I need your help in this case.
Is there an easy way to share login information between two CakePHP 2.x apps on the same main domain but different sub-domain on multiple servers?
How can user logged in at A app, and B app know if a user is logged in or not.
Related
I have a requirement to create an admin UI where I need to list all users registered on IdentityServer to start assigning permissions and roles. This application internally uses PolicyServer, but as a superadmin user, I would need to see all users registered on IdentityServer. Here IdentityServer is responsible for authentication and the other application that uses PolicyServer is responsible for the authorization.
Which is the correct way to proceed:
1- This admin UI application should be connected to the same database that IdentityServer uses to get all the users?
2 Or should I need to extend IdentityServer on this way?:
http://docs.identityserver.io/en/latest/topics/add_apis.html
I followed this issue here:
IdentityServer/IdentityServer3#2607
but still, it is not clear for me how to proceed on the question above.
Well, the users database is usually provided by ASP.NET Identity, not so Identity Server.
I had the same issue and I went on to develop the admin Web app in the same host as Identity Server, thus using the database connection to get to the users (and the API resources, clients, etc.).
I argue that this is the simplest way to achieve what you want. And still allows you to provide a complete API on your Identity Server for external apps. I also did that (for scenarios where client apps are allowed to view/edit the user profile, for example). The API was built using plain ASP.NET Core MVC.
I have dozens of Azure Active Directory API's and SPA's that talk to each other. Here is an example:
User - Has roles necessary to use SPA and API 1
SPA - Talks to API 1 using Delegated Permissions
API 1 - Talks to API 2 using Application Permissions
API 2
These SPA's and API's each have a single Application and Client ID in Azure Active Directory but they are multi-tenant, in that they serve internal users in multiple countries using Role Based Access Control (RBAC).
All of the above applications run internally but I have a new requirement that we need to hand over the SPA application to users external to the company and that they should not be able to see parts of the SPA for other tenants and also they must not be able to call API's for other tenants. How can this be achieved?
For your scenario, I think you can use Azure AD App roles for it.
For example:
You can create two roles in the Azure AD applicaiton for the SPA. One is Admin,who can access whole SPA site and API 1. One is User, who can only access part SPA and cannot access the API 1. Then you can assign roles to users.If you have AAD basic or Premuim , you can assign roles to groups.
After finishing this, you will get the roles information in id_token. So that you can give them different access to your SPA. The rest work should be built in your SPA to deliver different access to different users.
You can also read this blog written by joonas for more detials.
Addtional, this answer is just a solution as I thought, it may be a little different from your realtic scenario which I cannot test.
Hope this helps!
I have a project where subdomains are created for each of my users. So, if my project is example.com, a customer of mine might have steve.example.com.
I then added social logins with Google and Facebook. For Google's "Authorized JavaScript origins" and "Authorized redirect URIs", they don't allow wildcard domains. What's the best way to handle this?
Next, it gets more complicated for users that want to load steve.example.com on their own domain via CNAME. So if example2.com's DNS is pointed to steve.example.com, it appears I need to add example2.com to my Authorized Javascript Origins. What's the best way to handle this? Can I add it via API? I can't find any documentation regarding this and I'd rather not have to manually add 1000 subdomains and domains to Google.
Do you want a user to authorize a scope "A" for site 1 and get it auto approved for site 2? Most likely not.
If you use the same client ID (put these all in the same project) that means they should just be approved once by a user. This may be a privacy violation if the sites are different and a user may not want to sign-in to one of those but into another.
To solve this, you should be creating a different client id for each of your customer.
Another good reason to create a project/client id is if for some reason there is abuse and one of the client ID is compromised then other/all customers are not effected.
If you are creating project/client ids for each project then you should add the right subdomain there during the configuration. I also recommend not having all the projects (1000s as you say) in one Google account.
How can visualforce pages and their respective controllers be hosted on SFDC but have my own domain name and URL extension being used when directing users to them?
I am building pages in VisualForce with Apex controller extensions in the background and would like to know how to direct my users to them whilst still prepended the filename with my own URL and not na9.salesforce......
Would these pages have to be hosted on Sites.com Or can I host them as pages in my developer.force.com account? I think the first because if they were to be hosted within SFDC then a login would be required to view the pages?
I am so confused that things are not going well. I know that SFDC want everything to be integrated but i think that users should just be happy with a single solution that does not have modules thrown all over the place where you need bespoke training to use effectively.
Salesforce.com's Sites is the technology that you are going to need to use if you want to provide your own domain (URL). Essentially, with that technology you can setup a guest account for anonymous user access. So everything still runs under the context of a user it would just be this generic guest account.
This article explains the details of mapping your Domain to the Salesforce.com Site domain.
http://wiki.developerforce.com/page/Force.com_Sites_Best_Practices
I have main site example.com where users can register and login or just login with openid.
Logged in users can create their own sites with subdomains like mysite.example.com.
Every user can have multiple sites.
Every site is cakephp app.
Every cake app has its own ACL.
How do I deploy authorization so users logged in to the main site, are also logged in to their own sites.
Two main requirements here:
Client-side cookie needs to be valid for all applications
Check the cookie set by CakePHP on the client side (FireCookie is good for this). The domain part of the cookie needs to read .example.com (not www.example.com) in order for it to apply to sub-domains. This might work in bootstrap.php:
ini_set('session.cookie_domain', '.example.com');
Server-side session storage needs to be accessible by all applications
In core.php for each application, set a common session storage. Options are:
php: This will use the PHP defined session storage directory, which should be the same for all applications.
database: If all applications use the same database, this could be an option.
cake: For this to work, you would need to define a common /tmp directory for each application.