Public admin backends obviously need some authentication mechanism. With a standard Symfony2 edition there are Sonata Admin and FOS User Bundle used for this purpose.
But how about using FOS User Bundle within Sonata based on PHPCR-ODM with Symfony CMF? Is there some kind of integration for that? I haven't found any documentation on this.
I am wondering if anyone has done this before,
I have an Azure Active Directory, and I host the front end of our app in IIS. The back end is controlled by pm2. How can I set up SSO with Azure AD and our back end, Strapi?
Thank you for any help
Strapi natively supports Microsoft SSO.
You must act on three fronts: Azure Portal, Strapi Admin, Frontend App
1 - AZURE Portal: (create application, configure, get params)
1.1 Create application, go to the App registrations site and register an app
1.2 Click New Registration
1.3 Fill in the form as shown in the screenshot below
1.3.1 In "Supported account types" set the Multitenant option (in Strapi, single tenant is not supported by default; if you need single tenant you must create a custom provider, but multitenant is fine)
1.3.2 In the Redirect URI field, choose "Web" and enter /connect/microsoft/callback (i.e. http://localhost:1337/connect/microsoft/callback or your Strapi production URL https://mystrapiexample.com/connect/microsoft/callback)
1.3.3 Register and go to the next page
1.4 Go to the "Authentication" page of your registered app (left menu) to enable the implicit grant flow (Access tokens)
1.5 Go to the "Certificate and secrets" page of your registered app (left menu) to create a "New client secret" and note the value; you will use it when you configure the provider in Strapi.
1.6 Also note the "Application (client) ID" on the Overview page; you will use it when you configure the provider in Strapi.
2 - STRAPI ADMIN: (create application, configure, get params)
2.1 Go to "Roles and Permission" > Providers > Microsoft
2.2 Set Enable "ON" and your clientId and secret that you get in previous steps (1.5 and 1.6)
2.3 Set the redirect URI to your front-end app, which receives the Microsoft access_code and forwards it (this step will become clearer later)
3 - FRONTEND APP:
Ready? At this point the flow begins: a chain of redirects completes the authentication and obtains a Strapi JWT for making requests as an authenticated user.
3.1 Create a link in your frontend application to the Strapi Microsoft sign-in endpoint /connect/microsoft (i.e. http://localhost:1337/connect/microsoft or your Strapi production URL https://mystrapiexample.com/connect/microsoft)
3.2 Strapi redirects the user to the Microsoft authentication page; on success the user is redirected back to Strapi with a Microsoft access_code (this step is transparent for you)
3.3 Strapi redirects the access_code to the frontend URL set in 2.3, which must redirect (with the access_code) to the Strapi auth page /auth/microsoft/callback (i.e. http://localhost:1337/auth/microsoft/callback or your Strapi production URL https://mystrapiexample.com/auth/microsoft/callback)
3.4 At this point Strapi creates its own JWT token, which it returns to the frontend application; the frontend can store it (in localStorage, sessionStorage, ...) to make requests to the Strapi endpoints.
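The front-end glue for steps 3.3 and 3.4, as an added example that is not part of the answer above or of Strapi itself. It assumes the Strapi base URL is fixed in front-end configuration (STRAPI_URL) and that the access code arrives as query parameters on the front-end redirect URL; the parameter name and the `{ jwt, user }` response shape are assumptions.

```javascript
// Added example (not from the answer or from Strapi): front-end handling of
// the redirect that carries the Microsoft access code back from Strapi.
// Assumption: STRAPI_URL is a constructed sample value fixed in app config.
const STRAPI_URL = "http://localhost:1337";

// Build the Strapi auth callback URL for step 3.3, forwarding every query
// parameter Strapi appended to the front-end redirect. The destination host
// comes only from configuration, never from the incoming URL, so the code
// cannot be bounced to a host an attacker chose.
function buildStrapiCallbackUrl(incomingHref, strapiUrl = STRAPI_URL) {
  const incoming = new URL(incomingHref);
  const target = new URL("/auth/microsoft/callback", strapiUrl);
  for (const [key, value] of incoming.searchParams) {
    target.searchParams.set(key, value);
  }
  if ([...target.searchParams.keys()].length === 0) {
    throw new Error("redirect carried no access code");
  }
  return target.toString();
}

// Step 3.4: exchange the code for Strapi's own JWT. `fetchImpl` is injectable
// so the function can be exercised offline; it defaults to the global fetch.
// Assumption: Strapi answers with JSON of the form { jwt, user }.
async function exchangeForJwt(incomingHref, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildStrapiCallbackUrl(incomingHref));
  if (!res.ok) throw new Error(`strapi auth failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.jwt !== "string" || body.jwt.length === 0) {
    throw new Error("no jwt in strapi response");
  }
  return body;
}
```

Whatever storage the front end picks for the JWT, anything readable by page scripts is readable by injected scripts too, so keep the token out of URLs and logs and scope its lifetime to the session.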
References
https://github.com/strapi/strapi-examples/blob/master/login-react/doc/microsoft_setup.md
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
You can easily implement authentication using Azure AD in your strapi CRM web project.
Steps to follow:
Register an application in Azure AD.
Add target API, and grant consent to select permissions.
Choose your Microsoft authentication library; MSAL is recommended.
Implement the MSAL library in your project. It is very simple to implement, and a code sample that can help you is available here.
Please let me know if you still have any issues.
I've read in some IS4 issues recently, e.g. here, that hosting IS4 and a client in the same web application is not a tested or recommended scenario. Does this also apply for when integrating AspNet Identity's logged-in workflows into IS4?
For example, it's understood that AspNet Identity's Account feature's controller, models and views from AspNet Identity are required so that IdentityServer4.AspNetIdentity code can initiate the relevant UI, but is it okay to leave the Manage controller in the same web application so as to provide a self-service feature, or should this functionality be moved to a separate web application?
For IS3 I created a separate web app that contained user profile functions (Manage controller), plus admin for the IS3 configuration and user management. This app was configured as a client and the IS3 web app itself had no client config or logged-in workflows. Is this the preferred architecture for re-using the Manage controller functionality?
Ideally, I'd like to keep AspNet Identity functionality together with IS4 in the one web app and have a separate web app for admin of config and users. Just want to be certain I'm not opening up a security vulnerability by doing so.
I have created an application that runs in GAE where users can create online stores. They can set up their own domain for the store. I verify the domain using Google Site Verification API:
https://developers.google.com/site-verification/v1/webResource
In order to serve the application on their domain, I also need to add a new URL defining a subdomain (i.e. www). I am currently doing this step manually, but I would like to do it programmatically.
Is there a Google API to add new URLs to serve an app?
We are migrating our applications from OpenID using UserService to OAuth2 / OpenID Connect to move our apps to the new Google Apps Marketplace.
We are using UserService.isAdmin() to check if a user is registered as admin for the GAE application.
How can we keep this functionality when moving to OAuth2 for login?
I don't think you can explicitly check who the admin is any other way.
It is rare that you would need to know the App Engine admin in a publicly-listed app. If the app is a general solution app, then aren't you the admin? Most developers care about the Domain Admin, which can be determined with the Admin SDK. If this is just for your own use, set the visibility options to your domain in the Chrome Webstore Developer Dashboard.
I use Users API on Google AppEngine (java).
I have a core servlet, /api (JAXB Jersey implemented), which exposes CRUD operations. Currently, it allows me to define that only logged-in users can access it. So users who have logged in on the site using OpenID or Google Federated Login can log in and access it through the app.
Now I want to publish the API to developers under /dev/api. We generate a unique API key for them to access the application.
How do I expose the same /api functionality under HTTP basic authentication without compromising the existing functionality? App Engine does not support custom security roles.
How do I implement HTTP basic authentication? Should I use a filter on /dev/api and restrict in that filter?
This was simple.
I created a different filter (BasicAuthFilter) for my new URL pointing to the same Jersey resource.
It fixed it.