Currently I developing web application client using laravel 5.7. The web client is thin and mainly processing via REST API from AWS gateway. The user authentication also handle by Cognito user pool via AWS gateway (which returned access, refresh token upon username&password).
As described above, is this belongs good practice? I looking way to build the user controller methods (to validate and handle access/refresh token) and best way to store the client id and client secret. My view in laravel will pass the user data(in plain request) in form to controller.
I studied the laravel pasport which might useful but since my web client totally depends on API gateway. I don't think I should implement API again in my web client using Pasport. (correct me if I'm wrong)
Any example/article/tutorial/suggestion?
Related
I use firebase authentication in my laravel project and I am curious if there is such a way to give users roles/permissions.
Normally I use laravel authorization to get over it but now my user data are on the firebase.
Firebase Authentication (as its name implies) only handles authentication: verifying the user's identity. It intentionally does not provide any form of authorization: determining what the user's access permissions are.
Many of Firebase's other products have their own authorization mechanism that builds on top of Authentication, such as the server-side security rules of the Realtime Database, Cloud Firestore, and Cloud Storage.
You will need to do something similar in your own server-side code to implement authorization for your app. You'll typically follow this recipe:
Pass the ID token of the user from the client to your server-side code.
Decode and verify the ID token to securely determine who the user is.
Look up the authorization of the user, either in a data store of your own, and/or from the custom claims from their token.
Enforce that the user only accesses the data they're authorized for.
This is pretty much the same process that Firebase's own services also follow.
What's the different if I used a column in users table api_token for token auth, and if I used JWT or passport Laravel ???
My app is an e-commerce contains an API for mobile apps!
Token-based authentication is a protocol which allows users to verify their identity, and in return receive a unique access token. During the life of the token, users then access the website or app that the token has been issued for, rather than having to re-enter credentials each time they go back to the same webpage, app, or any resource protected with that same token.
JWT is aJSON web token (JWT) is an open standard. The finished product allows for safe, secure communication between two parties. Data is verified with a digital signature, and if it's sent via HTTP, encryption keeps the data secure
JWT has some limitations like,JWTs rely on a single key. If that key is compromised, the entire system is at risk and you can’t push messages to all clients, and you can’t manage clients from the server side.
Laravel Passport is native OAuth 2 server for Laravel apps. Like Cashier and Scout, you'll bring it into your app with Composer. It uses the League OAuth2 Server package as a dependency but provides a simple, easy-to-learn and easy-to-implement syntax.Passport exposes a JSON API for your frontend to consume to let you manage your clients and tokens.
Out of the box, Passport comes with Vue components that show how you might want to interact with this API in your app. You could use these components and call it done, or you could write your own tool to interact with the API.
You have to do long working Laravel Passport and it is time consuming and cinfusing.
Token-based authentication is better than JWT annd Laravel passport.
The scenario
So I am building an app that should display data from my Xero account to the users. Users should not be able to login via OAuth2 to my web app so that's why I need persistent auth token that is independent from the users login. The current API authentication implementation from Xero does not allow that and the token expires in 30 minutes so I need a way to do this somehow in the background or with any kind of persistent token (which is not available as I can see in their docs for Auth)
Stack
I am using Laravel with the package Xero Laravel and this one's using the XeroPHP package in its core as dependency. Currently I am using Postman to do refresh token requests and I am adding the token manually (for testing purposes of course). This should not be the case when it goes on production, though. So I need a way to somehow "store" or refresh the token globally for the whole app and using only my account as an Authorization to Xero.
Problem summary
My web app need to fetch data (invoices data in particular) from my Xero account and no OAuth tokenization is required for the users (since I am using the native Laravel Auth for this purpos) that are going to read this data in a GUI.
How should I accomplish this without OAuth2 (if there is any way) or how I can do this if only my account is the "global" one for the app?
The other comments are correct that there is an initial required step to have the user that you are calling API endpoints on behalf of to authorize your API application.
Once you have their valid token_set ( access_token, refresh_token, expiry, etc.. ) you can store that securely and continue making offline_access api calls on their behalf. Note that you must programmatically refresh the token_set at least once every 60 days for it to remain valid.
