelines and AWS CodeDeploy, listening on each repo
Highly appreciated and cheers!
Related
I have a Teams application (Tab). I am an ISV provider, and provide a multi-tenant application that is installed by customers via Teams App Store in their organizations.
How do I save settings for my application organization-wide for the customers? For example, CustomerA has installed the app and then CustomerB. I want some storage that would be unique for CustomerA and CustomerB and the app, and located in customer's environment. The settings I want to save are not per-user, but per-organization (tenant).
Somewhat similar to "App Data" folder you have in Windows Desktop for example.
Does such a storage exist? Does API for this storage exist?
A tab app is a simply a web application that you render inside of Teams. As a result, what the app does, and where and how it does it, is totally up to you. This includes any data storage you choose to have behind the scenes. For example, your tab could be built in PHP and use MySQL, or built in ASP.Net and use SQL Azure or CosmosDB. It's totally up to you, but you need to implement it yourself, as an ISV.
The important piece to differentiate clients, however, is being aware of the TenantId for each user, so you can look up which client's settings you need from the database. The most simple way to do this is simply the tid property on the Teams tab context. You can read more about that here. Unfortunately, because it's just accessed via Javascript, it's not entirely secure - for a more secure mechanism, you should be creating an Azure Application, and generating jwt tokens that you can authenticate against in your backend. It's a much more complex topic, but hopefully this answer at least gives the background you need. For more info on the security aspects (validating the token etc.), please see this question: How to restrict access to Azure Function to only allow requests from a custom Microsoft Teams App?.
My enterprise application is developed in .net framework 4.5 and is using windows authentication. In which case, as we all understand, it is the underlying AD(active directory) that authenticates the user.
I have to replace windows authentication with token based authentication, keeping the .net framework 4.6 and AD(active directory). I guess oAuth is a possible solution, could you please share some thoughts on other possible solutions and as how could I get started.
HISTORY
It was common some years ago for apps to be developed for a corporate intranet, in which case Windows Authentication was a good solution. When token based authentication came along the benefits typically were:
Extend reach so that apps could be used over the internet
Support cross domain scenarios, eg APIs in a different domain
Support multiple authentication methods / policies depending on user location and device type
Write less security code and make new security features available to multiple apps
IMPLEMENTATION
An OAuth migration is a major architectural change and needs to be managed in terms of costs and benefits, though once done your apps will be quite cutting edge. Here is how Windows Authentication typically works in an OAuth 2.0 / Open Id Connect world, which requires a more complex setup:
Your UI redirects to a Cloud Authorization Server (AS), such as Azure Access Control
The AS redirects to an identity provider - such as an on premise version of ADFS (Active Directory Federation Services) - that is configured to use Windows authentication
When in the corporate intranet the user is automatically signed in and ADFS posts tokens to the AS
The AS posts different tokens to your UI
Your UI calls the API with the AS token and the API validates it
GETTING STARTED
If you decide that the effort is worthwhile then there are 2 parts to the job. Note that your application code will only ever interact with the AS and doesn't need to know or care about the authentication method:
Infrastructure migration
Updating the code in your UIs and APIs
If it helps, my blog and code samples are designed to help people deal with some of the challenges of OAuth tech. Maybe have a look at my first tutorial to get set up.
We want to build SAAS platform based on ms botbuilder. Specifically now we want to have many telegram bots on one backend (web app), instrumentation such as creation Bot Registrations, if needed, should be automated (prob except of creating a bot in telegramm).
I can't find any docs on how to address that but i guess theres 3 options:
1) Use directline api and create own adapter to speak with telegram api.
2) Use Azure script to create Bot registration. But i can't find a place where in web app configure app id and secret, these now are written in env vars on azure.
3) somehow deploy varios middlewares or enviroments (or slots) for each such registration. Lacking info on this aproach too much.
Maybe also some other options i'm not aware of?
I am integrating my SAAS application to Microsoft Teams. Right now integrated as Tab in teams. I am using my own API endpoint to authenticate and authorize the user. I have got some specific information about the user I am getting from API. How can I store it in Team context? Right now I used local storage in the web app. In Teams web app it seems working but I don't think it is working in Desktop app. Is there some API available in teams which helps to maintain the user state with Tabs? similar to userstate in Bots? Please help.
I would think local storage would be troublesome across devices anyway, perhaps consider server-side storage instead.
We are trying to migrate a legacy intranet ASP .NET web app from "Forms" based authentication into a "Windows" based one so that the user doesn't have to enter the credentials again after logging into the PC, we just want to read the current logged-in identity and use that for authenticating and authorizing the user in the application.
Doing windows authentication in ASP .NET is pretty straight forward, what i wanted to check though was how the user's and their groups should be managed within AD or ADAM.
The same user can have rights on multiple environments of the same application like Dev, UAT, LT, Prod etc. so the same domain account needs to be authenticated in multiple environments (different URL). Also, once authenticated into an environment the user might belong to multiple roles which decide what actions are available for the user to perform.
I was looking for some recommendations here in terms of how we set this structure up in AD, we are thinking of creating groups in AD for the different environments like App_Dev, App_UAT, App_Prod etc. and have nested groups within each of them for the different roles in the application like App_Dev\Role1, App_Dev\Role2, App_UAT\Role1 etc. for each of the environments and add the users inside it.
What do you guys think?
You have to rememeber that Authentication and Authorization are two different things. You have combined them in your logic.
For example, your authentication mechanism is AD. So yes, use AD for authentication of credentials and group membership to ensure they can authenticate with a specific instance.
However, you can still use the classic RolesProvider and use a SQL backend to store roles and user to roles assignments per instance within the database. This is easy and uses the built-in feature of ASP.NET without having to go overboard with creating groups in AD. You can do various searches on the web about ASP.NET AD Authentication and SQL Roles Provider. I think ScottGu even has an old article about how to do it.
Lastly, what you have described here is not SSO or Single Sign-On, I'll update your question to reflect this. SSO refers to creating a token that is trusted and shared amongst many applications. It doesn't seem like you need that with the example provided, but if you do, you would be investigating ADFS and the Windows Identity Foundation (WIF). Just because you use AD does NOT mean you have SSO, it simply means you have a single Authentication Provider, but you still don't have a token based system that actually only requires an initial Authentication and Authorization request to a central authentication service, usually ADFS.