dsbj66959 2017-12-24 14:45
浏览 30
已采纳

搜索有关如何在Symfony中登录到集中登录服务的多种服务的方法

I was already looking for quite some time for my issue:

  1. have Several Independend Apps implemented in Symfony
  2. Each uses an centralized API
  3. Login should be handled by an own central Application

My Idea is

  • domain security.xxxxxx.xxx handles the login form and app
  • domain frontend.xxxxxx.xxx handles the working customer stuff
  • domain cms.xxxxxx.xxx is the non loged in users stuff
  • domain backend.xxxxxx.xxx handles staff administration stuff
  • domain support.xxxxxx.xxx handles user support related stuff
  • domain api.xxxxxx.xxx handles the central database related stuff for internal and third party applications
  • domain reg.xxxxx.xxx handles new user registrations
  • domain job.xxxxxx.xxx handles the job worker stuff
  • domain monitoring.xxxxx.xxx handles the monitoring of app data etc.

the main idea is that each system is handles by an unique server. All are connected within the same network but each have different resources and services connected to it.

I tried to use lightSaml for symfony. But don't get the point in how to implement the server component for providing identities. The security should be provider and authentication interface.

Kind of handling like my.atlassian.net. This is an Service like I would love to implement.

Any hints are appreceated.

  • 写回答

1条回答 默认 最新

  • drxm5014 2017-12-24 15:30
    关注

    SingleSignOn can ba achieved in many ways and protocols:

    • SAMLv2
    • Oauth2
    • JWT
    • OpenID
    • etc

    There is two considerations:

    • Work with tokens
    • Work with users

    For business constraints I could not use a third party provider (Auth0, Okta, etc) which I really encourage.

    Implementations: https://en.wikipedia.org/wiki/List_of_single_sign-on_implementations

    Work with tokens in symfony

    You store the access and refresh token (It may change the name on each implementation). This has the limitation that as the Symfony app is not constantly running only when you have a request you have to reload/refresh the user per request (Request to the Identity Provider server).

    Benefits:

    • Single sign out as once you logout to the Identity Provider you invalidate the sessions.

    Risks:

    • You will get a request to the Identity Provider for each request in your app.(You can make workarounds there it is a Symfony implementation limitation)

    Working with users

    You authenticate and authorize the user on the Identity provider and create a user in the microservice you have.

    Benefits:

    • Full control of the user data you store. Once authenticated you do not need access to the identity provider.

    Risks:

    • Once you logout of your app if you have not logged out from your SSO/Identity provider the user will automatically logged in back.
    • You have to keep user details in sync or do not allow the user to update their personal details that comes from the Identity provider in your microservice.

    My case: OAuth2

    I've personally choose working with users on the symfony services as I want to have more freedom on how I store the user details, which details I store and keep most of the traffic on the service.

    Ideally I wanted to use SAMLv2 but I could not find any solution that I was willing to carry over for a long time implemented in PHP, there is many in JAVA.

    Technical stack on the Identity Provider

    Technical stack on the Microservice

    If you decide to work with OAuth2 I recommend you this guide: https://alexbilbie.com/guide-to-oauth-2-grants/

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥35 平滑拟合曲线该如何生成
  • ¥100 c语言,请帮蒟蒻写一个题的范例作参考
  • ¥15 名为“Product”的列已属于此 DataTable
  • ¥15 安卓adb backup备份应用数据失败
  • ¥15 eclipse运行项目时遇到的问题
  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 自己瞎改改,结果现在又运行不了了
  • ¥15 链式存储应该如何解决
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站