I'd also recommend checking out the Xero supported libraries for help getting started quickly:
https://github.com/XeroAPI/xero-php-oauth2
https://github.com/XeroAPI/xero-php-oauth2-starter
Thanks to #droopsnoot for linking the video explaining how this works:
https://www.youtube.com/watch?v=Zcf_64yreVI
I am having a PHP based application, that uses MySQL as the DB. I am currently trying to build a real-time messaging system for the users in the application. I have found Firebase to be a very good solution for building this. However, I am not sure if the architecture I am planning is compatible with the architecture am planning. Digging through the documentation didn't really get me the answers.
My Doubts are:
I don't want users to again login to use chat, so I want to
authenticated via the server (i.e from php).
I want, the further chat/messaging to happen from client to Firebase directly as I don't want to have unwanted overhead on my server, especially when a direct connection is not only supported but also efficient.
Can I authenticate via php and get some secret key or something and then use that to connect securely via Js?
I found this link which talks about custom authentication system. But am not sure, if this is what I have to use. And if the solution am planning is scalable and ok.
Firebase Auth persists the session on the client via localStorage/indexedDB and is a headless API that doesn't require a hosted server. So you are not required to authenticate the user via your server.
You can definitely build the messaging app entirely on the client with real-time database without routing traffic to your server. Here is an example of a chat app built with Firebase: https://github.com/firebase/friendlychat
If you already have an existing authentication system, you can use custom auth which requires that you mint a custom token after you authenticate a user with your system, you then send that custom token to the client and then signInWithCustomToken. Here is some code to create a custom token with PHP: https://firebase.google.com/docs/auth/admin/create-custom-tokens#create_custom_tokens_using_the_firebase_admin_sdk
If you don't have an existing auth system, you can entirely run the authentication on the client side. Another good library for authentication that is built on top of Firebase is FirebaseUI: https://github.com/firebase/firebaseui-web
I am creating an react-native-ios app that communicates with a php web app hosted on azure.
How I understand it works:
The user signs up to the app, the server communicates with auth0 server which then returns a JWT token to the php server, saves the token to the database and then sends the token back to the client-device where it is then stored on device.
The user must send the JWT token as a header whenever communicating with the server.
Whenever the user logs out the token is deleted and when signing in, a new JWT must be received.
The user can sign in via using credentials that match what is on the database or sign-in with Google or facebook.
Or is Auth0 just for signing-in with enterprises such as Google or can I use it to sign in to my app also that has login credentials on the database?
I have found the
npm react-native-lock-ios but it doesn't work the way I described above.
In summary, How should I go about this and is what I have explained above correct?
The main problem here is that you did not understand how to work with JWTs. I would advise you to take a deeper look on how this technology works and how Auth0 can help you. But, in summary, this is the workflow for authentication that you must aim:
Your user will choose one of the many identity providers supported by Auth0(e.g. Facebook, Twitter, LinkedIn, SAML, WS Federate and so on).
Your react native app will communicate directly to Auth0 API through the react native lock.
Auth0 will interface with the chosen provider and redirect the user to an authorization page in this provider (case it is needed and it is the first time the user logs in).
Auth0 will generate a JWT and send back to your react native app.
Your react native app will send this JWT to the server (usually on the Authorization HTTP header) when issuing requests to your endpoints.
Your PHP backend will check if this JWT is really valid. This is can be done with Auth0 PHP SDK.
In case the JWT sent has not been tampered (changed irregularly), your backend will accept it as the user identifier and respond the request as expected by your react native app.
As you can see the biggest issue in the approach that you thought you would follow is that the login process does not go through your backend server. It happens on your front-end app (react native) communicating with Auth0 and the identity provider chosen.
JWTs are tokens that hold information (claims) about a subject. These tokens can be validated by anyone that possess a key (public or private). That is, having this key you can validate the token and can rest assured that it has not been changed improperly.
Further more, to answer the question regarding the usage of Auth0 with credentials on your database, you can bet that you can use it. Auth0 provides ways to integrate with your own database to check the existence of a user. This is called a customer user store.
Happy studying.