I am currently working on a project where i have to make a Hotel Booking Application. There will be general user who will browse through available rooms and will have to login to book. Hotel owners will have account to manage their inventory. And there will be admin section to manage the app. I am confused about what is the best approach to scale this kind of app in Laravel. Because each kind of account will require different type of authentication. I have thought multitennent approach but doesn't seem like This app falls into this category. Thanks in Advance for any help.
For this scenario, you can implement Role based authentication.
You need to create 3 roles.
Hotel Owner
Application Administrtor
General user.
Based on the role, you need to provide access. If you haven't developed Authentication system, you can use Entrust along with Confide.
Entrust provides a flexible way to add Role-based Permissions to Laravel4.
Confide is an authentication solution for Laravel made to cut repetitive work involving the management of users.
Related
Let's say we have a web app that lets the user create "widgets". We have a new client that would like to control access to each widget with their organization's Active Directory, such that some of their users can view certain widgets and other users can edit other widgets.
What's the proper way to implement this? Should every widget have its own read group and modify group, and we let the client control the membership to these groups? Is there a better way?
Design discussions can be long-lasting and people nowadays prefer Agile methodology to keep making changes as per the new requirements to get the end refined product.
But, here is a one way in which you can implement this -
You will have one B2C(for new users) Login and one AD login(for organization users).
Then, you will have to use RBAC to have different views and features for different types of users(one B2C, 2 different users from AD) using claims and user properties for AD users. For eg, Airbnb has same website but different experiences for hosts and Users who book stays.
I'm creating the user authentication in a web application, and I want to use Identity Server for resource protection.
The sample code and documentation shows how the user logs into Identity Server after creating an account for it. That is to say, they log in with their own Identity Server account. The quickstart even provides a UI.
But I don't want users of my application to have to log in to Identity Server, an external website. I want them to only have to log in to the web application.
So how to proceed? It just doesn't seem at all clear from the documentation how you're supposed to handle this scenario, which I would have thought would be the most common.
Do I just use a pre-defined API scope and user for token validation, holding for all the website's users? That doesn't seem to be very secure given that any user of the website or anyone with the client name and secret would have a valid token. Not sure what the point is in having the security if it's that easily worked around.
Or do I interact with my Identity Server instance somehow after the user is registered in the web application, and store the new user in a database? I can't find any mention of this in the documentation . It all seems to be very muddled to be honest.
Please could anybody shed light on some of this? What is the "standard" approach here? To have the user sign in to the external Identity Server website? That seems a great way to annoy your users.
If you only have one application and you don't intend to add more applications that needs to share users, then you should look at ASP.NET Core Identity
The whole point with OpenID-Connect/IdentityServer is to delegate the managing and handling of users/passwords (authentication) to a central entity. So individual applications don't need to deal with that complexity. IdentityServer is useful when you have multiple applications or if you have more complex integration needs. It is also perfect if you need to customize it to your own needs. If you don't need the customization part you can also outsource it to someone else like Auth0 that give you an IdentityServer like experience as a service.
I’ve been asked by a customer to find a way to collect all permissions for all app registrations in the customer’s AzureAD tenant. The customer has 1500+ App Registrations, so checking each manually isn’t an option. Most of these are redundant but the customer wants to review all of them to look for Graph API permissions that they’ve deemed sensitive. The problem is, there isn’t a way to export this info in the portal and Get-AzADApplication doesn’t give me actual permissions, just friendly descriptions of them. The customer would like the ACTUAL Graph API, such as Mail.Read.
I’ve attempted to script this with the assistance of a few more senior PFEs, but we’ve been unable to make any progress passing various properties between Get-AzAdApplication, Get-AzADServicePrincipal and Get-AzureADOAuth2PermissionGrant. We reached the point where we were able to get the Graph API permissions from the Service Principals, but the resultant permissions were in an unusable format.
If anyone has any suggestions on how to get this information into a concise format with (preferably) the Graph API permissions as mentioned above, I’d greatly appreciate it. I’d rather not go back to the customer and say it isn’t possible, as this is a new customer and I’d rather not say ‘No’ to my first task. 😊
Use Microsoft Cloud App Security for that purpose. This is tool designed, beside other features, especially for that purpose.
You open https://security.microsoft.com/ as a Global or Security Administrator, then you have quick overview on central place:
This will bring you to the MCAS portal, where you have solicit view on all applications with a rating, according to Microsoft standards for "Highly priviledged" access:
A direct view to applications, which users are using these applications, what permissions are granted. It even has filtering capabilities allowing you filter apps based on access level sevirity or even some Graph permissions - like Access e-mail on behalf of the user.
Your customer should really be using the Microsoft Security Center and monitor their security score: https://learn.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center
Then looking at MCAS: https://www.microsoft.com/en-us/microsoft-365/enterprise-mobility-security/cloud-app-security
You can use this script to list all delegated permissions and application permissions in Azure AD.
The key of the script is Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId.
Based on my test, the permissions in the result is in this format: email offline_access openid profile User.Read.
I think it's what you need.
I'm building an app using which the users registered(from the IAM page) for the project can access the resources of that project. I need the authentication when the URL is hit. Is there a way to achieve this?
Is it possible to provide IAM roles specific for a user request (assuming that the user will login using his email id) to access the resources based on IAM level permissions?
In the early days of AppEngine it was pretty easy to do some basic auth/access-control, but lately they're moving it to something called IAP.
From your wording I am assuming you are trying to abstract administrative tasks of a GCP project to lesser privileged administrators.
Questions 1 and 2 can be quickly solved by defining privileges in IAM using a pre-built roles or creating a custom role if you need to be more specific. Hereby you can use GSuite, GMail, Google Group accounts and let them sign into console.cloud.google.com. They will consequently only be able to see and act upon what you've assigned to them to in IAM.
If you still want to go through with building it yourself, every product does provide an API including authentication. Best practice for your use case is to instead of assigning an individual user access to a resource, you rather create a service account and then allow the user to call that service account. For this GCP has the Service Account Actor Role described well in the official documentation and also Salmaan Rashid provides a good practical insight on medium.
We are trying to build one simple website using force.com sites.Here User logged into website and need to perform different actions by moving to different VF pages.
We are facing a Problem to maintaine Session of particular user. We need help regarding how to maintaine session for particular user.
Kindly give your help. Please provide any sample code.
Thanks.
You can't ;)
Think about it, you can store usernames/passwords in your data objects and if they allow you to login and maintain a session for that user and use it to walk around apex pages and builtin forms why would you buy a salesforce license? You could operate a 1000 employees rig with just one administrative license and a site URL. For that reason salesforce does not allow you session control, it grants you one when you buy and expense a license.
For sites, you have to purchase either Customer Portal license or volume-based High Volume Customer Portal set and then use those to "promote" a contact into a login user with the above license. Then, when that user logs into site it has its own session.
This document http://wiki.developerforce.com/index.php/Authenticating_Users_on_Force.com_Sites might be of great help.
This tutorial shows you how to authenticate users on Force.com Sites. It provides a description of Customer Portal, which is needed for the authentication, and shows you how to set up such a site and process to allow site visitors to become authenticated users.
The points on customer portal are correct, and you have to pay for these licences. If you build your own auth on Force.com Sites and salesforce.com finds out they'll be very unhappy. That said you can still do it using cookies (http://www.salesforce.com/us/developer/docs/apexcode/Content/apex_classes_sites_cookie.htm) but it's not perfect because it's client-side.
I highly recommend that you steer clear of this approach though. You're better off building your UI layer on another platform (Google App Engine or Heroku) and using web services created on the Force.com platform through that UI.