We're planning a new project which will feature an API available to customers to interact with our app from their own web sites and systems. However, never having built anything close to a full-fledged API in the past, I am not aware of any standards or recommendations that are available and could be used to make the API more easily adapted by our customers.
We will build the API using PHP, and some parts of the API will need authentication while others don't. As of today, I have read a little about OAuth, SOAP & REST, but I have no idea what is good practice.
What technology/standard is recommended to base an API for 2011+ upon?
There are a number of options, but I would suggest that you may find publishing a SOAP API from PHP quite tricky to maintain.
The reason for this is that there is no inherent WSDL generation within PHP, so you'll either have to roll your own (and modify it each time), or experiment with one of the 3rd party tools - none of which I have found particularly satisfactory in the past.
I would suggest that a more straightforward method for implementing an API in PHP would be to go down the RESTful route.
I would check out the choices made by successful APIs that are available through sites like Mashery or Programmable Web. By focusing on the successful API patterns before choosing a technology you will have a better chance that the API will work and be successful.
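As an added illustration of the "some parts need authentication, others don't" requirement from the question (this is not code from the answer above, just example code): a single-file RESTful front controller in plain PHP with a public route and an authenticated one. It assumes the script is called as `/api.php?r=/orders`, that clients send `Authorization: Bearer <key>`, and that the key store is constructed sample data; a real deployment would load key hashes from a database.

```php
<?php
// Added example (not from the answer above): a plain-PHP RESTful endpoint in
// which some routes are public and others require an API key. Assumptions:
// the front controller is called as /api.php?r=/orders, clients send
// "Authorization: Bearer <key>", and the key store is constructed sample data.
declare(strict_types=1);

// Only SHA-256 hashes of issued keys are stored, so a leaked table does not
// leak usable credentials. Constructed sample: one key, 'demo-key-123'.
function keyStore(): array
{
    return [hash('sha256', 'demo-key-123') => 'customer-42'];
}

// Returns the owner of the presented key, or null when the header is missing,
// malformed, or the key is unknown.
function authenticate(string $authHeader): ?string
{
    if (!preg_match('/^Bearer\s+(\S+)$/', $authHeader, $m)) {
        return null;
    }
    $presented = hash('sha256', $m[1]);
    foreach (keyStore() as $storedHash => $owner) {
        // hash_equals() compares in constant time; a plain === leaks timing.
        if (hash_equals($storedHash, $presented)) {
            return $owner;
        }
    }
    return null;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

// Route table: "METHOD /path" => [requires authentication?, handler].
// Handlers receive the key owner (null for public routes).
$routes = [
    'GET /status' => [false, fn(?string $owner) => ['ok' => true]],
    'GET /orders' => [true,  fn(?string $owner) => ['owner' => $owner, 'orders' => []]],
];

$key = $_SERVER['REQUEST_METHOD'] . ' ' . ($_GET['r'] ?? '/');
if (!isset($routes[$key])) {
    respond(404, ['error' => 'not found']);
    exit;
}
[$needsAuth, $handler] = $routes[$key];

$owner = null;
if ($needsAuth) {
    // Under Apache mod_php the Authorization header is not passed through by
    // default; enable it (e.g. CGIPassAuth On) or read it via getallheaders().
    $owner = authenticate($_SERVER['HTTP_AUTHORIZATION'] ?? '');
    if ($owner === null) {
        header('WWW-Authenticate: Bearer');
        respond(401, ['error' => 'unauthorized']);
        exit;
    }
}
respond(200, $handler($owner));
```

The two points worth keeping from this sketch are that the route table, not each handler, decides whether authentication is required (so a new route cannot accidentally be public), and that keys are compared as hashes with `hash_equals()` rather than as plaintext with `===`.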
Using Laravel for PHP and DBMS. How do I make an app? (for social networking).
I have googled most of the things, but I am really an amateur and need help.
There are many kinds of apps, so before you start to work on your app, you need to carefully determine what exactly you need. You could write desktop apps for various operating systems, or native mobile apps, or hybrids, or a web application... You name it. Anyway, Laravel is the server side, and it should be as agnostic to the apps as possible. You need to create an API and handle the following things:
CRUD for the database
session (log in, log out, register, password change, user settings)
logical API functions
file transfer protocol usage
push notification (if needed)
As per your requirements, you will need to implement the server-side API in Laravel, which is a PHP-based framework, and use an RDBMS, which could be MySQL, SQL Server, Oracle, or a NoSQL database, for instance MongoDB.
Before you implement any apps, you should have a proof-of-concept for the API. You should not invest too much time working out the details of the API, as when you are going to work on a real app, you will notice things to be changed anyway. The API should be accompanied by a playground for testing, maybe a very small app without design where you could send requests to the API. Or you can implement a WebSocket API to have a single, duplex connection. It is up to you.
As for how to write an API, there are many tutorials.
The story is that I need to make my website act as an Identity Provider (read: IdP). The website itself is on the Zend platform. The idea is to make an IdP controller through which Service Providers (read: SP) contact the IdP. As it must be part of the website, I would need to include some extension which could easily be used for responding to SAML requests from an SP.
I have found a list of PHP extensions at:
https://wiki.surfnetlabs.nl/display/OSP/RFC+-+OpenSAMLphp,+a+new+PHP+library+for+SAML+2.0+support
All of these extensions have little documentation or are too complex. For example, I haven't found a way to use SimpleSAMLphp in my application, and extracting useful code out of it also looks very time-consuming (which I really don't have any more). I also find all of them hard to integrate into a website.
I have been googling and checking GitHub for days now, trying to find an easy way to use some library (right now I'm trying to implement Lasso, which seems reasonable but unfortunately lacks good examples/information on how to use it as an IdP).
Any kind of criticism, ideas, help or tutorial/code examples would be useful.
I wrote a guide about how to deploy an IdP using SimpleSAMLphp on an open source product (Tiki Wiki), and how to connect the IdP to Google or Salesforce. Take a look:
https://github.com/pitbulk/tiki-saml/blob/master/doc/tiki_wiki_as_idp.rst
SimpleSAMLphp seems intimidating at first but it can handle all the SAML responses for you.
Have you looked at creating a custom authentication module? http://simplesamlphp.org/docs/stable/simplesamlphp-customauth
You can tie this module to your existing login mechanism pretty easily.
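To make the "tie this module to your existing login mechanism" suggestion concrete, here is an added example of such an authentication source (not the answer's own code, nor taken from the SimpleSAMLphp documentation). It assumes SimpleSAMLphp 1.x class names (`sspmod_*`, `SimpleSAML_Auth_UserPassBase`, `SimpleSAML_Error_Error`; the 2.x line moved these into namespaces), a module named `mysite`, a `users` table with `username`, `email`, `password_hash` and `display_name` columns, and config keys `dsn`, `user` and `pass`; all of these names are assumptions.

```php
<?php
// Added example (not from the answer or from SimpleSAMLphp itself): a custom
// authentication source for SimpleSAMLphp 1.x that checks the login form's
// credentials against an existing users table. Assumed names: module "mysite",
// a users table (username, email, password_hash, display_name) and the config
// keys dsn/user/pass. The sspmod_* and SimpleSAML_* class names are the 1.x
// API; 2.x moved them into namespaces.
class sspmod_mysite_Auth_Source_MyAuth extends SimpleSAML_Auth_UserPassBase
{
    private $db;
    private $dummyHash;

    public function __construct($info, $config)
    {
        parent::__construct($info, $config);
        $this->db = new PDO($config['dsn'], $config['user'], $config['pass']);
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Hash verified for unknown usernames so that response time does not
        // reveal which usernames exist.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    // Called by UserPassBase with what the user typed into the login form.
    // Must return the attributes to release to the SP, or throw WRONGUSERPASS.
    protected function login($username, $password)
    {
        // Prepared statement: the username is untrusted form input.
        $stmt = $this->db->prepare(
            'SELECT email, password_hash, display_name FROM users WHERE username = ? LIMIT 1'
        );
        $stmt->execute([$username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        $ok = password_verify($password, $row ? $row['password_hash'] : $this->dummyHash);
        if (!$row || !$ok) {
            // One error code for both "no such user" and "wrong password".
            throw new SimpleSAML_Error_Error('WRONGUSERPASS');
        }

        // SAML attribute values are always arrays of strings.
        return [
            'uid'         => [$username],
            'mail'        => [$row['email']],
            'displayName' => [$row['display_name']],
        ];
    }
}
```

The file lives at `modules/mysite/lib/Auth/Source/MyAuth.php`; it is registered in `config/authsources.php` as `'mysite' => ['mysite:MyAuth', 'dsn' => '...', 'user' => '...', 'pass' => '...']`, and the hosted IdP metadata points at it with `'auth' => 'mysite'`. The base class then renders the login page and drives the SAML response; the only code you own is the credential check.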
Check out PingFederate and the PHP Integration Kit from Ping Identity. Alternatively there is the Agentless Integration Kit (instead of PHP) which allows you to integrate using a RESTful API call to the PingFed server instead of embedding any PHP libraries.
HTH,
Ian
Q: How would you create an SSO? What would you do about authentication (separate app or same as SSO) and the user store?
Background info:
We have 40+ PHP apps, Java apps and Ruby apps.
Currently, we have a custom SSO+authentication solution. It's an app written in PHP that is now used as SSO, while supporting email/username/phone-number + password as authentication. It works, but was built for a few apps only, not originally meant to be the SSO solution. It doesn't have a usable view; every app creates its own login/register forms and uses the API. They share context and we'd like a more universal design.
Now we know we want to support OAuth and OpenID solutions, such as Facebook Connect, Google and more (or do we really?), in addition to the existing authentications. We can expand the existing PHP solution, but we are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does acquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers are in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
In a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
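Since CAS comes up in both the question and this answer, here is an added example of the CAS 2.0 service-ticket flow from the application's side (not the answer's code and not from the Jasig project), written in PHP because most of the apps in the question are PHP. It assumes a CAS server at `https://cas.example.com/cas` and an application callback at `https://app.example.com/login`; the XML replies are constructed samples standing in for a live `/serviceValidate` call.

```php
<?php
// Added example (not from the answer or the Jasig project): the CAS 2.0
// service-ticket flow from the application's side. Assumed: CAS server at
// https://cas.example.com/cas, this app's callback at https://app.example.com/login.
// The XML below is a constructed sample of a /serviceValidate reply.
declare(strict_types=1);

const CAS_BASE = 'https://cas.example.com/cas';
const SERVICE  = 'https://app.example.com/login';

// Step 1: send an unauthenticated user to the CAS login page.
function loginRedirectUrl(): string
{
    return CAS_BASE . '/login?service=' . rawurlencode(SERVICE);
}

// Step 2: CAS redirects back to SERVICE?ticket=ST-...; the app validates the
// ticket server-side with the same service URL. A ticket in the query string
// proves nothing by itself.
function validationUrl(string $ticket): string
{
    if (!preg_match('/^ST-[A-Za-z0-9._-]+$/', $ticket)) {
        throw new InvalidArgumentException('malformed service ticket');
    }
    return CAS_BASE . '/serviceValidate?service=' . rawurlencode(SERVICE)
        . '&ticket=' . rawurlencode($ticket);
}

// Step 3: parse the reply. Returns the authenticated username, or null on
// authenticationFailure or on anything that is not the expected document.
function parseValidationResponse(string $xml): ?string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET and no LIBXML_NOENT: the reply is parsed without network
    // access or entity substitution, which blocks XXE-style payloads.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        return null;
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('cas', 'http://www.yale.edu/tp/cas');
    $users = $xp->query('/cas:serviceResponse/cas:authenticationSuccess/cas:user');
    if ($users === false || $users->length !== 1) {
        return null;
    }
    $user = trim($users->item(0)->textContent);
    return $user === '' ? null : $user;
}

// Constructed sample replies (not captures from a real server).
function sampleSuccessReply(): string
{
    return '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        . '<cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>'
        . '</cas:serviceResponse>';
}

function sampleFailureReply(): string
{
    return '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
        . '<cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>'
        . '</cas:serviceResponse>';
}

// Callback handler sketch. In production, replace sampleSuccessReply() with an
// HTTPS fetch of validationUrl($ticket) that verifies the CAS server's certificate.
$ticket = $_GET['ticket'] ?? '';
try {
    $url = validationUrl($ticket);   // would be fetched over HTTPS here
} catch (InvalidArgumentException $e) {
    header('Location: ' . loginRedirectUrl());
    exit;
}
$user = parseValidationResponse(sampleSuccessReply());
if ($user === null) {                // sampleFailureReply() would land here
    header('Location: ' . loginRedirectUrl());
    exit;
}
// $user is now authenticated: bind it to a fresh session id.
session_start();
session_regenerate_id(true);
$_SESSION['user'] = $user;
```

Two details matter for security here: the `service` parameter sent to `/serviceValidate` must be exactly the one used at `/login` (the server rejects mismatches, which is what stops a ticket issued for one app being replayed against another), and the validation request must go over HTTPS with certificate verification, because the username in the reply is trusted unconditionally.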
Ruby-cas FTW.
I have no idea how to access a PHP-based web service from a BlackBerry.
Can anybody guide me in accessing one?
Your options are either to use a proper API interface as suggested by snowflake (like REST, JSON/XML-RPC, etc.) or to scrape the HTML (very painful, especially on mobile devices). The language in which the service is implemented shouldn't matter. If you are targeting OS6, there is a new communication API that makes consuming web services easier (a sample can be found at http://devblog.blackberry.com/2011/01/communication-api-2/), but it's not too difficult on OS5 or below either. If you need to use JSON in OS5, you can find the org.me.json package online and use that.
If the webservice is under your control, you should add RPC support, the difficulty of which depends on the framework (if any) you're using for your project. Your question's a little scant on that information, so I can't provide any specific details.
See this Web Services in BlackBerry J2ME Application article. It clearly describes how to use web services in BlackBerry. You can also refer to the web services overview documentation.
I'm trying to understand the use cases for which implementing OAuth as a service provider is the way to go. It seems that implementing an OAuth service is a lot of work, so I don't want to go through the trouble just to discover I was barking up the wrong tree. Any examples of such use cases to help me wrap my head around when to use or not use OAuth?
This question is related to another question I asked but they deserved to be separate questions. I provide detail on my specific use case here:
Implementing access with oAuth or other
OAuth is typically used when you want to provide a single point of authentication for multiple services, or if you want to integrate an application with an existing authentication service; e.g., if you wanted your users to log in with their Twitter account information.
In my experience, the only time I've had reason to implement an OAuth authentication service was because we had 3 very different applications running on different platforms (JBoss, LAMP, and ASP.NET) on different servers. To compensate for different databases and different technologies, we settled on an OAuth implementation and centralized authentication to one point. It also provided an excellent means of securing user information between servers; data is encrypted between OAuth Server and Client, making it harder to jeopardize.
It really depends on what you're trying to do. If you're just talking about one application, then OAuth is definitely too much too soon. If you're talking about a few applications that run on the same technologies, then you may or may not have to go with OAuth; you could just use the existing data store to authenticate with. If you're looking to scale out to multiple systems, or you're thinking of implementing a single sign-in type of service, then OAuth is definitely a consideration.
OAuth has a few things going for it:
1) OAuth is a fairly well known standard, which means there is quite a bit of information available about it, code libraries in a variety of languages and platforms, etc. This may be the most important aspect if you are trying to get widespread adoption of your site/service (à la Twitter, FB, etc.)
2) OAuth has been reasonably validated from a security perspective so you don't have to worry (too much) whether it is conceptually sound. Your implementation of course is another matter...
3) As mentioned by others, OAuth is well suited for distributed/federated scenarios. This allows you to outsource the authentication responsibility (for example, Microsoft's Azure can do OAuth authentication on your behalf) and/or share credentials across multiple services.
Hope this helps!