Does anyone know a good and/or easy to use PHP library/class/whatever-it's-called for being able to do oAuth against a large amount of providers (Facebook, AIM/AOL, MSN, all the 'big boys', etc)? All it needs to handle is essentially authentication, there won't be any permissions or anything - it just needs to be able to pull a login-verified username and a realname (optional).
Google recently released their Google Identity Toolkit, that handles several auth providers, it maybe come in handy. There's a PHP sample.
Related
I'm writing an Android app that will require folks to identify themselves. We figured that the best course of action is to NOT have folks register with our server since practically everybody has an account somewhere else with a major service (Google, Twitter, Facebook, Yahoo! for example).
The REST API is being built around CakePHP. This in itself isn't a sticking point for what I need, but the issue is more on the Android app along with its communication to our API. Essentially what I'd like to see is a user with X number of devices having the ability to login to a service they already have access to.
This identity would then be known by our server as an identity for that user. My app would then need a way to tell our API that "I am John Doe from service example.com, and here's proof". The servers would also accept a new device for the same identity and tie it in to that user.
I am stuck on some issues here:
OpenID seems to be the way to go (though I'm not sure if Twitter supports OpenID). But how can I do OpenID from my device? I don't need somebody to point me to OpenID for Java. This is NOT 100% of the answer I am looking for. Where is the website going to redirect to?
What will the authentication piece be like between my webserver and Android app? I'm not logging in. I'm using an OpenID. Should I just take some/all of the OpenID information and pass it to the webserver for storage, and then pass it again to check against for every API call?
Twitter not only does OpenID, but they also have a dedicated page talking about what the flow is and what you need to store. Google has a similar page for their login. The OpenID login flows are (for the most part) OAuth2.
Q: How would you create a SSO? What would you do about authentication (separate app or same as sso) and user store?
Background info:
We have 40+ php apps, java apps and
Ruby apps.
Currently, we have a custom
SSO+authentication solution. It's an
app written in php that is now used as
SSO, while supporting
email/username/phone-number + password
as authentication. It works, but was
built for a few apps only, not
originally meant to be the SSO -
solution. It doesn't have a usable view, every app create their own login/register forms and use the API. They share context and we'd like a more universal design.
Now we know want to support Oauth and
openid solutions, as facebook connect,
google and more, (or do we really?), in addition to
existing authentications. We can
expand existing php-solution, but we
are considering alternatives.
If you were to do all this in Ruby, what would you do?
Some additional info:
All users exist in SSO, today.
The company does aquire other companies/systems at times, having their own users. Would you migrate or create some kind of mapper?
Customers in a Microsoft CRM, but I consider this unrelated. Or do I?
I've shallowly looked at RubyCAS and ClassyCAS, and don't know if they are suitable. Is CAS the way to go?
Would you keep going with php? What would you use?
As you see, I have a lot of questions. What would you suggest?
I a previous job we used Jasig CAS for SSO (several apps in Java and Python). After getting over some quirks in the configuration and my dislike of all things Java, it actually worked pretty well. At the time I found the wiki to be a valuable resource, but things might have changed in the last year.
Authentication was handled via a separate app (custom) using an OpenLDAP directory that was preinitialized with a script that got user info out of an AD server.
Regarding the actual server you might actually want to use the Jasig one, IIRC it's the reference implementation and is easy to customize via a Maven overlay.
Ruby-cas FTW.
I'm trying to understand the use cases for which implementing oAuth as a service provider is the way to go. It seems that implementing an oAuth service is a lot of work, so I don't want to go through the trouble just to discover I was barking up the wrong tree. Any examples of such use cases to help me wrap my head around when to use or not use oAuth?
This question is related to another question I asked but they deserved to be separate questions. I provide detail on my specific use case here:
Implementing access with oAuth or other
OAuth is typically used when you want to provide a single point of authentication for multiple services, or if you want to integrate an application with an existing authentication service; e.g., if you wanted your users to log in with their Twitter account information.
In my experience, the only time I've had reason to implement an OAuth authentication service was because we had 3 very different applications running on different platforms (JBoss, LAMP, and ASP.NET) on different servers. To compensate for different databases and different technologies, we settled on an OAuth implementation and centralized authentication to one point. It also provided an excellent means of securing user information between servers; data is encrypted between OAuth Server and Client, making it harder to jeopardize.
It really depends on what you're trying to do. If you're just talking about one application, then OAuth is definitely too much too soon. If you're talking about a few applications that run on the same technologies, then you may or may not have to go with OAuth; you could just use the existing data store to authenticate with. If you're looking to scale out to multiple systems, or you're thinking of implementing a single sign-in type of service, then OAuth is definitely a consideration.
OAuth has a few things going for it:
1) OAuth is a fairly well known standard, which means there is quite a bit of information available about it, code libraries in a variety of languages and platforms, etc. This may be the most important aspect if you are trying to get widespread adoption of your site/service (ala Twitter, FB, etc)
2) OAuth has been reasonably validated from a security perspective so you don't have to worry (too much) whether it is conceptually sound. Your implementation of course is another matter...
3) As mentioned by others, OAuth is well suited for distributed/federated scenarios. This allows you to outsource the authentication responsibility (for example, Microsoft's Azure can do OAuth authentication on your behalf) and/or share credentials across multiple services.
Hope this helps!
we're developing one service to be integrated with various social networks and would like to allow users to be authenticated with their facebook-google-twitter-etc accounts in a simple one-click way.
Most of the huge network providers permit to do it with their proprietary APIs, but for small group of programmers as we are to support all of them is very difficult problem.
We are searching for some community project which implements most of the proprietary API authentication methods to be included in our small website.
The developing language is not of huge importance, but it would be great to find one written in PHP.
Thank you.
Maybe this is something you're lookin' for:
https://rpxnow.com/
They also have a free priceplan, and a paid one to access the noticed API's for some cool data.
Recently I've found some more socialauth applications
The HybridAuth Lib: http://hybridauth.sourceforge.net/
The SocialAuth: http://code.google.com/p/socialauth/
The DotNetOpenAuth: http://www.dotnetopenauth.net/
I'm building a website that will require user registration and logon.
I would like to use the facebook connect to let people create a basic account and to log on without having to create a local account themselves - and let them fill in more profile details when they want to.
What other 3rd party authorizations systems are there? Clearly openid is one option. And google seem to have a system too for loging onto other sites with your google logon. Are there any other systems? Does microsoft have one for msn logons? I found some hints but was unable to find any details.
Anyway, the programming question is are there any php libraries that will do this for me across a range of providers? I see ones for facebook and OpenID but I've not seen any library in php that abstracts away the differences? Before I program my own solution are there any libraries for this that I've not managed to find?
Keep in mind that Facebook is likely to become an openid provider in the near future (for some value of near).
If you really want EVERYTHING abstracted for you, JanRain takes care of exactly that task for you as a hosted service. The free version provides enough functionality to get started, and then if your app takes off, you can pay a bit for more functionality down the road.