OpenID for CodeIgniter Apps - codeigniter

So I'm building a cloud platform to handle a bunch of CodeIgniter Apps.
The idea is to share credentials between those apps, so the user can purchase App1 and App2 with the same account.
One process can be described like :
The user view the Site : http://myapps.tld
The user creates an account on http://myapps.tld
The user browses apps on http://myapps.tld/apps
The user purchases App1 && App2
there is a registration form on the main site (let say 'http://myapps.tld')
The user enter his same credentiels (of http://myapps.tld) on http://myapp1.tld and http://myapp2.tld
The authentication on http://myapps.tld is coded from scratch (very basic one).
I think that a way of achieving this is to use an OpenID mechanism built on http://openid.myapps.tld and whenever a user have the need to authenticate with an app from the platform he will be redirected to openid.myapps.tld to confirm/verify his credentials and redirected back to his app completely identified.
Is OpenID the right choice for me ? can I rely on it to handle authentications on the main site and the different apps ?
If so, I've seen a library or two for implementing OpenID on CI 2 but if you have some tips/tutorials, I'll appreciate the sharing :)
I'm thinking also of adding the same OpenID mechanism for 'forum/wiki/blog' tools/services so again the user/client wouldn't have to create multiple accounts to use whatever service/app on the platform.
Thanks in advance !

OpenID is the way to go. There are a couple of sparks on getsparks.org:
The latest oauth2 is the probably the best option.
http://getsparks.org/packages/oauth2/versions/HEAD/show

Related

Multi Domain with single login,

I have been planning to create a laravel+vuejs apps stretching across subdomains (presentation creator, forms creator, polls creator etc.,each in a subdomain) and will have 2 version of the same web app (indian version with different languages and content and international with different language and content) in 2 different domain say domain.in and domain.com but I want users from any app or domain to login with the single user login say from passport.domain.com we have WAP versions of the websites served from wap.domain.in and wap.domain.com and also mobile apps for both.
Now, normal users based on the userid and password, the user from .com domain will
be able to access apps and content only from .com domain and .in
will be able to access only from .in
Users will be able to login using facebook, linkedin, google, etc.,
We will have only a single app for iOS and Android and based on the username and password the apps will be able to access corresponding domain.
wap sites will login using the same passport.domain.com
mobile app will be able to access data from the domain through an appID and Key.
others will be able to embed the presentations and forms into their website using an api key and secret.
certain users will be able to transfer data created in one domain to another user in the other domain
admin users will be able to transfer data from both domains.
other platforms may be able to login using the user id from this platform.
is all this part of SSO (Single sign on) ?
is this achievable in laravel ?
is it advisable to write the sign in server in a different framework ?
different tech like SAML Outh2.0 and Open ID with terms like Authorization, authentication and id provider make it all confusing and baffling for a start up.
can some one tell me what tech are involved in the above process. and what one should be aware before jumping in to start development.
That's a lot of questions :)
IS IT POSSIBLE?
OAuth 2.0 based technologies will give you the best options, since:
It has the most up to date app security options
It is designed to be web, mobile and API friendly
Access tokens are designed to cross domains
WILL OAUTH DO EVERYTHING?
No it will not - you will need to build most of the above behaviour yourself, and implement a software architecture, as for any other security technology.
An Authorization Server will externalise logins / passwords and issue tokens. Your apps will then need to implement 'flows' including:
Web token based security and session management
Mobile token based security and session management
API token validation and claims handling
Integrating third party security libraries
GUIDANCE
When new to OAuth tech the best choices and design patterns are not clear, as you indicate. If it helps, my blog has some details you may find useful, but it is not a simple journey:
Step by step tutorials and code samples
Design posts on the tricky areas
Blog Index
This is not a Solution but an article I stumbled upon which explain the terminologies involved in user authentication and SSO.
Laravel authentication an overview
Hope this helps others who are looking for an answer like me now or in future.

