dsbj66959 2017-12-24 14:45
Views: 30
Accepted

Looking for a way to have several services in Symfony log in against one centralized login service

I have already been looking for quite some time for a solution to my issue:

  1. Have several independent apps implemented in Symfony
  2. Each uses a centralized API
  3. Login should be handled by its own central application

My Idea is

  • domain security.xxxxxx.xxx handles the login form and app
  • domain frontend.xxxxxx.xxx handles the working customer stuff
  • domain cms.xxxxxx.xxx handles the stuff for non-logged-in users
  • domain backend.xxxxxx.xxx handles staff administration stuff
  • domain support.xxxxxx.xxx handles user support related stuff
  • domain api.xxxxxx.xxx handles the central database related stuff for internal and third party applications
  • domain reg.xxxxx.xxx handles new user registrations
  • domain job.xxxxxx.xxx handles the job worker stuff
  • domain monitoring.xxxxx.xxx handles the monitoring of app data etc.

The main idea is that each system is handled by a unique server. All are connected within the same network, but each has different resources and services connected to it.

I tried to use lightSaml for Symfony, but I don't get how to implement the server component for providing identities. The security should be the provider and authentication interface.

Something like the handling on my.atlassian.net. This is the kind of service I would love to implement.

Any hints are appreciated.


1 answer

  • drxm5014 2017-12-24 15:30

    Single sign-on can be achieved in many ways and with many protocols:

    • SAMLv2
    • OAuth2
    • JWT
    • OpenID
    • etc.

    There are two considerations:

    • Work with tokens
    • Work with users

    Because of business constraints I could not use a third-party provider (Auth0, Okta, etc.), which I would really encourage.

    Implementations: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

    Work with tokens in Symfony

    You store the access and refresh token (the names may vary between implementations). This has the limitation that, as the Symfony app is not constantly running but only when it has a request, you have to reload/refresh the user per request (a request to the Identity Provider server).

    Benefits:

    • Single sign-out, as once you log out of the Identity Provider you invalidate the sessions.

    Risks:

    • You will get a request to the Identity Provider for each request in your app. (You can make workarounds there; it is a Symfony implementation limitation.)

    Working with users

    You authenticate and authorize the user on the Identity Provider and create a user in the microservice you have.

    Benefits:

    • Full control of the user data you store. Once authenticated you do not need access to the identity provider.

    Risks:

    • Once you log out of your app, if you have not logged out from your SSO/Identity Provider, the user will automatically be logged back in.
    • You have to keep user details in sync, or not allow the user to update, in your microservice, the personal details that come from the Identity Provider.

    My case: OAuth2

    I've personally chosen working with users on the Symfony services, as I want to have more freedom in how I store the user details and which details I store, and to keep most of the traffic on the service.

    Ideally I wanted to use SAMLv2, but I could not find any solution implemented in PHP that I was willing to carry for a long time; there are many in Java.

    Technical stack on the Identity Provider

    Technical stack on the Microservice

    If you decide to work with OAuth2 I recommend you this guide: https://alexbilbie.com/guide-to-oauth-2-grants/

    This answer was selected as the best answer by the asker.
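The two integration styles the answer contrasts ("work with tokens" vs. "work with users") and the two risks it lists (one Identity Provider round trip per request; local logout followed by automatic re-login while the IdP session is still alive) can be shown side by side in a small simulation. The block below is an added example and is not code from the question, the answer, Symfony or any OAuth2 library: it is a self-contained Python model of an in-memory OAuth2-style Identity Provider (authorization code grant, RFC 7662-style introspection, a userinfo lookup) and two relying services, one of each style. The class and endpoint names, client ids and secrets, the user `alice` with subject `u-1001`, and the 300-second token lifetime are all constructed for the example.

```python
import secrets
import time


class IdentityProvider:
    """Toy OAuth2-style IdP (hypothetical, in memory); user authentication itself is out of scope."""
    def __init__(self):
        self.clients = {"frontend": "s3cret-frontend", "backend": "s3cret-backend"}  # constructed
        self.users = {"alice": {"sub": "u-1001", "email": "alice@example.test"}}    # constructed
        self.sessions = {}  # IdP browser session id -> username
        self.codes = {}     # one-time authorization code -> (username, client_id, sid)
        self.tokens = {}    # access token -> {"sub", "client_id", "sid", "exp"}

    def login(self, username):
        """Browser logs in at the IdP once; returns the IdP session id (its cookie)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def authorize(self, sid, client_id):
        """Authorization endpoint: a live IdP session silently yields a code for a known client."""
        username = self.sessions.get(sid)
        if username is None or client_id not in self.clients:
            return None  # a real IdP would render its login form here
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, sid)
        return code

    def token(self, code, client_id, client_secret, ttl=300):
        """Token endpoint, authorization_code grant; the code is single use and client-bound."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[1] != client_id or self.clients.get(client_id) != client_secret:
            return None
        username, _, sid = entry
        access = secrets.token_urlsafe(24)
        self.tokens[access] = {"sub": self.users[username]["sub"], "client_id": client_id,
                               "sid": sid, "exp": time.time() + ttl}
        return {"access_token": access, "token_type": "Bearer", "expires_in": ttl}

    def introspect(self, access):
        """RFC 7662-style check: active only while unexpired and the issuing IdP session is alive."""
        t = self.tokens.get(access)
        active = t is not None and t["exp"] > time.time() and t["sid"] in self.sessions
        return {"active": active, **({"sub": t["sub"]} if active else {})}

    def userinfo(self, access):
        t = self.tokens.get(access)
        return None if t is None else next(u for u in self.users.values() if u["sub"] == t["sub"])

    def logout(self, sid):
        """Global sign-out: dropping the session makes every token bound to it inactive."""
        self.sessions.pop(sid, None)


class TokenBackedService:
    """'Work with tokens': keeps only the access token and re-validates it on every request."""
    def __init__(self, idp, client_id, secret):
        self.idp, self.client_id, self.secret = idp, client_id, secret
        self.session = {}  # what this app's own session cookie would hold

    def callback(self, code):
        tok = self.idp.token(code, self.client_id, self.secret)
        if tok:
            self.session["access_token"] = tok["access_token"]
        return tok is not None

    def handle_request(self):
        access = self.session.get("access_token")
        if access is None:
            return "anonymous"
        info = self.idp.introspect(access)  # one IdP round trip per request (the listed risk)
        return info["sub"] if info["active"] else "anonymous"


class UserBackedService:
    """'Work with users': provisions a local user at login, then trusts its own session only."""
    def __init__(self, idp, client_id, secret):
        self.idp, self.client_id, self.secret = idp, client_id, secret
        self.local_users = {}  # sub -> locally stored profile, refreshed only at login
        self.session = {}

    def callback(self, code):
        tok = self.idp.token(code, self.client_id, self.secret)
        if not tok:
            return False
        profile = self.idp.userinfo(tok["access_token"])
        self.local_users[profile["sub"]] = dict(profile)  # the only sync point with the IdP
        self.session["user"] = profile["sub"]
        return True

    def handle_request(self, idp_sid):
        if "user" in self.session:
            return self.session["user"]  # served without touching the IdP
        # Not logged in locally: redirect to the IdP; a live IdP session logs us straight back in.
        code = self.idp.authorize(idp_sid, self.client_id)
        return self.session["user"] if code and self.callback(code) else "anonymous"


def demo():
    """Run both styles side by side and return what each service sees at every step."""
    idp = IdentityProvider()
    sid = idp.login("alice")
    tok_svc = TokenBackedService(idp, "frontend", "s3cret-frontend")
    usr_svc = UserBackedService(idp, "backend", "s3cret-backend")
    tok_svc.callback(idp.authorize(sid, "frontend"))
    usr_svc.callback(idp.authorize(sid, "backend"))
    before = (tok_svc.handle_request(), usr_svc.handle_request(sid))
    usr_svc.session.clear()                # local logout only; the IdP session stays alive
    relogin = usr_svc.handle_request(sid)  # ... so the next request re-authenticates silently
    idp.logout(sid)                        # single sign-out at the IdP
    after = (tok_svc.handle_request(), usr_svc.handle_request(sid))
    return {"before": before, "relogin": relogin, "after": after}
```

`demo()` returns `before == ("u-1001", "u-1001")`, `relogin == "u-1001"` (the auto re-login the answer warns about) and `after == ("anonymous", "u-1001")`: after the IdP sign-out the token-backed service drops the user on its very next request, while the user-backed service keeps serving its locally provisioned session until that session expires or the service is told otherwise. In a real deployment the two missing pieces are a back-channel logout or token-revocation notification for the user-backed style, and PKCE plus `state` on the authorization request for both, which the simulation leaves out.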
