Cookbook article: Authenticating against an external API #2358

Closed
weaverryan opened this Issue Mar 26, 2013 · 9 comments

Comments

Projects
None yet
6 participants
Member

weaverryan commented Mar 26, 2013

This is a question that comes up quite frequently: how to setup a custom authentication system where the username/password are checked in the background against an API. In this case, things in the normal flow like UserProvider::loadUserByUsername don't make sense.

I think it may be useful to have a second cookbook entry (in addition to custom_authentication_provider, which talks about WSSE) for this use-case. The "custom-authentication" world is big and varied - if we added this, it would serve to cover more common, but difficult use cases.

Contributor

romaricdrigon commented Dec 14, 2013

This is tricky.

On the one hand, we need to check the password. The AuthenticationProvider is the place for this, we can not just implement a UserProvider proxying an external service as it's obviously not gonna give you this information.

On the other hand, without an UserProvider, we may be running issues when refreshUser will be called.

What would be the use cases of this cookbook article?
In my experience, when dealing with services such as OpenID, you create an OpenIDIdentity object linked to your users and it's that entity that go through a specific workflow. You still need to have an User entity in your "Symfony2", in your application, as rarely you get enough informations from external service nor when to pollute it with application-specific details.

Member

weaverryan commented Dec 18, 2013

I think we can and should handle this in #3357. Since I'm the one who opened this issue, I'm going to close it now and hope that we handle it well there. @romaricdrigon since you've been working on some security stuff, if you have some time to look at the implementation in #3357, I'd love your thoughts :).

Cheers!

@weaverryan weaverryan closed this Dec 18, 2013

skobkin commented Mar 28, 2015

Did it cover things like OpenID? I didn't found any cookbook entries which can help to do some types of authentication similar to the OpenID (redirect from login form and then check some credentials when user returned back to the login check route from extenal API).

Contributor

romaricdrigon commented Mar 29, 2015

The closest thing to using an external API would be this article : http://symfony.com/doc/current/cookbook/security/custom_authentication_provider.html

Basically this is this + handling redirection/responses in the firewall. Last time I had to implement such a thing, I looked a lot to similar OAuth or OpenID bundles. Also I'm not sure if there are no way to simplify this with 2.4+ Security component, at that time I had to use 2.3 LTS.

However, I'm wondering if we should cover this in the documentation. I feel like it's pretty advanced and we would be going way further than the other articles. Implementing this requires understanding a lot of subsystems, and the debug during implementation is usually tricky.

Contributor

romaricdrigon commented Apr 1, 2015

Is there still some interest for that cookbook entry?
I thought about it, if still relevant I may work on it next days.

skobkin commented Apr 1, 2015

@romaricdrigon, Yes! I will be very grateful if you do it.
Meanwhile I began to understand how to do it, but I'm new to the Symfony and I will check and correct my own unfinished code considering your article if it will be written.
Also I think I'm not alone with this kind of problem and your cookbook entry may be very helpful to many newbies in the Symfony community.

+1, still wondering how to do this...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment