[英]Custom user provider in laravel using OAuth2
I want to use an external OAuth2 server under my control to authenticate users for my Laravel 5.2 application. 我想在我的控制下使用外部OAuth2服务器来验证Laravel 5.2应用程序的用户。 As client library I want to use the package
league/oauth2-client
As far as I understood need to implement a custom user provider but I'm uncertain about the big picture of all required steps. 作为客户端库我想使用包
league/oauth2-client
据我所知,需要实现自定义用户提供程序,但我不确定所有必需步骤的大局。
The idea is that the user provides the credentials to my Laravel application, with other words the client credentials
method is used. 我们的想法是用户向我的Laravel应用程序提供凭据,换句话说,使用
client credentials
方法。 Then the bearer-token and the refresh-token is stored on the client side. 然后,承载令牌和刷新令牌存储在客户端侧。 Every time a client makes a request, the token must be validated by the OAuth server.
每次客户端发出请求时,必须由OAuth服务器验证令牌。 The OAuth server also provides some basic user information like email and name.
OAuth服务器还提供一些基本用户信息,如电子邮件和名称。 So in my application there must be some kind of link between the local user and the OAuth user.
因此,在我的应用程序中,本地用户和OAuth用户之间必须存在某种链接。 This is accomplished with a simple table like
这是通过一个简单的表来实现的
+-------------------+
| Users |
+-------------------+
| id | int(10) |
| oauthId | int(10) |
+---------+---------+
First I followed this guide at laravel.io to create a basic provider skeleton. 首先,我在laravel.io上按照本指南创建了一个基本的提供程序框架。 But at this point I have several questions:
但此时我有几个问题:
Is the method retrieveById
supposed to return any user from the OAuth service or only the users which is the issuer of the request allowed to see? 方法
retrieveById
应该从OAuth服务返回任何用户,还是仅允许请求发布者的用户看到?
My OAuth server already has permission checking for each user. 我的OAuth服务器已经为每个用户进行了权限检查。 If
retrieveById
is supposed to return any existing user, is my permission check on the OAuth server worthless? 如果
retrieveById
应该返回任何现有用户,我的权限检查OAuth服务器是否毫无价值? This would be a flaw in my architecture. 这将是我的架构中的一个缺陷。
Some methods must return an implementation of the \\Illuminate\\Contracts\\Auth\\Authenticatable
interface. 某些方法必须返回
\\Illuminate\\Contracts\\Auth\\Authenticatable
接口的实现。 Where do I have to implement this? 我在哪里实现这个? Is this supposed to be the representation of the user which is trying to authenticate?
这应该是试图验证的用户的表示吗? If this should represent a user in my model I have the problem that I don't know the return value for
getAuthPassword
since this information is on my OAuth server. 如果这应该代表我的模型中的用户,我遇到的问题是我不知道
getAuthPassword
的返回值,因为此信息在我的OAuth服务器上。 How can I solve this? 我怎么解决这个问题?
As you can see I have problems to understand how things working together in the whole authentication process. 正如您所看到的,我在解决整个身份验证过程中如何协同工作方面遇到了问题。 Your help is very appreciated.
非常感谢您的帮助。
The idea is that the user provides the credentials to my Laravel application, with other words the client credentials method is used.
我们的想法是用户向我的Laravel应用程序提供凭据,换句话说,使用客户端凭证方法。
You should forward the user to your oauth server using authorization code grant 您应该使用授权代码授权将用户转发到您的oauth服务器
So 所以
retrieveById
call retrieveById
调用返回用户的权限 I used a custom laravel/socialite provider to help with client routing and stuff. 我使用自定义laravel / socialite提供程序来帮助客户端路由和东西。 The
league/oauth2-client
should be pretty similar. league/oauth2-client
应该非常相似。
The first login redirect looks like 第一次登录重定向看起来像
class LoginController extends Controller
{
public function login(Request $request)
{
return Socialite::driver('custom-oauth')
->scopes(['read-permissions read-name read-email etc'])
->redirect();
}
}
I changed the User model getAuthIdentifier()
to be the access_token
returned from the authorization code grant. 我将User模型
getAuthIdentifier()
更改为从授权代码授权返回的access_token
。 For example 例如
class User implements Authenticatable
{
public function getAuthIdentifier()
{
return $this->token;
}
}
My login callback looks like this sort of. 我的登录回调看起来像这样。
class LoginController extends Controller
{
public function callback(Request $request)
{
/** @var \App\User $user */
$user = Socialite::driver('custom-oauth')->user();
Auth::login($user, true);
return redirect()->home();
}
}
Laravel's SessionGuard
will store that access_token
and your custom user provider should retrieveById
back to the oauth server using the access_token
to get the user information Laravel的
SessionGuard
将存储access_token
,您的自定义用户提供程序应使用access_token
将SessionGuard
retrieveById
回oauth服务器以获取用户信息
And then my custom user provider's retrieveById
looks like. 然后我的自定义用户提供程序的
retrieveById
看起来像。 Which basically hits the oauth server and requests for the current users information. 这基本上击中了oauth服务器并请求当前用户信息。
$identifier
= access_token
$identifier
= access_token
class CustomUserProvider implements UserProvider
{
public function retrieveById($identifier)
{
try {
return Socialite::driver('custom-oauth')->userFromToken($identifier);
} catch (AuthenticationException $e) {
return null;
}
}
}
I hope that helps 我希望有所帮助
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.