0

I'm the owner of a website (let's say www.domain1.com) and I'm working with a couple of customers who have access to my website with a login and a password. One of them told me about SSO. He also has a website (www.domain2.com) where the users have to log in. He would like to have a button on his site so that, when a logged-in user clicks on it, it redirects the user to my website and he doesn't need to log in again.

Could you please tell me if SSO with OAuth2 can be used to do this, and if yes, how?
I've read this tutorial but I don't think it's what I'm looking for - or maybe I didn't understand the tutorial.

Nevi
  • Maybe this can be of any assistance? http://stackoverflow.com/questions/4873783/how-to-login-to-another-site-via-php – Naruto Mar 30 '16 at 12:18
  • SSO with OAuth2 can be used to do this. domain2.com will have to provide you with an OAuth consumer key and secret and then for each user it will have to provide an OAuth token. The rest can be taken care of using http://php.net/manual/en/book.oauth.php – apokryfos Mar 30 '16 at 12:29
  • thanks @Naruto. But the username/password on domain1 and domain2 aren't the same, so it can't work with cURL, can it? – Nevi Mar 30 '16 at 12:30
  • Worth noting that this is mostly the responsibility of domain2 to become an OAuth2 supplier. Not your domain. You will be an OAuth consumer. – apokryfos Mar 30 '16 at 12:31
  • Do you share the same Database as `domain2` ? – Jaquarh Mar 30 '16 at 12:40
  • @KyleE4K no, nothing is shared – Nevi Mar 30 '16 at 12:44
  • The issue with this is you're opening *CSRF* attacks, since the user doesn't **exist** on domain 2, you're only storing him in `session`. You either need to save him to the Database before use or have him there already. – Jaquarh Mar 30 '16 at 12:51
  • @KyleE4K Most sites don't share a database with Facebook but they allow sign-in via Facebook all the time. Assume that domain2.com is facebook in this case. – apokryfos Mar 30 '16 at 12:55
  • Okay, taking that example I did an answer. But just like Facebook, the developer still needs to write a handler to use the data sent back. – Jaquarh Mar 30 '16 at 12:58

2 Answers

0

So, this is what the reality of the matter is.

OAuth allows you (a consumer in this case) to authenticate users via an OAuth provider (domain2.com in this case) without having the users supply their credentials to you (because they don't really trust you for whatever reason); rather, they want to sign in to domain2.com, whom they trust.

To do this in the forward (traditional) direction, you provide your users an option to sign in with domain2.com, which will redirect the user to domain2.com. This request will need to be made using your application's key and secret to generate the signature (PHP OAuth does this for you). The user is then redirected to domain2.com to sign in and allow access to your domain. Then the user will be redirected to the callback you supply to domain2.com along with an access token, which you can then use to make additional requests to domain2.com on the user's behalf (if any), which in your case would just be a single request to verify that the token works, which means it's authentic.

To do this in the reverse direction (as you described), domain2.com does the same more or less: it uses your key and secret (which it knows) to generate a user token and redirects the user to the URL you provide them, so you can get the token and use it as a means to verify the user is indeed authenticated with domain2.com. To do only this (which based on the question is probably what you need), you just need to let the people of domain2.com know which URL will accept their token and not much else. The rest is more or less the responsibility of domain2.com to do.

The whole purpose of the table http://bshaffer.github.io/oauth2-server-php-docs/cookbook/ is to store the user's token so you wouldn't need to have them authenticate on domain2.com every time, however it's optional and for your use case simply storing the token in the session may be enough.

apokryfos
  • how can I check that the token is valid? Do I have to store the token in my database? – Nevi Mar 30 '16 at 13:00
  • To check if it's valid you need to make a request to domain2.com over OAuth using that token. If domain2.com gives you an expected response without complaining, then the token is valid. If you get a 403 error (or similar) then the token isn't valid. You don't have to store it, but if you don't store it, it means that the user will have to get a new token each time they visit your site, which is sometimes OK (in your case it's probably OK if you don't store it in the database and only keep it in session). – apokryfos Mar 30 '16 at 13:03
  • about the login, when I receive the token, how do I know that the token is for a particular user? Do I have to have something in common with domain2? Like the username? Thank you for your fast and clear answers – Nevi Mar 30 '16 at 13:22
  • When you use the traditional OAuth authentication, then you'll know since you've generated the request in the first place (the session will still be valid). However when the request comes straight from domain2.com then they will have to provide some additional means to indicate which user it is (on their end). Typically you could use the token to make a request on who the user is (something like who's the user who corresponds to this token), which is what is usually used to also verify the token is authentic. – apokryfos Mar 30 '16 at 13:28
  • Facebook for example has the api method called `me` (check http://stackoverflow.com/questions/3546677/how-to-get-the-facebook-user-id-using-the-access-token) – apokryfos Mar 30 '16 at 13:29
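The callback that the answer and its comments describe, written out as an added example (this is not apokryfos's code and not part of the original answer): domain2.com redirects the user to this script on domain1.com with a token, and instead of trusting the token on its face the script asks domain2.com who the token belongs to, then maps that identity to a local account. Everything named here is an assumption: the `token` query parameter, the hypothetical `https://www.domain2.com/api/me` endpoint returning JSON with an `id` field, and the constructed `LINKED_ACCOUNTS` table standing in for a database lookup.

```php
<?php
// Added example, not code from the answer: the "reverse direction" callback on domain1.com.
// domain2.com redirects the user here with a token; we do not trust the token itself but ask
// domain2.com which user it belongs to (the "me"-style request the comments describe).
// Assumptions (hypothetical): domain2.com exposes https://www.domain2.com/api/me, which answers
// 200 with JSON {"id": "...", "email": "..."} for a valid Bearer token and 401/403 otherwise.
declare(strict_types=1);

const PROVIDER_USERINFO_URL = 'https://www.domain2.com/api/me';

// Constructed sample of the link table domain1 keeps: domain2 user id => local user id.
// Real code looks this up in domain1's own database.
const LINKED_ACCOUNTS = ['d2-1001' => 42];

/** Ask domain2.com who the token belongs to; null means "not authenticated". */
function verifyTokenWithProvider(string $token): ?array
{
    $curl = curl_init(PROVIDER_USERINFO_URL);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token, 'Accept: application/json'],
        CURLOPT_SSL_VERIFYPEER => true,  // the trust placed in domain2's answer rests on TLS
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($curl);
    $status = (int) curl_getinfo($curl, CURLINFO_HTTP_CODE);
    curl_close($curl);

    if ($body === false || $status !== 200) {
        return null; // 401/403 or a network failure: treat as invalid, never as "probably fine"
    }
    $user = json_decode($body, true);
    if (!is_array($user) || !isset($user['id']) || !is_scalar($user['id'])) {
        return null; // provider answered, but not with a usable identity
    }
    return $user;
}

/** Map domain2's user id to a local account; null if nobody on domain1 is linked to it. */
function findLocalUserId(string $providerUserId): ?int
{
    return LINKED_ACCOUNTS[$providerUserId] ?? null;
}

// --- Request handling: only reached when the file is served by the web server ---
if (PHP_SAPI !== 'cli') {
    $token = $_GET['token'] ?? '';
    // Cheap sanity check before spending a round trip on domain2.com.
    if (!is_string($token) || !preg_match('/^[A-Za-z0-9._~+\/=-]{20,512}$/', $token)) {
        http_response_code(400);
        exit('missing or malformed token');
    }

    $providerUser = verifyTokenWithProvider($token);
    if ($providerUser === null) {
        http_response_code(401);
        exit('token rejected by domain2.com');
    }

    $localUserId = findLocalUserId((string) $providerUser['id']);
    if ($localUserId === null) {
        http_response_code(403);
        exit('no domain1 account is linked to this domain2 user');
    }

    session_start();
    session_regenerate_id(true);          // fresh session id once the user is authenticated
    $_SESSION['user_id']   = $localUserId;
    $_SESSION['sso_token'] = $token;      // session only, as the answer suggests; not persisted

    header('Location: https://www.domain1.com/');
    exit;
}
```

Two design points worth keeping when adapting this: the local session is created only after domain2.com has confirmed the identity and a linked local account exists (an unknown domain2 user gets a 403 rather than an auto-created account), and the session id is regenerated at that moment so a session fixated before the redirect cannot be reused. If domain2.com's redirect can carry an extra value that domain1 first stored in the user's own session (a `state` parameter), checking it here also closes the login-CSRF concern raised in the question's comments.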
0

Sending the Data from Domain 2 to Domain 1 is the simple part.

Firstly, configure Domain 1's .htaccess file like so:

Header set Access-Control-Allow-Origin "http://www.domain2.com"

RewriteEngine On

RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^API /API/handler.php [QSA,L]

We need the Re-Write for the CORS method (which allows cross-domain posts)

You can send this from Domain 2 to Domain 1 using a cURL request.

// Build the query string with proper URL encoding (the manual loop left a trailing "&"
// and broke on values containing "&", "=" or spaces)
$params = array('email' => 'email here', 'password' => 'password here');
$url = "http://www.domain1.com/API/?" . http_build_query($params);

$curl = curl_init();
curl_setopt_array($curl, array(
        CURLOPT_RETURNTRANSFER => 1,   // return the response instead of printing it
        CURLOPT_URL => $url,
        CURLOPT_USERAGENT => 'Log in the User at Domain1 from Domain2'
));

curl_exec($curl);
curl_close($curl);

// Then send the browser on to Domain 1
header("Location: http://www.domain1.com");
exit;

Once it hits the other end, it's down to you to write a handler and work with the sent data.

You can now write a handler.php file inside an API directory which picks up the requests like:

// Both fields arrive in the query string because the request above was a GET
if(isset($_GET['email']) && isset($_GET['password']))
{
    // do something with the sent user...
}
Jaquarh
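The answer above hands Domain 1 the user's email and password in a GET request. As an added example (not Jaquarh's code and not part of the original answer), here is the same Domain 2 to Domain 1 hand-off done with a signed, short-lived assertion instead of the password: Domain 2 signs "log in this email, now, once" with a secret both sites share, and Domain 1's handler.php checks the signature, the age and the nonce before it trusts the email. The shared secret, the `email`/`ts`/`nonce`/`sig` field names, the 60-second window and the in-memory replay store are all assumptions of this example; the self-check at the bottom uses constructed values where handler.php would read `$_POST`.

```php
<?php
// Added example, not the answer's code: Domain 2 -> Domain 1 login hand-off using a signed,
// expiring assertion rather than the user's password. Assumptions: both sites hold the same
// shared secret (placeholder below), Domain 1's handler.php is reached via the /API rewrite
// from the answer, and Domain 2 POSTs the fields instead of putting them in the URL.
declare(strict_types=1);

const ASSERTION_MAX_AGE = 60; // seconds an assertion stays acceptable (assumed window)

/** Fixed field order so both sides sign exactly the same bytes. */
function canonicalize(array $p): string
{
    return implode("\n", [$p['email'], $p['ts'], $p['nonce']]);
}

/**
 * Domain 2 side: build the fields to POST to http://www.domain1.com/API/.
 * The HMAC covers email, timestamp and nonce, so none of them can be altered or reused.
 */
function buildLoginAssertion(string $email, string $secret, int $now, string $nonce): array
{
    $params = ['email' => $email, 'ts' => (string) $now, 'nonce' => $nonce];
    $params['sig'] = hash_hmac('sha256', canonicalize($params), $secret);
    return $params;
}

/**
 * Domain 1 side (handler.php): return the asserted email, or null when anything is wrong.
 * $seenNonces is the replay store; here a plain array, in real code the database or a cache.
 */
function verifyLoginAssertion(array $params, string $secret, int $now, array &$seenNonces): ?string
{
    foreach (['email', 'ts', 'nonce', 'sig'] as $field) {
        if (!isset($params[$field]) || !is_string($params[$field])) {
            return null; // missing or non-scalar field: reject before doing anything else
        }
    }
    // 1. Signature, compared in constant time (catches tampering and a wrong secret).
    $expected = hash_hmac('sha256', canonicalize($params), $secret);
    if (!hash_equals($expected, $params['sig'])) {
        return null;
    }
    // 2. Freshness: a stale or future-dated assertion is rejected even if correctly signed.
    $ts = (int) $params['ts'];
    if (abs($now - $ts) > ASSERTION_MAX_AGE) {
        return null;
    }
    // 3. Replay: each nonce is consumed once, so a captured request cannot log in twice.
    if (isset($seenNonces[$params['nonce']])) {
        return null;
    }
    $seenNonces[$params['nonce']] = $ts;
    return $params['email'];
}

// --- Self-check with constructed values; handler.php would call
// verifyLoginAssertion($_POST, $secret, time(), $seenNonces) instead. ---
$secret = 'change-me-shared-secret';       // placeholder, not a real key
$now    = time();
$sent   = buildLoginAssertion('alice@example.com', $secret, $now, bin2hex(random_bytes(16)));
$seen   = [];

$fresh = verifyLoginAssertion($sent, $secret, $now, $seen);   // genuine, first use

$replayed = verifyLoginAssertion($sent, $secret, $now, $seen); // same nonce presented again

$tampered = $sent;
$tampered['email'] = 'admin@example.com';                     // email changed after signing
$forged = verifyLoginAssertion($tampered, $secret, $now, $seen);

$later = [];
$stale = verifyLoginAssertion($sent, $secret, $now + 3600, $later); // an hour late

foreach (['fresh' => $fresh, 'replayed' => $replayed, 'forged' => $forged, 'stale' => $stale] as $case => $result) {
    echo str_pad($case, 9), var_export($result, true), "\n";
}
```

Compared with the answer's handler, Domain 1 never sees or stores the Domain 2 password, the signed timestamp and nonce mean a logged or intercepted request is useless after a minute and after one use, and `hash_equals` keeps the signature check from leaking timing information. The remaining trust boundary is the shared secret: whoever holds it can assert any email, so it should be long, random, and held only by the two servers.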