How can I get my users from my Drupal 9 website (where my users sign in) to my OSTicket 1.17 website in another (sub)domain and get them logged in (SSO).
I can pass the userData object by posting it and transfer it with a CSRF token in the URL. The receiving website receives all data correctly. I can read the Array/Object now. How can I use this data to get logged in to OST?
If the user does not exist i can add him to the OST database so a valid ID can be used for the tickets but to get the user logged in is my only concern right now.
I have some data like this within my object:
id (Drupal ID)
username (Drupal username)
email (Drupal email)
password_hashed_encrypted (Drupal password)
I use an CSRF Token to keep things safe.
p.s. my OOP is the worst.
Any help is appreciated
Related
What I'm trying to do is implement a "log in with Facebook button" on my site. I think I have understood most of the Facebook JS API, yet I am not certain of how I securely can tie information in my own databases up against a Facebook user. My current theory is:
1. Register Facebook's UID for the user in database for further reference.
2. Tie all further information from the user (the infromation inputted by the user in the application) up to the user ID after verifying the Facebook access token (in the backend), to prevent user from adding/removing information on behalf of another user.
3. When the user makes a query for information, you verify the access token issued by the JS API in your backend up against Facebook's APIs before returning any information related to the user, to prevent the user from spoofing his own ID
Side note: Not sure if Stack Overflow is the correct place to post this question.I know that there is an enormous number of sub sections on Stack Exchange. If this isn't the place then let me know :)
I implemented a login with Facebook module in my recent node project. When the user logs into Facebook successfully, it usually returns a unique Facebook ID (along with a lot of other data). You could then create a relation table in your database that relates the unique Facebook ID with a special user ID for your site.
If you have facebook info you are going to need frequently like profile image... I would grab the url every time and store it in a session variable when the user logs in simply because it can change.
Users details are held in database table called user where I have fields username and password among others. Now, I need to give users additional option to login using facebook and twitter.
I know how to handle these authentications but what I can't think is -
How to identify which FB user account relates to which local user account? How do I do this?
I'm not looking for code but the process. The process in my mind is somewhat as below -
User logs in using username and password of my website. then they can add FB or Twitter as external authentication and when they do it I ask them to login to FB. On successful FB login I save some unique fb id (i don't know which as haven't checked yet) in the users table. Next time they can just login using FB as I'd be able to identify which local record they belong to. Is this how you would do this?
What would you suggest? Thanks for your inputs in advance.
PS - I'll be adding multiple networks (like linkedin and others) but at the moment fb and twitter only.
One way you can do this is :
#Registration
1. Allow the user to register with Facebook, Twitter
2. Once the process has completed, redirect the user to create a username on your site
3. Using the email obtained from Facebook, Twitter, and username from local form, insert all this information into a db table.
4. This will allow referencing between FB, TW, and local usernames
create a interrelated table which will hold userid, facebook or twitter userid, authentication type (facebook or twitter).
I'm building a Website (PHP), API (PHP) and a native iPhone app. I want users to login with their Facebook account so they can post reviews / upload photo's via the Website or iPhone app to our server/database. This will also save me time to create a complete user registration system.
I'm trying to figure out how to create a uniform architecture for this kind of a solution. I'm thinking about the following thing:
Registration:
Create a database table containing my users (table will have these fields: id, facebook_uid, firstname, lastname)
iPhone App login scenario: user logs in via Facebook; presses on allow to give permission for my app; returns to App with access_token (which is stored on his phone). After that makes an call to my own API to register the user (if not registered yet in database) with these information: facebook_uid, firstname and lastname.
Website login scenario: user login via Facebook; redirects to my configured return url and registers the user (if not yet in database) with these values facebook_uid, firstname and lastname
Posting a product review
Iphone App: Make an call to my API with the following parameter input: review_text, facebook access_token. My API will then make server side the API call to facebook to get facebook_uid. When I have retrieved the facebook_uid I insert into to the database the review record for this facebook user. (Instead of sending the Facecbook access_token I could have sent directly also the facebook_uid value to my API. But I thought this may be less secure, because anyone could then insert review on behave of other user if they know their facebook_uid)
Website: With help of the Facebook Connect PHP library FB login session is available so I can insert server side directly the review by reading the sessions facebook_uid.
Is this a correct and safe way of using Facebook as login for your own platforms? Or are there any other PHP modules/libraries I could use to simplify this?
Facebook has an existing api here
http://developers.facebook.com/docs/guides/web/
The page also contains a tutorial on how to implement this
For iPhone specific facebook login please look here
https://developers.facebook.com/docs/mobile/ios/build/#implementsso
I am in a similar scenario. Keeping the access_token on the phone seems like a good idea, then passing this via your API to verify the user on your own database seems like a good idea as well.
