I've been working on a "single sign on" framework for a company so that they can consolidate four copies of their employee database into one on their intranet server. I've got the functionality almost complete, but then I ran into one requirement problem.
When they go to https://secure.example.com, they want everything behind authentication and they MUST HAVE "remember me" functionality which is no problem. However, when they go to https://supersecure.example.com they want to force the user to "reauthenticate" for this single session.
I suppose it is also worth noting that https://supersecure.example.com and https://secure.example.com are two separate laravel projects.
A comparable example would be your phone making you type in your password every time you opened the store app.
TL;DR How do I disallow Auth::viaRemember() on specific routes?
What you need is something like OAUth2 server. May be check in to www.okta.com that will give you all the build in functionality for achieving this. Or alternatively write your own Authorization server and integrate your own custom api in Laravel 5. Google and Facebook also provide this type of SDK.
Related
I need to set up a single user registration and login page to work for separate Laravel applications or projects, such that if a user registers on the first application, he or she can use that profile to login into the other application without needing to register again on the second application.
The most basic approach would be to connect both projects to the same database, and make sure they both have the same application key (the APP_KEY entry) set in the .env file, as this is what is used for the EncryptionServiceProvider.
A more complete, and thought-through approach would be to implement some form of Single Sign On (SSO) in both projects. Something such as zefy/laravel-sso could be a good starting point.
Yet another option, if it fits your usecase, might be to implement Social Authentication instead. Each project would maintain their own record of users, but since authentication would happen via third parties, that might not matter. Socialite might be a good starting point for this.
A good approach is to ensure that in the other applications there is an authentication to the database or services warehousing the user credentials your application should be able to reach this endpoint and check if that user is already authenticated/validated/signed
you can check
https://www.cloudways.com/blog/setup-laravel-login-authentication/
Currently, I'm using laravel socialite to link between facebook and my first website. I have 2 website that is already published, let say first_web.com and second_web.com.
What I'm trying to do is, after user log in(using facebook acc) into first_web.com, at any time when the user wanted to go to second_web.com, he is automatically logged in using the facebook acc.
I did my research but there is no tutorial or sample that has done this. Any idea how to achieve this?
In my opinion, it could be solved like this:
(but I must warn to say that, personally, I don't like the way to login in multiple web-sites in one auth-call and there is a better way to make this by it's needs - to use call-to-auth way like Google, when you are redirecting to their website and selecting your google account - one redirect per one call):
First of all you must to understand that you must to save the token in both clients browsers - on both of your web-sites, there is no way to share the same JWT or Cookie between multiple websites - it's unsafe and unsecure and not logical, so you need to create two tokens. (I am not talking about one domain websites, I am talking about different websites on the different domains)
You can use the JSON Web Token JWT approach. For your project you can use Laravel Passport or tymondesigns/jwt-auth according to the installation tutorial.
After the successful socialite API-call - you must to create the JWT token (using the packages from the #1 point) and store it in the client browser for the first website - Cookie or JavaScript-local Storage - choose yourself what way is better for your needs. (you will find a tons of examples in the search about this).
Then from the first website make an AJAX-call (from the JavaScript client framework you are using) to an api with the already given credentials - you will be redirected, selecting your social account e.t.c.
And now, I would make some question with the modal window - "Do you want to share your data to our website #2" and in here there is a second call to socialite API with the redirect. There is no way to prohibit the usage of multiple redirect to your social site, because of the inner security of most socialite providers.
Redirect after your api for the second website and save the
second token into the second website client-browser.
Make your redirect to your first caller-website.
My personal advice - don't do that anyway.
It's not so problematic to make differential authentication in your websites. It's more unsecure to use the way you had questioned.
Good luck!
I'm currently working on a project, where the developer before me implemented the login into an intern tool via google Oauth 2.0
He does that, by just grabbing the user domain, after authenticating with google and checks if it is "ourCompany.com".
If yes, he renders the page, if not, he redirects the user to the login.
(So basically he does one oauth request per page view.)
I'm pretty new to Oauth 2.0 but as far as I understand it, this is not, how it should be used?
He wants to use Oauth, because his idea is to organize all our employees over google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)
He said I should "just also get the groups on each request" and that's it.