Login to my own webapplication with another website's credentials(eg: login with google)

I have developed a web application (spring mvc, spring security) which has a its own login.
Now I want to change the application to login with an another web site's (2nd web) credentials and also need to get some user details from 2nd website.eg: username, user role list for create authentication object.
Please help me to choose best way to do this.
Is openID or oauth2 better for my client application?
OpenID and oAuth are 2 different things.
Lately, Google announced it stops supporting OpenID, so maybe oAuth2.0 is a better option for you.
Note that if you choose oAuth of 3rd-party, you force your users to have account there. for example, if your application (the resource server) uses Facebook for authentication/authorization, your users will HAVE TO have account on Facebook (you want that?!).
If you work with OpenID, your users have several options of where to hold their account...
If you have another 3rd party (or in-house, it does not really matter) authentication server and you want to authenticate your users with it - you have to know what specifications it supports. For example, if it supports oAuth2.0, you can pretty easily configure your app to work with it.
Hope that helps...
If I understand you correctly, you are talking about using Social Networks like Google+, Facebook, to be able to login to your application (This is identity services, where you don't have actual password, but rather access token with limited scope).
For that there is a Spring Social, project, that provides set of abstractions, for such kind of integration, including additional Spring MVC Controllers, needed for proper authentication in this Social Networks.

Non installable application and new regulations for publishing on google apps marketplace

I’m new with the marketplace and I’m developing an application to replace google's login with my app, which uses strong authentication.
To use it you don’t need to install anything, it’s only a matter of configuration of your google app. When you try to access mail.google.com/a/yourdomain.com it will redirect to our application where the validation process occurs, and after validating it will return to google web site.
Same happens with logout and password change, you will be redirected to my app.
When a user needs to change the account password, we use google admin api to change it, of course, it requieres a previous authorization from a domain user with administration privileges.
Question is, how to publish an application like this on the market place?, I don’t see how to do it according to the new regulations from november 19th, for example, the application type and the fact that it should be an installable listing.
Someone who can give me a hint or example.
Thanks in advance.
Fernando.
--- EDITED --- to answer to Koma
The thing is, we already have the application, what we're doing now is to do some changes to make it ready to use it with google apps.
There’s an option in the security section called “set up single sign-on (SSO)” where you configure 3 URL’s for:
Sign-in page URL (URL for signing in to your system and Google Apps)
Sign-out page URL (URL to redirect users to when they sign out)
Change password URL (URL to let users change their password in your system; when defined here, this URL is shown even when Single Sign-on is not enabled)
When you a user needs to change your account’s password you will be redirected to our application (because google have delegated that responsibility to Us). There, through OAUTH and Google Admin API, we will change the password for your google user.
We want to be listed in google’s marketplace as a solution for strong authentication delegating that functionality to our application, but we don’t see how because the user that will use our solution doesn’t need to install anything, and according to what I understand we are forced to upload something to be listed
Does that make sense to you?
From what I read, you want to replace authentication with your own. That's not feasible with a market place app.
You need to implement a SAML identity provider
https://developers.google.com/google-apps/sso/saml_reference_implementation

Is possible to create ACAccount with just login and password?

In my application (for Mac OS), I need to login to Twitter and check for new posts directly with login and password, which user will specify in my application.
Is it possible to do it with Accounts framework?
Maybe, somebody can show some example?
The Twitter API does not allow you to connect to a user account with username and password. This is called "Basic Auth" and it was removed by Twitter in June of 2010.
Twitter now requires developers to implement a system called "OAuth" in order to securely access Twitter accounts. This is more secure for users than Basic Auth because it means that users never have to hand over their user credentials to a third-party application.
OAuth can be daunting for new developers, and I strongly recommend that you look into libraries written by other developers who have already implemented OAuth so that you don't have to.
If you look at Twitter's Open Source Examples Page you will see many such libraries in a variety of different languages and platforms.
Good luck!

OAuth or CAS for lots of domains but just one app?

We're about to start allowing our users to point their own domains at their profile pages on our website, but I've run into a problem that I can't seem to get around.
We need to make sure that when any user who is logged into the main domain visits one of these custom domains that they are going to be logged in on this site too. I've been reading about a few different approaches. SSO, CAS, OAuth... but I'm not really sure if any of these fits what I need.
I'd love to hear some opinions on it.
CAS is a SSO, it means that you will authenticate only once (just for the first app) and then you will access all app without re-authenticating.
For every app in the "CAS galaxy", you'll get the profile of the authenticated user (a set of user attributes defined according to the app).
The main advantages of CAS are its simplicity and its efficiency.
I think it meets your needs.
OAuth is about authorization : it means you will need to authenticate and authorize, which generally leads to login page for authentication and confirmation screen for authorization.

Resources