Wouldn't it be just as safe to encrypt the access_token and store it in your own database and check against that as opposed to constantly pinging the Facebook API i.e.:
Login via Facebook, get Facebook UID and access_token.
Store both the UID and/or access_token in your database encrypted via md5 / sha.
Each time your API makes a call, pass the access_token and check it against the one stored to verify the call?
I have a problem of thinking of how to integrate 3rd party login (also do silent register) on website where already is used regular login/register system.
Basically current login is quite regular:
As user enters website session
class determines if he need to
re-login.
When user login all kind of sessions and cookies are set and
user get access to restricted areas.
Users table in mysql has quite a lot fields also password fields.
What i wondering is how you create user entry in the same database table if it's not there and do full (silent) register for that facebook user.
Well i'm not sure what you mean by silent register, but you can simplify your regular signup process if the user is connected to Facebook.
This is what we do:
When a user comes to our website (unauthenticated - no cookie set in browser), we check to see if this user is connected to Facebook
If the user is connected to Facebook and has connected before, we "sign them in" to our website
If the user is connected to Facebook and has not connected before, we do a call to the Facebook Graph API to grab some user details (name, email, etc), redirect the user to our signup page and fill in most of the details using the Facebook info we just received.
We have a seperate database table for Facebook users - we store the Facebook Unique ID and the user's email address.
The email address is very important - this is what we use to perform a single sign on, as the user's Facebook email address should match the email address for the website.
OpenID is a safe, faster, and easier way to log in to web sites.
:D
use open id ...
there is many lib in this address http://wiki.openid.net/w/page/12995176/Libraries
each user can login with user in facebook and gmail and you must give each user id and relation models for access
I am also new to this but got some idea how to do and i would like to share it.
You can use the Javascript API provided by Facebook, Google+ etc to make login into the site. The API has in-built methods which invoked for authentication and pulling data from the user's account(which is customizable what user data to pull). In between the javascript code you can write ajax call to your server script with user data(got from the third party server) for making the user signup or login into your system, what ever want to do.
Yes the configuration of all these are bit headache :-(
I am developing a PHP/MySQL e-commerce site with some social aspects, and am looking to integrate it with Facebook. I already have a native user registration/session handling system. I have managed to include the iframe "Social Plugins" such as a "Like" button. But I really would like to offer users the option of registering with the site via Facebook over the native registration process.
I understand the idea of getting an access token via the OAuth protocol, and eventually getting a user ID. My concerns are two-fold:
Is this method secure? This is an e-commerce site, but I am not storing any credit cards or any other sensitive data. I can't think of how this could be exploited, but I am only one head!
I understand how to retrieve the initial token and get the user ID during the registration process. But how do I recognize a return (session) user? Do I have to implement the Javascript SDK for that (something I want to avoid)? Or, do I handle the sessions just like they already are handled natively, but replace a normal user ID in the session cookie with a Facebook user ID when appropriate?
I apologize if the answers are obvious. I have scoured Google and the Facebook documentation, but half the links I find are to deprecated FBConnect wiki articles, and the new docs are helpful, but sparse on the examples. I have no idea what is still supported, what is new, and how to do this!
Yes Oauth is very secure. Many many applications rely on it and there are no known ways to exploit it.
One way you could do this is store the Facebook id's of users so when they come back you can see that their id already exists in your records and know it is a returning user. Their session may be different (expired since last visit for example) so you don't want to store their access token; but their Facebook user id is always be the same.
How I basically integrated Facebook registration/login on my site is I added a facebook_id column in my users table and a "Register with Facebook" button. If the user clicks, authenticates with Facebook and I get back a session and the user is new, I redirect to the registration page, prefill as many fields as I can with data from Facebook (like their name), and add the Facebook id as a hidden input field. Therefore when they register, their facebook_id will be filled in the database. This is the same registration page as the standard one, so the only difference with a non-Facebook user is that the facebook_id field will be empty. If you want, you can also not require a password for Facebook users.
For the user to log in, the user would just click a "Login with Facebook" button and authenticate with Facebook. Once Facebook gives me the session, I log the user in as whatever user has the facebook_id as the one in Facebook's session. Since you are worried about security, I'll note that this session cannot be forged as it is signed with the application secret key that only you and Facebook know. If you use Facebook's SDK (which you should) you do not have to worry about the signing and signature verification. The fact that you can read coherent information from the session means that Facebook's SDK has verified it.
This Facebook page is a great guide on integrating registration with Facebook.