(Which I tried btw. as a "quick win" but couldn't manage to get them from google yet, not sure If it is even intended)
My understanding of how this should work is the following:
The user is redirected to the google Oauth 2.0 service with a scope to get his groups/organizations.
We get back an access Token, which I then would use to ask the google API for the users groups/organizations.
Based on these informations I would then set the users rights in our application itself. (For example The user is in a google group "author", then I would give him the author role in our application)
The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the Oauth service.
Does this approach make sense or is my colleague right with his implementation? The only benefits I see in his solution is, that we get "real time" information, if the user still is in a group or not.
But from what I've read about Oauth 2.0 so far, his implementation does not feel right for me, on the other hand I don't feel secure enough at this topic to say it's wrong.
So any explanations/opinions would be very welcome.
Additional informations about the project:
We use Laravel 5.4
I thought about using the "socialite" plugin (https://github.com/laravel/socialite) and for permissions (https://github.com/spatie/laravel-permission)
If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications does it.
There is also a question who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?
I would consider creating a separate access management for the application if:
There is a chance of people outside of your company using the application.
You needed to modify existing Google groups (if there are some) just to make them fit your application.
It looks like you can read user's groups by Google Directory API with an access token containing scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.
I think it's common to use LDAP (or MS Active Directory) as an access management for in-company applications, so the idea of using Google groups is not strange.
The auth sequence you described looks correct.
I'm building a site that has two areas: the main site, and an admin area.
The main site has to have Facebook login functionality (I'm looking at using Sammy K's Laravel Facebook SDK) and the admin area is just going to have a database-based login; basically the Laravel login system.
I'm wondering how to approach this, and whether anyone's done this before. Some design considerations:
Should I have two separate user tables?
Should I use two route filters, one for each auth type?
If I only have one user table, should I use different groups (somehow - I'm not sure they'll built in?) or some indicator to let the system know whether it's a database-based, user/password login, or just a Facebook login?
since you are using facebook SDK,
you don't need a user table to begin with in most cases/projects.
if you indeed want to use two different authentication, then yes, use one for each auth type.
assign different routes for each of the case. don't need to bring all those different entities together and make a sandwich.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
Single Sign On - how to implement?
I have 2 different web sites, one for promotion purposes and the other for selling the products using cs-cart.
How do i add the feature that will log a user into their cs-cart website when they log in to the promotion website?
This is a well known requirement called Single Sign On, and there's a few standards for implementing it. The basic concept is that one website (the identity consumer) can delegate user authentication requests to another website (the identity provider), rather than evaluating requests itself. In your case, one of your sites would be the provider while all your other affiliated sites would be the consumers.
The first standard is SAML, maintained by the OASIS standards group. SAML is open and massive, and most real world examples only implement a small subset of the entire SAML specification. Google has a SAML SSO integration and there's a pretty good PHP library called SimpleSAML that covers most of the desirable use cases.
Another standard that solves this problem is OpenID. I've never dealt with it, but a good example implementation is Stack Overflow itself.
There's also Facebook Connect that solve similar problems and relies on Facebook to be the identity provider.
This is a hot topic right now as specialized service providers seek to integrate their platforms with other providers. Good luck.
Create page site.old/superlogin.php that send user authorization cookie and redirect him to site.promo
After site.promo login redirect user to site.old/superlogin.php?token=userUniqueTokenToAuthIt (and it will be auth and redirected back)
You can easily if the sites work off the server so they can share the same database. You could use cookiese but I can't see a way where they could easily be changed and it not cause problems. How I would do it is have whenever they register/login it puts their IP in the database with the user information so that you can check the IP whenever they go to both sites.
You have site1 and site2.
User has logged in on site1.
When he visits site2 - browser is redirected to site1-authorization-page where it checks if the user is already logged in.
This script marks (in database of site2 or the same DB) user "logged_in_at_site2"=True (or something like that).
Browser is redirected to site2. (At this stage user is already marked as logged)
also a cookie for site2 must be created, to identify user after last redirection.
Good practice for you in understanding all this will be making login with social networks. (Facebook for example)
I have done that using Java, but also possible with PHP, you have an option of using cookies but that only works for same domain, also you can use third party solution (which I recommend) you can find Opensource solutions at
http://code.google.com/apis/apps/open_source_projects.html#sso
lemme know if you need help with that, Good Luck
Yes, only if this two sited share same database