I'm currently working on a project that has other projects (mini-projects) connected to it. The project is developed using CodeIgniter PHP framework and the mini-projects are developed in different technologies.
A simple example could be a main site that is hosted in its domain (www.mainsite.com). The other mini-projects are hosted in individual sub-domains like forum (forum.mainsite.com) and blog (blog.mainsite.com).
The user will be directed to the same authentication server whether he is on the mainsite or forum or blog. He will be directed to the same Login form and Registration form.
Taking that scenario into consideration, what approach has to be taken to have a single login credential (username and password) to be used for the main project and mini-projects?
Some resources I came across:
OpenID
OAuth
Related
So, Suppose we have a site (let's call it site A). A user can log in on site A using one of OAuth providers or with site As' credentials. I want to fetch some user related data from cite A, but i don't want to ask for users' credentials, instead I want the user to authorize my site using OAuth provider, so that I can access data on site A. Is there a way to implement such a system? I'm using Spring Boot to develop my website.
I've been thinking about storing users credentials, but realized that it is a terrible idea.
I have been planning to create a laravel+vuejs apps stretching across subdomains (presentation creator, forms creator, polls creator etc.,each in a subdomain) and will have 2 version of the same web app (indian version with different languages and content and international with different language and content) in 2 different domain say domain.in and domain.com but I want users from any app or domain to login with the single user login say from passport.domain.com we have WAP versions of the websites served from wap.domain.in and wap.domain.com and also mobile apps for both.
Now, normal users based on the userid and password, the user from .com domain will
be able to access apps and content only from .com domain and .in
will be able to access only from .in
Users will be able to login using facebook, linkedin, google, etc.,
We will have only a single app for iOS and Android and based on the username and password the apps will be able to access corresponding domain.
wap sites will login using the same passport.domain.com
mobile app will be able to access data from the domain through an appID and Key.
others will be able to embed the presentations and forms into their website using an api key and secret.
certain users will be able to transfer data created in one domain to another user in the other domain
admin users will be able to transfer data from both domains.
other platforms may be able to login using the user id from this platform.
is all this part of SSO (Single sign on) ?
is this achievable in laravel ?
is it advisable to write the sign in server in a different framework ?
different tech like SAML Outh2.0 and Open ID with terms like Authorization, authentication and id provider make it all confusing and baffling for a start up.
can some one tell me what tech are involved in the above process. and what one should be aware before jumping in to start development.
That's a lot of questions :)
IS IT POSSIBLE?
OAuth 2.0 based technologies will give you the best options, since:
It has the most up to date app security options
It is designed to be web, mobile and API friendly
Access tokens are designed to cross domains
WILL OAUTH DO EVERYTHING?
No it will not - you will need to build most of the above behaviour yourself, and implement a software architecture, as for any other security technology.
An Authorization Server will externalise logins / passwords and issue tokens. Your apps will then need to implement 'flows' including:
Web token based security and session management
Mobile token based security and session management
API token validation and claims handling
Integrating third party security libraries
GUIDANCE
When new to OAuth tech the best choices and design patterns are not clear, as you indicate. If it helps, my blog has some details you may find useful, but it is not a simple journey:
Step by step tutorials and code samples
Design posts on the tricky areas
Blog Index
This is not a Solution but an article I stumbled upon which explain the terminologies involved in user authentication and SSO.
Laravel authentication an overview
Hope this helps others who are looking for an answer like me now or in future.
There are four Laravel 7 projects, Project A going to use project B some routes. For sure project B needs to check if the request is authenticated or not. So there is a need to have a specific auth server for that handle authentication of all 4 projects.
Any idea or implementation of this pattern?
This is a very opinion based question, but what you're describing is similar to a microservice or distributed architecture for your projects.
If you need the ability to have one login or one point to authorise all of these projects, then one OAuth service sounds like the right way to go.
I am currently working across 12+ projects at the moment that are all interconnected, Laravel based, microservices.
We use one Laravel OAuth service to handle logins across all of the projects.
To login to Project A, you are directed to the Login service to login and redirected back.
For API or machine-to-machine communication, we still use the Login service. To do so, we setup a personal access client inside the Login service and then create user accounts for the projects. We then generate a personal access token for each project.
When Project A makes an API request to Project B, Project B takes the authentication token and verifies it is valid against the Login service by calling an api/user endpoint.
If they don't all need one single login, then you may be able to get away without one and just generate local API tokens that consuming projects need to use to authenticate against that project.
At the moment we have a React application that uses OAuth2 for authentication and a second application that uses Laravel with Backpack. Is there any viable way to share the login between the two apps, as they are just two parts of the same system.
[UPDATED]
Additional information: both the Laravel project using session auth (https://laravel.com/docs/5.7/authentication) and the React application using OAuth 2 (https://laravel.com/docs/5.7/passport) will be running in the same browser. The intention is to make a seamless transition between these two parts.
Both Session auth and OAuth are using the default implementations provided by Laravel.
Short story behind the requirement - we have a system where the user can order products, but some of the users are also sellers. We have the Laravel project as the front-end shop part and the React app as a panel for moderating the products that you sell.
We have implemented SSO (Single Sign-On) for a group of websites with different domain names using passive federated identity (C#, ASP.Net MVC 3, WIF). The setup works fine as it follows the standard passive federation with login page hosted on STS.
www.brand1.com
www.brand2.com
...
www.sts.com (login page hosted here)
Now the client wants that login pages are implemented on each relying party so that the user does not get redirected to STS. The reason is that each relying party is a known brand therefore redirecting to a different domain name (hosting STS) is not acceptable for the respective brand. Customizing login pages on STS for each brand is not acceptable either.
Is there a way to move login pages to relying parties?
There are two routes you could go with this:
You can create a login page on each relying party that uses active federation to authenticate your users. This is dependent on the STS offering a WS-Trust endpoint.
If you have control over the STS code, you can simply have your relying parties POST the login credentials (username/password) to the STS, and the STS site would process the authentication request as before. This is an approach I've used successfully in the past.
Hopefully this helps.