13
votes

I'm thinking to develop a full-fledged Identity System in Laravel 5 with Passport.

Following is my requirement:

  1. I should have main identity management app like identity.mysite.com where all of my users are stored.
  2. I have 2 other applications APP1, APP2.
  3. When user request restricted resource on APP1, (s)he should get authenticated by identity.mysite.com
  4. Once authenticated, let user access resources on APP1
  5. Meantime, if user decided to access restricted resources on APP2, (s)he should not be asked to put credentials again.

Things I've tried:

  1. simpleSAMLphp - SAML is an option which does these things for me. But it is not as mature as OneLogin and I'm not thinking to go in SaaS model at this stage unless it is necessity.
  2. Laravel Passport - oAuth 2.0 seems tempting. I can even use, Passport Grant Tokens but I'm unsure on how reliable it is over SAML. Also, Laravel Passport is being widely used to authenticate API. Is it going to be useful while authenticating traditional session based apps? I haven't seen any example where the proper SSO is implemented with more than one application and laravel passport.

I know OAuth 2.0 is not an authentication protocol. Rather it uses something called Authorization but we probably can make it work to support Authentication protocol as mentioned here. Is it something, that Laravel passport supports?

2
Have you had any success, if yes please post it here.Nouphal.M

2 Answers

4
votes

This is what I call a resource oriented approach where all the clients(app1, app2...) want to know weather requesting user is authorized to access the resource or not...

Here we need to shift all the authenticating logic to oauth and make all our requesting apps dependent on OAuth. This way if user request app to access resources then if:

  1. Token is present then app will request oauth server to validate given token and if found true then app will provide access to user.

  2. If token is not present then you can solve it by asking for credential and app will transfer user data to oAuth server and validate it respond with the token.

As per my experience I use to implement this approach and I think Laravel Passport is an abstraction layer over top of your authenticating system. You can mold it however you need. There are few more enhancement and advancement can be done but this would work as a basic layer over top of your SSO.

2
votes

You can achieve this with passport however you are right about the examples as there are not many or lacking on some steps.

You could to create a new middleware in App1 and App2 side that communicates with identity.mysite.com and gets the user data (token, scopes, etc, id) then it will verify if the token is valid.

On the passport server side you need an endpoint to return whether the token is valid or not and any additional info.

To avoid making too many requests to your passport server i would recommend to create a service that get the TTL of the access token and set it as the time on cache on App1 or App2 for the user data.