I have a Shopify store that uses a custom application for handling the checkout. So this custom application is hosted on another server and the functionalities are accessible via endpoints. The authentication to the Shopify store is handled by another SSO application.
So what happens is that the endpoints to the custom application are not completely secured. This is because since the user authentication is handled by another 3rd party application we don't have any control over it. So we are unable to retrieve the auth token whenever a user logs in.
This is restricting me from implementing a token-based authentication for the API endpoints. Is there any way to make the API's secure in this case? Any help is much appreciated.
FYI: The custom application is implemented using Laravel!
Related
Currently I developing web application client using laravel 5.7. The web client is thin and mainly processing via REST API from AWS gateway. The user authentication also handle by Cognito user pool via AWS gateway (which returned access, refresh token upon username&password).
As described above, is this belongs good practice? I looking way to build the user controller methods (to validate and handle access/refresh token) and best way to store the client id and client secret. My view in laravel will pass the user data(in plain request) in form to controller.
I studied the laravel pasport which might useful but since my web client totally depends on API gateway. I don't think I should implement API again in my web client using Pasport. (correct me if I'm wrong)
Any example/article/tutorial/suggestion?
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
I have two applications running under the same base domain.
docs.application.com goes to the documentation and it's written with PHP (Grav CMS).
www.appliation.com goes to my application which is written with Node and React.
Grav CMS has a Google oauth plugin that I am using and my application also uses Google oauth to login.
I would like to centralize the login on a way that I could login to any of the applications and be automatically logged in to the other one.
I've been reading about Central Authentication Service and Cross Domain Login but so far I wasn't able to manage a solution.
Any thoughts?
You have tagged this question with OAuth2 so I am telling about that.
Technically speaking OAuth2 is not Authentication tool but Authorization tool. However you can tweak it in such a way that you can use it for authentication.
Ideally you should create another application only for Authentication, say sso.example.com. All two application will go to that for Authentication.
In any SSO tool you use, your both application will become you 'service provider' and the sso application will become your 'identity provider'. You can use Shibboleth too for that matter.
If you use OAuth2 than only thing you will have to manage on client side is the token.
While shibboleth does that for you. Shibboleth act as authorization server too. You can configure it in such a way that, all two application will be not accessible unless user has active session in the SSO application.
I am creating a Restful server using Codeigniter, that will be accessed via a PhoneGap mobile app. I am not sure how to properly secure the API.
I am using this REST library: https://github.com/chriskacerguis/codeigniter-restserver
This post was helpful, but I have questions: Security PHP RESTful API
I setup codeigniter to store sessions in a table. I have secured using SSL.
Is a Session ID the same thing as a Token?
Do I need to set anything manually in a Auth Header? If so whcih side? On the REST server or in Angular?
I should point out that there are two facets to the app. One part behind a login, and one not.
Assign a token(random-string) to each user account. User should request all web services with a token.
Validate token on behalf of each user and then expose data.
I have a B2C application coded in Symfony2. Users arrives on my homepage and then signup. Once signup, my application authenticate this user, using the Authentication of Symfony 2. The authentication is persistent, so after the signup the user will be loggedin "forever".
But my users can interact with my application not only directly under my domain: there are websites, partners of my application, that allows their users to interact with my application. During this, the user remains inside the pages of the third party website.
In order to make this possible I've created, in Symfony, a set of API that allows third party websites to interact with my application. The API calls are made by Jquery.
Here comes my question: would my Symfony Controller who replies to API Calls, be able to recognize if the user who is on the third party website which is doing the API call is loggedin on my application or not?
I tried to check this:
if($this->get('security.context')->isGranted('ROLE_USER')){
But it always replies me with false.
If the API Call would have been made by PHP, I know it would be impossible. But it is made in JavaScript, so from the client (the user). That's why I think I would be able to recognize if the client who is calling my API from a third party website, is already loggedin on my application.
Thanks
I think you are looking for a SSO Solution. I've just implemented SSO in one of my projects using SamlSPBundle and SimpleSamlPhp. You would have to setup SimpleSamlPhp as an Identity Provider and all the participating Websites who want to use SSO as Service providers.