I'm in the process of designing an API to service a browser web app. I want to design the API in a way where if the need arises, it can be used cross platform. For the first stage I want to implement user name and password authentication (I believe the terminology is grant_type = password). I've read up on OAuth 2.0 being a standard in practice and I have a few questions:
Is there a suggested way of binding tokens and token expiry dates to users in the database? Can this be done in one table, or is it better to keep them separate?
I want to polish up and verify username and password authentication works before exploring into having 3rd party authentication (Facebook, Google+, Twitter, etc...) Is there anything I should know ahead of time when creating the database tables and API to make sure it is extendable into these features?
I'm hearing a lot about JWT, is this considered a standard way of generating and returning tokens to the front end?
I am looking to build the API in PHP and I was going to use the implementation from https://github.com/bshaffer/oauth2-server-php but it looks like it is failing on PHP versions 7 and up. (I'm going to use 7.2 for this project.) It may also be easier to create it myself one piece at a time.
Any direction or insight into the above would be greatly appreciated. This will be my first stab at implementing an extendable authentication framework in an app.
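One way to lay out the user and token tables the question asks about, as an added example in plain PHP rather than code from the post or from oauth2-server-php: users and access tokens live in separate tables (one user can hold many tokens, and expiring or revoking a token never touches the user row), passwords are stored with password_hash(), and the database holds only the SHA-256 of each opaque bearer token so a leaked table does not yield usable tokens. The table and column names, the helper names and the one-hour lifetime are this example's own assumptions; it needs the pdo_sqlite extension to run as written.

```php
<?php
// Added example: grant_type=password token endpoint and bearer check (not from the post).
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600; // assumed lifetime for issued access tokens

function open_db(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory SQLite stands in for MySQL here
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL)');
    // Tokens are keyed by their hash; the raw token is never stored.
    $db->exec('CREATE TABLE access_tokens (
        token_hash TEXT PRIMARY KEY,
        user_id INTEGER NOT NULL REFERENCES users(id),
        expires_at INTEGER NOT NULL,
        revoked INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

function register_user(PDO $db, string $username, string $password): void {
    // password_hash() picks a random salt and a slow hash (bcrypt by default).
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Handles grant_type=password: verifies the credentials, mints a random opaque
// token, stores its SHA-256 with an expiry and returns the OAuth-style response.
function issue_token(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // identical result for unknown user and wrong password
    }
    $token = rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '='); // 256-bit, URL-safe
    $expiresAt = time() + TOKEN_TTL_SECONDS;
    $ins = $db->prepare('INSERT INTO access_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $ins->execute([hash('sha256', $token), $user['id'], $expiresAt]);
    return ['access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => TOKEN_TTL_SECONDS];
}

// Resolves an "Authorization: Bearer <token>" header value to a user id, or null
// when the token is malformed, unknown, revoked or expired.
function authenticate_bearer(PDO $db, string $authorizationHeader, ?int $now = null): ?int {
    if (!preg_match('/^Bearer\s+([A-Za-z0-9_-]+)$/', $authorizationHeader, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, expires_at, revoked FROM access_tokens WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $m[1])]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['revoked'] === 1 || (int) $row['expires_at'] <= ($now ?? time())) {
        return null;
    }
    return (int) $row['user_id'];
}

// Demo run with constructed data; in the real API the username/password come
// from the POSTed form fields and the header from the incoming request.
$db = open_db();
register_user($db, 'alice', 'correct horse battery staple');
$rejected = issue_token($db, 'alice', 'wrong password');
$grant = issue_token($db, 'alice', 'correct horse battery staple');
$userId = authenticate_bearer($db, 'Bearer ' . $grant['access_token']);
$expired = authenticate_bearer($db, 'Bearer ' . $grant['access_token'], time() + 2 * TOKEN_TTL_SECONDS);
var_dump($rejected, $grant['token_type'], $userId, $expired);
```

Keeping the tokens in their own table is also what makes the later third-party login step cheap to add: a Google or Facebook sign-in ends up creating or matching a row in users and then issuing a token through the same issue_token path, so nothing about the token table changes.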
I'm setting up around 4 Laravel 5.3 based apps at the moment, they are all part of one "ecosystem".
I plan to use a central Laravel app that will handle any user signup, user login and also hold all user details. These details will be used across the 4 separate Laravel web apps. I may also use these user details inside mobile apps in the future so I assume I'll need some sort of JWT based system to control this.
I've thought about using Laravel Passport to achieve this but I don't think this will work for this scenario. In all honesty, the documentation is not clear to me whether this is the sort of system it is designed for or if I need to use a different OAuth2 system. My understanding is it is for API authentication only, or am I wrong?
All my other Laravel apps will be on different servers so I can't share the database unfortunately. I need to implement a cross domain solution it seems.
Thanks in advance for any info on this, just to clarify that I am not asking you to code the script for me, simply to help point me in the right direction on how to do this properly - can't really show code on something I don't know!
I believe I have explained everything that I am trying to achieve here, and I have already done research but nothing seems to be clicking in my brain.
I think it depends on your business logic. Below is what I'm thinking:
If what you mean by multiple domains is subdomains (as you mentioned login.site.com), I think the simplest way is to use a site.com-wide cookie with Redis/Memcached as the session storage solution.
If they do have different domain names, and beyond the central site, users who visit site A also want site B's features (or content; those sites are closely connected), I think the JWT solution is the better choice.
In any other case, choose OAuth.
Well, maybe others have better ideas.
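For the different-domain case in the answer above, here is an added example (not code from the answer, and not Laravel Passport) of the JWT split a practitioner would want: the central app signs the token with an RSA private key, and each satellite app on its own server verifies it with nothing but the public key, so a compromised satellite can read tokens but cannot mint them. It uses PHP's openssl extension and the registered JWT claim names from RFC 7519; the issuer URL, audience values and 15-minute lifetime are assumptions.

```php
<?php
// Added example: RS256 JWT issued by a central login app and verified by another app.
declare(strict_types=1);

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string {
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// Central app: build header.payload and sign it with the private key.
function jwt_sign_rs256(array $claims, $privateKey): string {
    $header = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    $signature = '';
    if (!openssl_sign("$header.$payload", $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('JWT signing failed');
    }
    return "$header.$payload." . b64url($signature);
}

// Satellite app: returns the claims, or null on any failure. The algorithm is
// pinned to RS256 (the header's alg is checked, never trusted to pick the
// verifier), and issuer, audience and expiry are all enforced.
function jwt_verify_rs256(string $jwt, string $publicKeyPem, string $expectedIss,
                          string $expectedAud, ?int $now = null): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256') {
        return null;
    }
    $sig = b64url_decode($s);
    if ($sig === '' || openssl_verify("$h.$p", $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims)) {
        return null;
    }
    $now = $now ?? time();
    if (($claims['iss'] ?? null) !== $expectedIss) {
        return null;
    }
    if (($claims['aud'] ?? null) !== $expectedAud) { // string aud only; RFC 7519 also allows an array
        return null;
    }
    if (!isset($claims['exp']) || !is_int($claims['exp']) || $claims['exp'] <= $now) {
        return null;
    }
    return $claims;
}

// Demo with a freshly generated key pair (constructed). In deployment the
// central app keeps the private key; only the PEM public key is copied to the others.
$privateKey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$publicKeyPem = openssl_pkey_get_details($privateKey)['key'];

$token = jwt_sign_rs256([
    'iss' => 'https://login.example.com',  // assumed central app URL
    'aud' => 'app-a',                      // assumed identifier of the satellite app
    'sub' => '42',                         // user id in the central database
    'iat' => time(),
    'exp' => time() + 900,
], $privateKey);

$ok        = jwt_verify_rs256($token, $publicKeyPem, 'https://login.example.com', 'app-a');
$wrongAud  = jwt_verify_rs256($token, $publicKeyPem, 'https://login.example.com', 'app-b');
$tampered  = jwt_verify_rs256(substr($token, 0, -2) . 'AA', $publicKeyPem, 'https://login.example.com', 'app-a');
$expired   = jwt_verify_rs256($token, $publicKeyPem, 'https://login.example.com', 'app-a', time() + 3600);
var_dump($ok['sub'] ?? null, $wrongAud, $tampered, $expired);
```

Issuing one token per audience (one per satellite app) rather than a single token for all of them means a token stolen from site A cannot be replayed against site B, which is the cross-domain risk this layout is meant to contain.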
I have a Geoserver instance which serves my spatial data in WFS / WMS / WMTS formats that I then use within an Openlayers 3 application.
What I am now looking at is introducing authentication but I am struggling to work out the best way of doing it.
I want to be able to use my data within my OL3 application, but impose authentication if anyone wishes to access the data via desktop software such as QGIS.
Is the only approach I can take to introduce authentication on Geoserver, and then enable the layers to be used in OL3 through authenticating them? How would this be achieved?
I am thinking that PHP can be used here which would hold the username and password, that can then be passed to OL3 when a layer is requested?
This is a theoretical question and would like some advice on the best approach to take for this scenario.
Thanks
I have read a lot of documents regarding this, a few of which are as follows:
http://www.opengroup.org/security/sso/sso_intro.htm
http://www.authenticationworld.com/Single-Sign-On-Authentication/
http://merbist.com/2012/04/04/building-and-implementing-a-single-sign-on-solution/
https://wiki.queensu.ca/display/itsd/Single+Sign-On
I know the concept now, but my client already has a system built which has its own authentication system already in place and working, and now I need to implement this concept for him all over his application.
He has given me access to only one of the main applications where I can implement this, but now the problem is that the client is not ready to give access to the other applications.
So is there any way I can implement some plugin and ask the client to call this every time for authentication, and implement single sign-on?
It would be really helpful if anyone can give me the basic building block or Steps to implement this.
You can make SimpleSAMLphp your IdP to implement Single Sign-On for your client application. SimpleSAMLphp (the IdP) will take care of the authentication. This is a lightweight IdP where you can store the user info and payload as a configuration file.
Refer to the link below to configure SimpleSAMLphp.
https://simplesamlphp.org/docs/stable/
I have a small web app written in php / mysql that stores customer information and does various things with it.
One of my users has expressed interest in integrating my app with the custom software (also web-based) that they use for setting up customer appointments.
Basically they want a system where, when they create a new customer account using their online software, that information is automatically relayed to my application, to create the customer account on my end as well. This would save them having to enter the same information twice.
I am wondering what your suggestions are for the easiest way to approach something like this? Do I have to create a full-blown RESTful API? (I have never done anything like that before and am not really sure where to start with such a thing.) Or is there a simpler way?
Any ideas or suggestions would be much appreciated. Thanks (in advance) for your help!
In order for another application to communicate with yours, you will have to create some type of API, whether it be RESTful or not.
Personally, I recommend REST as it is fairly trivial to setup and there are LOTS of tutorials on the internet to show you how. If you use Zend Framework, it's 10x easier as they have a REST controller you can extend and quickly build an API with.
Something very simple, which has worked for me, is to simply accept the information as a POST. The other application will send the information via POST, which you process in your PHP, and store it in MySQL. If the data is sensitive, you can set up a cert and go over SSL.
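The plain-POST approach in the answer above works, but the receiving script still has to know the request really came from the partner's software and not from anyone who found the URL. As an added example (not code from the answer or from either application), here is a receiver that authenticates each POST with an HMAC over a timestamp and the raw body using a shared secret, rejects stale or altered requests, validates the fields, and inserts with a prepared statement. The header names, the five-minute window and the JSON field names are assumptions; the database is an in-memory SQLite stand-in and needs pdo_sqlite.

```php
<?php
// Added example: HMAC-authenticated POST endpoint for partner-created customer records.
declare(strict_types=1);

const SHARED_SECRET = 'replace-with-a-long-random-secret-kept-in-config'; // assumed; never hard-code in production
const MAX_SKEW_SECONDS = 300; // assumed replay window

// The signature the partner must send: hex HMAC-SHA256 over "timestamp\nbody".
function sign_request(string $secret, int $timestamp, string $body): string {
    return hash_hmac('sha256', $timestamp . "\n" . $body, $secret);
}

// Returns the validated customer array, or an error string for a 4xx response.
function accept_customer_post(array $headers, string $rawBody, ?int $now = null) {
    $now = $now ?? time();
    $ts = $headers['X-Timestamp'] ?? '';   // assumed header name
    $sig = $headers['X-Signature'] ?? '';  // assumed header name
    if (!ctype_digit($ts) || abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return 'stale or missing timestamp';
    }
    $expected = sign_request(SHARED_SECRET, (int) $ts, $rawBody);
    if (!hash_equals($expected, $sig)) { // constant-time comparison, known value first
        return 'bad signature';
    }
    $data = json_decode($rawBody, true);
    if (!is_array($data)) {
        return 'body is not a JSON object';
    }
    $name = trim((string) ($data['name'] ?? ''));
    $email = filter_var($data['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || $email === false) {
        return 'name and a valid email are required';
    }
    return ['name' => $name, 'email' => $email];
}

function store_customer(PDO $db, array $customer): int {
    $stmt = $db->prepare('INSERT INTO customers (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $customer['name'], ':email' => $customer['email']]);
    return (int) $db->lastInsertId();
}

// Demo with a constructed request. In the real script the headers come from
// getallheaders(), the body from file_get_contents('php://input'), and the
// endpoint is served over HTTPS only so the body and secret-derived signature
// are not exposed on the wire.
$body = json_encode(['name' => 'Ada Lovelace', 'email' => 'ada@example.com']);
$ts = time();
$headers = ['X-Timestamp' => (string) $ts, 'X-Signature' => sign_request(SHARED_SECRET, $ts, $body)];

$result = accept_customer_post($headers, $body);
if (is_array($result)) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT UNIQUE NOT NULL)');
    echo 'stored customer #', store_customer($db, $result), PHP_EOL;
} else {
    http_response_code(400);
    echo $result, PHP_EOL;
}

// A body altered in transit or a request replayed outside the window is refused.
$tampered = accept_customer_post($headers, str_replace('ada@', 'eve@', $body));
$replayed = accept_customer_post($headers, $body, $ts + 2 * MAX_SKEW_SECONDS);
var_dump($tampered, $replayed);
```

Signing the raw body rather than the parsed fields matters: the check must run on exactly the bytes the partner signed, before any decoding, so that two different bodies that decode to the same PHP array cannot both pass.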
I am creating a little flash game for the facebook platform, but I am finding it very difficult to get any decent documentation on the graph api and the PHP SDK, so if anyone has a decent resource for a beginner to go and learn the basics, I would appreciate it very much, as I am struggling to grasp the concept.
Thanks!
I agree that the docs can be pretty hard work for Facebook. If you are looking to use the Graph API though, bear in mind that it is just a REST API that uses OAuth for authentication, much the same as Twitter, SoundCloud etc.
The most awkward bit I found was authenticating properly, so I would suggest checking out the OAuth website
http://oauth.net/
They also have some PHP samples which were what I used as a starting point. I'd definitely recommend starting from these rather than trying to build your own setup from scratch.
http://oauth.googlecode.com/svn/code/php/
I also found it handy to refer to the docs on some of the other sites that use OAuth, such as Twitter and SoundCloud, as it helped build my overall understanding of what is going on, even if there were a few small differences from one site to another
http://apiwiki.twitter.com/Authentication
http://wiki.github.com/soundcloud/api/02-authentication
Personally I would suggest just trying to do a basic OAuth-authenticated request to begin with. Facebook Graph has a few extra options such as using scope for extended permissions. Whilst you will probably need to use these in the end, once you get your head round the signing mechanism it's easy enough to add in these extra details.
Once you have got the hang of signing requests, it is just a case of requesting the appropriate endpoint for what you want using either curl or any other method that takes your fancy.
Hope this is of some use
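The "signing mechanism" the answer above refers to is the OAuth 1.0a request signature that the oauth.net PHP samples and the Twitter docs of that era used (RFC 5849, HMAC-SHA1). One caveat a practitioner should know: Graph API calls themselves carry an OAuth 2.0 access token and are not signed this way, so the example below applies to the OAuth 1.0a services the answer also lists, not to Graph. It is an added example in plain PHP, not code from the answer or from oauth.net; the request, consumer key and secret, token and token secret are the illustrative values from RFC 5849 section 1.2, and the nonce and timestamp are generated at run time.

```php
<?php
// Added example: build the OAuth 1.0a signature base string and HMAC-SHA1 signature.
declare(strict_types=1);

// RFC 5849 section 3.6 percent-encoding: only RFC 3986 unreserved characters
// are left alone; rawurlencode() implements exactly that in PHP.
function oauth_encode(string $s): string {
    return rawurlencode($s);
}

// Section 3.4.1.3.2: encode each name and value, sort by name then value,
// then join as name=value pairs with '&'.
function oauth_normalize_params(array $params): string {
    $pairs = [];
    foreach ($params as $name => $value) {
        $pairs[] = [oauth_encode((string) $name), oauth_encode((string) $value)];
    }
    usort($pairs, function (array $a, array $b): int {
        return $a[0] === $b[0] ? strcmp($a[1], $b[1]) : strcmp($a[0], $b[0]);
    });
    return implode('&', array_map(function (array $p): string {
        return $p[0] . '=' . $p[1];
    }, $pairs));
}

// Section 3.4.1.1: METHOD & encode(base URL) & encode(normalized parameters).
// The base URL drops the query string and default ports; query parameters are
// folded into the signed parameter set instead.
function oauth_base_string(string $method, string $url, array $params): string {
    $u = parse_url($url);
    $scheme = strtolower($u['scheme']);
    $host = strtolower($u['host']);
    $port = '';
    if (isset($u['port']) && !($scheme === 'http' && $u['port'] === 80) && !($scheme === 'https' && $u['port'] === 443)) {
        $port = ':' . $u['port'];
    }
    $baseUrl = $scheme . '://' . $host . $port . ($u['path'] ?? '/');
    $query = [];
    if (isset($u['query'])) {
        parse_str($u['query'], $query);
    }
    return strtoupper($method) . '&' . oauth_encode($baseUrl) . '&'
        . oauth_encode(oauth_normalize_params($params + $query));
}

// Section 3.4.2: HMAC-SHA1 keyed with encode(consumer secret) & encode(token secret),
// base64-encoded. The token secret is empty for the first (request-token) call.
function oauth_hmac_sha1(string $baseString, string $consumerSecret, string $tokenSecret = ''): string {
    $key = oauth_encode($consumerSecret) . '&' . oauth_encode($tokenSecret);
    return base64_encode(hash_hmac('sha1', $baseString, $key, true));
}

// Produces the Authorization header value for one signed request (section 3.5.1).
function oauth_authorization_header(string $method, string $url, array $bodyParams,
                                    string $consumerKey, string $consumerSecret,
                                    string $token = '', string $tokenSecret = ''): string {
    $oauth = [
        'oauth_consumer_key'     => $consumerKey,
        'oauth_nonce'            => bin2hex(random_bytes(16)), // unique per request
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_version'          => '1.0',
    ];
    if ($token !== '') {
        $oauth['oauth_token'] = $token;
    }
    $base = oauth_base_string($method, $url, $oauth + $bodyParams);
    $oauth['oauth_signature'] = oauth_hmac_sha1($base, $consumerSecret, $tokenSecret);
    $parts = [];
    foreach ($oauth as $name => $value) {
        $parts[] = oauth_encode($name) . '="' . oauth_encode($value) . '"';
    }
    return 'OAuth ' . implode(', ', $parts);
}

// Demo using the RFC 5849 section 1.2 values (constructed; nothing is sent).
// The query parameters in the URL are part of what gets signed.
$url = 'https://photos.example.net/photos?file=vacation.jpg&size=original';
$header = oauth_authorization_header('GET', $url, [],
    'dpf43f3p2l4k3l03', 'kd94hf93k423kf44',       // consumer key and secret
    'nnch734d00sl2jdk', 'pfkkdhi9sl3r4s00');      // access token and token secret
echo $header, PHP_EOL;
// To send it: $ch = curl_init($url); curl_setopt($ch, CURLOPT_HTTPHEADER, ['Authorization: ' . $header]);
```

The most common mistakes when doing this by hand are all visible in the base string: a lower-case method, a query string left in the base URL, parameters sorted before encoding rather than after, or urlencode() (which turns spaces into '+') instead of rawurlencode(). Printing the base string and comparing it with the one the provider reports in its error response usually finds the problem faster than re-reading the spec.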