Where to start to integrate two zend applications - zend-framework

I would like to integrate two web applications (sharing users), both based on Zend Framework. Where would you start?

Identify all the possible URLs in each application
Write a small routing application
Have your small routing application identify which URL belongs to each application, and then manually "include" the index.php file for each application after manually setting up the environment that the application's .htaccess would normally send
(also, Magento uses components of the Zend Framework, but it's not a Zend Framework application)

If all you need to do is share users, you just need to have each web application map users to one another whenever you do your regular authentication mechanism -- if you log in to WebAppA, then whenever WebAppB checks credentials it should look to see if you're logged into WebAppB, which should be existing functionality, but then if you're not logged into WebAppB, check if you are logged into WebAppA...
If usernames line up, this is easy to medium difficulty depending on the authentication schemes, otherwise just prompt the user once to authenticate to their other account and store the mapping on a successful authentication.
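An added example (not from the original answer) of the lookup order described above: the current application's own session first, then the other application's session, then a stored account mapping, with the mapping written only after a successful authentication to the second account. Class and field names are assumptions for illustration.

```python
# Added example (not from the original post): resolving the current user across
# two applications that share users, in the fallback order the answer describes.
from dataclasses import dataclass, field


@dataclass
class SharedAuth:
    # Constructed in-memory stand-ins for each application's session store
    # (session id -> username) and for WebAppB's user table.
    app_b_sessions: dict
    app_a_sessions: dict
    app_b_users: set
    # WebAppA username -> WebAppB username, filled once the user has
    # authenticated to both accounts; identical usernames need no entry.
    mapping: dict = field(default_factory=dict)

    def resolve(self, b_session_id, a_session_id):
        """Return (status, username as known to WebAppB)."""
        user_b = self.app_b_sessions.get(b_session_id)
        if user_b:
            return ("authenticated", user_b)      # existing WebAppB login
        user_a = self.app_a_sessions.get(a_session_id)
        if not user_a:
            return ("anonymous", None)            # logged into neither app
        if user_a in self.app_b_users:
            return ("authenticated", user_a)      # usernames line up
        mapped = self.mapping.get(user_a)
        if mapped:
            return ("authenticated", mapped)      # previously linked accounts
        return ("link_required", None)            # prompt once for WebAppB creds

    def link(self, user_a, user_b, password_ok):
        """Store the mapping only after WebAppB credentials were verified."""
        if not password_ok or user_b not in self.app_b_users:
            return False
        self.mapping[user_a] = user_b
        return True
```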

Related

Can Identity Server be used to authenticate a user for various web apps you may be hosting

I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting all the web applications; some are just JavaScript and HTML, some are MVC.
I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server? Obviously when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid, or else somebody could just copy the URL of the app and use the application.
NOTE - the JS application is just a plain old HTML5 and JavaScript application; it is nothing fancy like a .NET MVC app.
One way to achieve this is by registering the individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URIs) and restricting access between those clients.
In order to restrict access between clients for an authenticated user, you need to use the ICustomRequestValidator interface.
More details in this discussion board and a similar post in SO thread

How to implement openAM SSO to my existing web applications

I'm trying to implement SSO in my existing web applications using OpenAM, following this link:
http://fczaja.blogspot.com/2012/06/idp-initiated-sso-and-identity_21.html
PS. my web applications have their own login page already
Now what I got after implementation is that the OpenAM login page is protecting my web applications, and I need to log in again to my application.
What I need is to skip the login page of my application to achieve single sign-on.
So, can anyone tell me what tasks I have left to do?
Do I need to revise the login page of my application?
Do I need any database or datastore to keep user login information?
Now that an OpenAM agent is in place on top of your app, your web app can work under the assumption that there is already a valid logged-in user - you need to remove the login page from your web app.
To get the current user details just alter your OpenAM agent config to set HTTP headers with relevant fields like username, full name, etc. Then instead of a web app login page you just check HTTP headers (should be safe from spoofing as long as the only route into your web app is coming through the OpenAM agent).
Another way is to grab the OpenAM cookie and use it to make REST calls directly to the server. Makes things a little more fragile though because you now need to maintain additional config.
You don't necessarily need any additional user tables / datastores for your web app, only if you need to map their login name to whatever it is your web app is doing (saving preferences, etc) in which case you need to check that the username you've been given already exists inside your app. If not then add it.
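An added example (not from the original answer) of the header-based approach above, including its caveat: the identity headers are only honoured when the request arrived through the agent, and a user seen for the first time is added to the app's own user table. The header names, the trusted network and the user store are assumptions.

```python
# Added example (not from the original answer): consuming the identity headers an
# OpenAM agent injects, while honouring the caveat that they are only
# trustworthy when the request really came through the agent.
import ipaddress

# Assumed header names, as they would appear in a WSGI environ after the
# agent's profile-attribute-to-header mapping has been configured.
USER_HEADER = "HTTP_OPENAM_USERNAME"
NAME_HEADER = "HTTP_OPENAM_FULLNAME"

# Constructed: only hosts running the agent may reach this app directly.
TRUSTED_AGENT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def identity_from_agent(environ, users):
    """Return the username for this request, or None if it must be rejected.

    environ is a WSGI-style dict; users is the app's own user table
    (username -> profile dict), updated on first sight of a new user.
    """
    client = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    # A request that did not arrive via the agent may carry headers set by
    # the client itself, so they are ignored entirely.
    if not any(client in net for net in TRUSTED_AGENT_NETS):
        return None
    username = environ.get(USER_HEADER, "").strip()
    if not username:
        return None  # agent in place but no identity supplied: deny
    # Just-in-time provisioning: "check that the username exists; if not, add it".
    if username not in users:
        users[username] = {"full_name": environ.get(NAME_HEADER, "")}
    return username
```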
We were able to implement single sign-on using OpenAM with a JSF web application using the Spring SAML extension and OpenAM.
Instead of an agent we used Fedlet; that way we can port to any application server.
Please see my articles on generic info related to OpenAM concepts:
http://reddymails.blogspot.com/2013/03/sso-for-java-or-net-web-based.html
Steps to integrate a JSF 2 web application with OpenAM using the Spring SAML extension and Spring Security:
http://reddymails.blogspot.com/2013/06/integrating-jsf-web-applicataion-with.html
-Ram

Creating a Facebook Client - Choosing App Integration Type and OAuth Flow

I would like to distribute content from within our Content Management System to several online channels like the website, Twitter, LinkedIn and, last but not least, Facebook. Editors can create items and, eventually after a workflow process, distribute them amongst the different channels.
Of course the website is no problem (it's still a CMS, isn't it). Twitter integration was rather simple. But now I would like to create a connector with Facebook.
The approach is like this.
Create a Facebook app: TheCMSFacebookConnector
Give it permissions to write on a wall, create events, add photo collections, etc.
A customer buys the CMS
Within the CMS Manager there is an action to connect the TheCMSFacebookConnector app to the customer's (corporate) Facebook account
The OAuth dance is performed and the access token and access token secret are stored
From now on we use the REST API to add content to the customer's corporate wall. This is exactly the way I did it for the Twitter integration.
But.........
Choosing the right integration type
When I create the Facebook app, Facebook asks me to tell how the app integrates with Facebook. The integration types that seem to fit best are Native iOS App or Native Android App. In fact the CMS acts as a Native App as well. Has anyone a clue which App Integration type I have to choose? And are there other parameters that are important to set in a, maybe, different way?
Choosing the authentication flow
A second question is about the OAuth dance. If we distribute the CMS amongst our customers, they host the CMS Manager environment in their DMZ with their own (mostly) corporate URL or, better, they host the CMS Server within the LAN and the Publication Server in the DMZ (we provide some tools to synchronize those servers)
When I do the OAuth dance, the CMS Manager (which is a web application) has its own URL. So in the definition of the app I cannot name a unique value for App Domains. From within the "OAuth dance" code the redirect URL seems to have a connection with the App Domain and cannot be set in a dynamic way. So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Hope that someone can help me with, especially, the first question. Thanks in advance
E.
So is it true that for the "OAuth dance" the only valid method is the client-side authentication flow?
Not necessarily – you could always have an address from your app domain set as redirect_uri, and have that redirect to the CMS users web address afterwards (via a GET parameter in redirect_uri or something like that).
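An added example (not from the original answer) of the relay this answer suggests: one fixed redirect_uri on the app domain, with the onward customer address chosen from a registered list and bound to the OAuth state value, so the relay cannot be turned into an open redirect. The registry, secret and function names are assumptions.

```python
# Added example (not from the original answer): a redirect_uri relay that sends
# the browser on to the right customer's CMS Manager after the OAuth dance.
import hmac
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed registry of customer CMS Manager hosts, keyed by customer id.
# The onward host always comes from here, never from a request parameter.
CUSTOMER_HOSTS = {"acme": "cms.acme.example", "globex": "cms.globex.example"}
RELAY_SECRET = b"constructed-secret-for-illustration"


def make_state(customer_id, nonce=None):
    """Build state = customer id + nonce + MAC for the authorization request."""
    nonce = nonce or secrets.token_hex(8)
    msg = f"{customer_id}:{nonce}".encode()
    mac = hmac.new(RELAY_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"{customer_id}:{nonce}:{mac}"


def relay_target(state, code):
    """Return the URL to forward the browser to, or None if state is invalid."""
    try:
        customer_id, nonce, mac = state.split(":")
    except ValueError:
        return None
    # Recompute the MAC over the received customer id and nonce; a customer id
    # swapped in by the client will not verify.
    expected = make_state(customer_id, nonce).rsplit(":", 1)[1]
    if not hmac.compare_digest(mac, expected):
        return None
    host = CUSTOMER_HOSTS.get(customer_id)
    if host is None:
        return None
    return f"https://{host}/facebook/callback?" + urlencode({"code": code})
```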

Django piston, Django.auth, and asihttprequest

I have a website that uses Django piston for the API. I have also created an iPhone app that successfully connects to the API and parses the JSON and displays the correct content on the iPhone. The API resource URLs are as follows:
http://mysite.com/api/pics
http://mysite.com/api/pics/username
I'm currently hard coding the username into the above URL from within the iPhone app and there is no authentication at all. I would like these URLs to require the user to be authenticated.
My website allows logging in via the /accounts/login provided by Django. However, the code redirects the users to their profile on the website, so I'm assuming I can't just use this URL in an asihttprequest from the iPhone.
So, if I want to log a user in using Django's built-in authentication system, what URL should I be pointing them to? Also, once the user is authenticated I know that I'm supposed to use "is authenticated" and "challenge" for any "protected resource" in piston. I've seen code snippets that define these functions but I'm not sure where and how to implement them. I'm used to using a decorator that just says @login_required.
If you followed the instructions at http://yml-blog.blogspot.com/2009/10/django-piston-authentication-against.html, then looking at the example application's urls.py file https://bitbucket.org/yml/django-piston/src/dfb826a31ca8/examples/blogserver/api/urls.py you will see that authentication is passed to the resource handler.
If you've done this there is no need to use a decorator :)

.NET Web Forms multiple product subscriptions under one account?

Background:
I am working on a legacy ASP.NET 3.5 Web Forms application. The application allows users to buy a subscription to a 'white-label' website which is generated for them and they can customize it further. It uses forms authentication.
A typical use-case is that the user creates an account on our system, purchases a website, and then proceeds to customize their website. The URL they will use to edit their purchased website is something like this: https://www.example.com/EditWebsite.aspx. There are many other pages also within our website editing toolbox with other URLs.
Problem:
My team has now been tasked with allowing people to use one account to access multiple website subscriptions. This means that one authenticated user could be trying to access one of many websites to edit if they use the URL mentioned above. Our system can be made aware of multiple subscriptionIds per User but the website editor web app only has support for one subscription.
To clarify with a simpler example: this would be like if Google all of a sudden allowed you to view two different inboxes with one GMail account. How would the system know which one you were trying to access if the URLs were the same for both?
We originally wanted to change the application to use URLs like: https://www.example.com/[subID]/EditWebsite.aspx which would give us all the information we need to send the user to the correct website. We looked into URL Routing to accomplish this but it seems that we would have to change all of the web app's internal links to use the route config to generate the correct URLs. Maybe we have the wrong idea here but it seems like too much work for a legacy application.
Another potential solution we came up with was simply using our system's control panel web app (where they click links to edit any of their websites) to set a session cookie which our edit website web app can read to know which website to bring up. This has the disadvantage that the pages would not be bookmark-able and you could not look at multiple websites at once in different tabs of the same browser.
Question(s):
Are there any other options we have not investigated or thought of? Are there any other web sites which allow for this kind of behavior; how do they handle it? Is URL Routing the right way to do this and we just need to take the plunge?
Any input is appreciated!
The solution we ended up using was adding a URL parameter to the link which specifies which website you are trying to edit.
https://www.example.com/EditWebsite.aspx?subID=123
This parameter is included in the links to 'Edit Website' from the page which lists all of a user's websites.
When present, this sets a session cookie for the user. If the request parameter is not present, the app looks for the cookie being set; this handles all the internal links within the application. If a cookie doesn't exist and the request parameter was not set, we just pick the authenticated user's first subscription from the list.
This isn't perfect but it has worked without issue so far. The only consequence it has caused is that a user cannot edit multiple websites in the same browser session, e.g. using multiple tabs. This hasn't resulted in any support issues yet though so it is pretty much a non-issue.
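An added example (not the project's own code) of the resolution order the answer describes: subID parameter, then session value, then the user's first subscription. It adds one check a reviewer would ask for: whichever id is chosen must belong to the authenticated user, so a guessed or stale subID never opens another customer's site. Function and parameter names are assumptions.

```python
# Added example (not from the original answer): choosing which subscription
# EditWebsite opens, with every candidate checked against the user's own list.


def resolve_subscription(user_subs, query, session):
    """user_subs: ordered list of subscription ids owned by the current user.
    query: dict of request parameters; session: dict persisted per user.
    Returns the subscription id to edit, or None if the user owns none."""
    if not user_subs:
        return None
    requested = query.get("subID")
    if requested is not None:
        try:
            requested = int(requested)
        except ValueError:
            requested = None
    if requested in user_subs:          # explicit link from the site list
        session["subID"] = requested
        return requested
    cached = session.get("subID")
    if cached in user_subs:             # internal links carry no parameter
        return cached
    # Nothing usable (no parameter, or an id the user does not own): fall back
    # to the first subscription and overwrite any stale session value.
    session["subID"] = user_subs[0]
    return user_subs[0]
```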