I've tried to Google this for a while now, but haven't found anything yet. Mostly because I'm not even sure what type of resources and what in general I should be looking for.
This question might be too broad, so if there's no good way to answer this, I'd be glad to be pointed to corresponding resources from where I could read and learn more about this.
My scenario is following:
I have two sites Site A and Site B.
A user logs in on site A. Site A redirects the log in, so that the person is asked to log in on site B.
If log in succeeds, the person is also logged in on site A and some information from site B is sent to site A. Otherwise user isn't logged in on any site.
Log in methods can be some custom or google sign in for example. I know from several sites that this kind of scenario is possible, but I have no idea of how this could be implemented.
These systems could physically be on different servers and there's no really a need for two way communication, though that would be great to learn too.
I know the basics of single site log in and how to do that and authorize access etc, but is there a way to authorize a user on some other site as well with that single authorization?
Technologies I've planned to use in this are Meteor, React and OAuth 2.0, but general or different solution is appreciated as well, if there's no way to implement this with those technologies.
Thanks.
Related
Good afternoon, I was asked to do some research on the possibility that Facebook api da for us developers. However, I already noticed that the actions are very limited and the majority only for our own user and pages. So I would like to know if someone with more knowledge in this area could ask me a question. Is it possible for me with my app, to browse other users to get the page that he owns and make tanned queries on the page and so on?
See Page Public Content Access feature
https://developers.facebook.com/docs/apps/features-reference/page-public-content-access/
Similar questions have been asked before, but this a one is a little different. I created a REST API to send an XML document with `POST. I send data from my (Windows) application to the servers, which includes: open time, operating system, version, etc.
I have one problem though. How can I make sure people can't use the REST API? How do I know that the information sent to the server is from an application and not from someone who knows the URL? How do analytic software companies solve this problem?
Thank you.
Update
I would like users to use my application without having to log in. I am pretty sure that companies that create apps that do not force you to log in are able to see whatever you are doing.
Well there are several way to secure your service.
You can always setup authentication & authorization for the service - this way the service will be available only to registered/known users.
Here are links few links for more details:
Best Practices for securing a REST API / web service
http://www.stormpath.com/blog/secure-your-rest-api-right-way
Also there are less sophisticated ways such as setting firewall rules to allow connections only from certain places -- I don't think it is a recommended approach.
Summary of the question:
I would like to create a CakePHP based registration and login system offering multiple different gateways such as OpenID, Facebook, Twitter, and so forth. I would like the system to allow a user to associate multiple forms of identification with their account.
After much searching, I am turning up a blank on anything that would allow more than one method of authorization. Cake's authorization system does complicate the matter, so using a tutorial for general PHP is not really effective. Does anyone have a solution, or somewhere I can start from?
Example:
To give a simple example, looking at the StackExchange network: you can login/register using a stack exchange account, Google, Yahoo, Facebook, or OpenID. Once logged in, you can add more of these methods to your account so that you are recognized a multitude of ways. I realize StackExchange probably isn't written in Cake, but it serves as an example.
Thank you!
Original Question
Here's the scoop: I'd like to integrate a simple registration/login system for each of the main services that offer oauth/openid in CakePHP.
Basically, I'd like my users to be able to register the old fashion way (including validation e-mail) or using an existing service to verify themselves. I'd like them to be able to login afterwards using that service, or with a username and password.
Now, I have found extremely in depth plugins for full facebook integration and the like, but the bottom line is that I want to just use this for registration and login at this point, and I would like the experience to be the same regardless of which service they choose (plus, I'd like to understand how it works... because this is all about learning CakePHP after all).
I'd also like them to be able to link other services once the account is created if they so desire. In a nut shell, they're account should be able to be linked to any number of login services, or none at all.
How on earth do I go about this?
Thank you,
James
Looks like there is now a third-party library available using Opauth as detailed on this bakery thread
Here is the CakePHP version's github page:
https://github.com/uzyn/cakephp-opauth
Great question - our CakePHP development studio may be looking at this in the coming months also. I suspect you'll have more luck researching this as a general PHP question and then how you can port that solution into Cake. Definitely post back with anything you discover.
You might find this thread a helpful starting point, although it was posted back in 2010:
Best way to implement Single-Sign-On with all major providers?
I'm using Google's user api on Google App Engine for authentification. As nearly everyone have a Google Account and api is easy to implement, that solution is convenient.
The problem is, though, with user who do not have a Google Account (or have no idea what a Google Account is). Where the api provides a nice interface to log in/log out and redirect immediately and easily to the app, nothing is said to developers about potential new users.
So here are a couple of things worth noticing:
Google' new Google Account page (https://www.google.com/accounts/NewAccount) is pretty straightforward, but not convenient at all for new users of a GAE app: no mention of anything not Google (users who don't really know what authentification is won't have any clue of why they need to open an account with Google), dead end (won't lead anywhere in the end), ugly.
GAE Log In screen includes a link to the New Google Account page. This link is of the form:
https://www.google.com/accounts/NewAccount?continue=http%3A%2F%2Fexample.com%2F_ah%2Flogin%3Fcontinue%3Dhttp%3A%2F%2Fexample.com%2Fprofile%2F&service=ah<mpl=gm&sig=0aa0a000aa000a00000aa0000a000aa
(Where example.com is the return url provided to the API). Great! But the situation is in no way different than it was: still a dead end, still no mention of any non-Google app, still ugly).
So, I'm asking, is there any imaginative way to provide a nicer interface for new users? Have anyone have ideas of how to present the process to the new users (a video for how to create a new account? some kind of tutorial page? etc.)? Just trying to think outside of the technical box here...
Regarding the various authentication options you can check out the Java or Python docs on OpenID (http://openid.net/)
Basically this allows supporting authentication by different agents, which includes Google accounts or even your own GAE application's custom implementation.
Furthermore you can check out User Experience summary for Federated Login for more information regarding UX considerations and best practices - with user authentication.
Imagine you're writing a web app that will have 1 million users (they all grow that big, right!)
How would you handle user accounts? I can imagine a few scenarios:
Roll your own (database tables, salted/hashed passwords stored in a user profile table)
If written with ASP.NET, use the login/role provider (which falls back to the database)
Use Active Directory if in a Windows environment
Use some other LDAP server
A 3rd party provider like OpenID or .NET Passport
Stability and scalability are of course important.
I guess this is really a question of whether Active Directory and other LDAP servers scale well and easily. What do Facebook, Twitter and Gmail use as their backend account provider?
What got me thinking about this is the Google App Engine. Really cool looking. But users would need to get a Google Account if I used the built-in authentication stuff. Or with #5 above, users would need to go get an OpenID. I'm trying to make it so they can just do a simple sign up with my site without needing to visit other sites -- for the non-geeks of the world :)
I would ask someone who had actually worked on a system which caters for that many users.
I'd find out about other systems like this, and look at case studies that have been written about them. (Ask Microsoft, Oracle, IBM etc.).
But, for usability you either need to implement a single sign on solution, so users don't need to know their login details. (Perfect for the corporate world.)
or
You have to go with what users know, which is an email address/username, and password.
OpenID or similiar systems are horrible for non technical users.
(Note, anyone looking at this is a technical user.).
OpenID.
If you must give the users a choice to create an account on your site, become an OP.